
Everyone has long been accustomed to Wi-Fi wireless networks (networks based on the 802.11a/b/g standards). Hotspots no longer surprise anyone, and in offices Wi-Fi networks are used on a par with wired networks. Moreover, there are already Wi-Fi Internet access providers for home users and corporate clients.
Deploying wireless networks at home has become especially popular. A typical situation: at home you use not one computer but several, and you need to provide Internet access for all of them, or you need Internet access from a laptop anywhere in the apartment. In these cases the optimal, and sometimes the only possible, solution is a wireless router, which allows a single wired Internet connection (ADSL or Ethernet) to be shared wirelessly among all home or office computers. This is why wireless routers have recently become so popular with home users.

However, when deciding to switch to a wireless Wi-Fi network, do not forget that it is imperfect in terms of security. Along with the growing popularity of wireless networks, interest in means of hacking them is also increasing. It is not so much commercially motivated as driven by excitement. Indeed, hacking a network for the sake of free Internet access is no longer relevant in our time: tariffs for Internet access are so low that it is easier to pay than to hack the network. But sporting interest is a completely different matter: hacking for the sake of hacking, and nothing personal. People try to hack wireless networks simply because it is interesting.

There are many myths about the vulnerability of wireless networks, and many users believe that any wireless network is completely insecure and can easily be hacked. In fact, it is not so simple: a wireless network can be hacked only in exceptional cases (when, for example, it was deployed and configured by an inexperienced user). Try to gain unauthorized access to some provider's wireless network, and you will understand that wireless networks can in fact be protected quite reliably.

In this article we will use practical examples to show in which cases and how a wireless network can be hacked; the knowledge gained can then be used to audit the security of wireless networks, which will allow you to avoid the traditional mistakes made when setting them up.

Note that in one of last year's issues of our magazine we already described methods for hacking wireless networks using specific examples. However, as it turned out, new versions of the software designed for hacking networks have appeared, and although the general hacking methodology has not changed, our "young hacker's textbook" clearly needs an update.

First, we'll look at the basic security measures used to protect wireless networks today, and then we'll talk about how they can be overcome.

Wireless Security Methods

Wireless network standards provide several security mechanisms:

  • authentication and data encryption mode using the WEP (Wired Equivalent Privacy) protocol;
  • authentication and data encryption mode using the WPA (Wi-Fi Protected Access) protocol;
  • filtering by MAC addresses;
  • using hidden network identifier mode.

WEP protocol

All modern wireless devices (access points, wireless adapters and routers) support the WEP security protocol, which was originally included in the IEEE 802.11 wireless network specification.

The WEP protocol encrypts the transmitted data stream with the RC4 algorithm using a key of 64 or 128 bits. Some devices also support keys of 152, 256 and 512 bits, but this is the exception rather than the rule. The keys have a so-called static component, 40 and 104 bits long for 64- and 128-bit keys respectively, plus an additional dynamic 24-bit component called the Initialization Vector (IV).

At the simplest level, the WEP encryption procedure is as follows. First, the integrity of the data transmitted in the packet is checked (CRC-32 algorithm), after which the checksum (integrity check value, ICV) is added to the service field of the packet header. Next, a 24-bit initialization vector (IV) is generated and the static (40- or 104-bit) secret key is appended to it. The 64- or 128-bit key obtained in this way seeds the generator of the pseudo-random sequence used to encrypt the data. The data is then mixed (encrypted) with the pseudo-random key sequence using the logical XOR operation, and the initialization vector is added to the frame service field.

At the receiving side, the data can be decrypted, since the initialization vector is transmitted along with the data and the static component of the key is held by the user to whom the data is sent.
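To make the procedure concrete, here is an added Python example (not code from the article) that builds a WEP frame body exactly as described above: the CRC-32 ICV is appended to the data, RC4 is keyed with IV || static key, the result is XORed with the keystream, and the IV is sent in the clear; the receiver then rebuilds the key and verifies the ICV. The key, IV and payload values are constructed, and the last function quantifies the risk of the 24-bit IV space.

```python
"""WEP encapsulation/decapsulation as described above (added example; constructed values)."""
import math
import struct
import zlib
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the PRGA, returning
    `length` keystream bytes. WEP keys it with IV || static key for every frame."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _icv(data: bytes) -> bytes:
    """Integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Sender side. Returns the frame body:
         IV (3 bytes, clear) || KeyID byte || RC4(IV || static_key, plaintext || ICV)
    static_key is 5 or 13 bytes (the 40- or 104-bit static component) and iv is
    3 bytes, so the per-frame RC4 key is 64 or 128 bits as the article describes."""
    if len(static_key) not in (5, 13):
        raise ValueError("WEP static key must be 40 or 104 bits")
    if len(iv) != 3:
        raise ValueError("WEP initialization vector is 24 bits")
    body = plaintext + _icv(plaintext)
    keystream = rc4_keystream(iv + static_key, len(body))
    cipher = bytes(p ^ k for p, k in zip(body, keystream))
    return iv + bytes([(key_id & 0x03) << 6]) + cipher


def wep_decrypt(static_key: bytes, frame_body: bytes) -> Optional[bytes]:
    """Receiver side. Rebuilds the per-frame key from the transmitted IV and the
    locally stored static key, removes the keystream and returns the payload,
    or None if the ICV does not verify (wrong key or corrupted frame)."""
    if len(frame_body) < 4 + 4:
        return None
    iv, cipher = frame_body[:3], frame_body[4:]
    keystream = rc4_keystream(iv + static_key, len(cipher))
    body = bytes(c ^ k for c, k in zip(cipher, keystream))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext if _icv(plaintext) == icv else None


def iv_collision_probability(frames: int) -> float:
    """Probability that at least two of `frames` randomly chosen 24-bit IVs coincide
    (birthday bound). Equal IVs under the same static key give equal RC4 keystreams,
    which is why the IV space, not the key length, bounds WEP's safe lifetime."""
    iv_space = 2 ** 24
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * iv_space))


if __name__ == "__main__":
    # Constructed 40-bit key, IV and payload; not values from the article.
    key = bytes.fromhex("0102030405")
    frame = wep_encrypt(key, bytes.fromhex("a1b2c3"), b"sample 802.11 payload")
    print(frame.hex())
    print(wep_decrypt(key, frame))
    print(f"P(IV reuse) after 5000 frames: {iv_collision_probability(5000):.2f}")
```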

The WEP protocol provides two methods of user authentication: Open System and Shared Key. With open authentication no actual authentication takes place, meaning any user can access the wireless network. However, even in the case of an open system, WEP data encryption is allowed.

WPA protocol

In 2003 another security standard was introduced, WPA, whose main feature is dynamic generation of data encryption keys, built on TKIP (Temporal Key Integrity Protocol), a further development of the RC4 encryption algorithm. Under TKIP, network devices work with a 48-bit initialization vector (as opposed to the 24-bit WEP vector) and implement rules for changing the sequence of its bits, which eliminates key reuse. TKIP provides for the generation of a new 128-bit key for each transmitted packet. In addition, cryptographic checksums in WPA are calculated using a new method, MIC (Message Integrity Code). Each frame contains a special eight-byte message integrity code, the verification of which makes it possible to repel attacks using forged packets. As a result, each data packet transmitted over the network has its own unique key, and each wireless network device has a dynamically changing key.

In addition, the WPA protocol supports encryption using the advanced AES (Advanced Encryption Standard) standard, which has a more secure cryptographic algorithm than the WEP and TKIP protocols. In this case we speak of the WPA2 protocol.

When deploying wireless networks at home or in small offices, a variant of WPA or WPA2 based on a shared key, WPA-PSK (Pre Shared Key), is usually used. In what follows we will consider only the WPA/WPA2-PSK option, without touching on the WPA variants aimed at corporate networks, where user authorization is carried out on a separate RADIUS server.

When using WPA/WPA2-PSK, a password of 8 to 63 characters is specified in the access point settings and client wireless connection profiles.

MAC Address Filtering

MAC address filtering, which is supported by all modern access points and wireless routers, although not part of the 802.11 standard, is nevertheless considered to improve the security of a wireless network. To implement this function, a table of the MAC addresses of the wireless adapters of clients authorized to work on this network is created in the access point settings.

Hidden SSID Mode

Another precaution often used in wireless networks is the hidden network identifier mode. Each wireless network is assigned a unique identifier (SSID), which is the name of the network. When a user tries to join a network, the wireless adapter driver first scans the air for wireless networks. If the hidden identifier mode is used (as a rule this mode is called Hide SSID), the network is not shown in the list of available networks, and you can connect to it only if, firstly, its SSID is known exactly and, secondly, a connection profile for this network has been created in advance.

Hacking wireless networks

Having familiarized ourselves with the main methods of protecting 802.11a/b/g networks, let us consider ways to overcome them. Note that the same tools are used to hack WEP and WPA networks, so first we will describe what is included in the attacker's arsenal.

Attacker's Arsenal

So, to hack a wireless network we will need:

  • laptop or computer;
  • the “correct” operating system;
  • a set of hacking utilities;
  • wireless Wi-Fi adapter.

If everything is clear with the laptop (computer), the remaining attributes of the hacker need some comment.

The "correct" operating system

The main problem that arises in the process of selecting tools for hacking wireless networks is ensuring the compatibility of the wireless adapter chip, the software used and the operating system.

All utilities that allow you to hack wireless networks are tailored for Linux systems. There are analogues for Windows systems, but, by and large, this is baby talk. Linux systems are preferable for hacking because under Linux the range of available tools is much wider, and Linux utilities work much faster. Well, nobody breaks networks on Windows systems! But under Linux everything can be done very simply and quickly.

If some novice user who has barely mastered Windows is pathologically afraid of the word Linux, we hasten to reassure him: we will describe methods for hacking networks that do not require installing the Linux operating system on your computer (laptop), yet the hacking will be carried out from under Linux and with Linux utilities. We will simply use a special Linux distribution that does not require installation on a computer and can be launched from a CD/DVD or a USB flash drive. Most importantly, this distribution already contains all the utilities necessary for hacking. Moreover, you do not have to install video card or wireless adapter drivers separately. Everything you need is already integrated into the distribution: download it and go!

In principle, there are quite a few Linux distributions that do not require installation on a computer (the so-called LiveCD Linux packages) and allow the Linux operating system to be booted from a CD/DVD or a USB flash drive. However, for our purpose the best choice is the BackTrack 3 Beta package, which is built on Linux (kernel version 2.6.21.5) and contains all the utilities necessary for hacking networks. Note that, in addition to the tools we need to hack a wireless network, this disc contains many other utilities for auditing networks (port scanners, sniffers, etc.).

An image of this disc can be downloaded from the website at http://www.remote-exploit.org/backtrack.html. On the same site you can find a version of the distribution for a USB flash drive. Note that if your computer or laptop is not too old and supports booting from a USB drive, it is best to write the boot distribution to a flash drive. Booting an operating system from a flash drive is much faster than booting from a CD/DVD.

To create a bootable USB drive you will need a 1 GB flash drive. This is done as follows. Download the file bt3b141207.rar from the site, unpack it and copy two directories onto the flash drive: boot and BT3 (it is assumed that all these actions are carried out on a computer with a Windows operating system). Next, in the boot directory, find the file bootinst.bat and run it. As a result, a hidden boot partition (Master Boot Record, MBR) will be created on the flash drive, which can be used as a boot disk with the Linux operating system. Having made the necessary BIOS settings (to allow booting from a USB drive), insert the flash drive into the computer (laptop) and restart it. Within a few seconds the Linux operating system will load with all the utilities necessary for hacking wireless networks.

A set of hacking utilities

Traditionally, the aircrack-ng software package is used to hack wireless networks; it exists in versions for both Windows and Linux. The current package version is aircrack-ng 1.0 Beta 1 (Windows and Linux use the same version numbering). As we have already noted, using the Windows version of this program is not serious, and therefore we will not even waste time considering the Windows version and will focus specifically on the Linux version.

This package is distributed absolutely free of charge and can be downloaded from the official website http://aircrack-ng.org. There is simply no point in looking for other utilities, since this package is the best solution in its class. In addition, the latest Linux version is included on the BackTrack 3 Beta disc, so if you use the BackTrack 3 Beta distribution you do not even need to download and install the aircrack-ng package separately.

Wireless Wi-Fi adapter

As already noted, the main problem that arises in the process of selecting tools for hacking wireless networks is ensuring the compatibility of the software used, the operating system and the wireless adapter chip. Let's take a closer look at the last component.

Unfortunately, not all wireless adapters are suitable for hacking wireless networks. In addition, there are adapters that, although supported by utilities, work extremely slowly (in terms of capturing and analyzing packets).

The fact is that to hack a wireless network you need special (non-standard) drivers for the wireless network adapter. The standard modes of any wireless adapter are Infrastructure (Basic Service Set, BSS) and ad-hoc (Independent Basic Service Set, IBSS). In Infrastructure mode each client is connected to the network through an access point, and in ad-hoc mode wireless adapters can communicate with each other directly, without an access point. However, neither of these modes allows the wireless adapter to listen to the air and intercept packets. For intercepting packets there is a special monitoring mode (Monitor mode), in which the adapter is not associated with any specific network and catches all packets it can hear. The drivers supplied by the wireless adapter manufacturer do not support monitoring mode, and to enable it you must install special drivers, often written by a group of third-party developers. Note that the driver is needed for the specific chip on which the wireless adapter is built. For example, adapters from different manufacturers with completely different names can be based on the same chip, and then the same driver will be used to operate them in monitoring mode. This is where one of the main advantages of Linux-family operating systems comes into play: finding the "correct" drivers for a wireless adapter chip is much easier for them than for Windows, and the list of wireless adapter chips for which "correct" Linux drivers exist is much wider than for Windows.

A full list of chips for which there are special drivers supporting monitoring mode, for both Linux and Windows operating systems, can be found at http://aircrack-ng.org.

Currently, most laptops use an integrated wireless Wi-Fi adapter based on Intel chips (IPW2100, IPW2200, IPW2915, IPW3945, IPW4945). These are laptops on the Intel Centrino platform, and it is very easy to find out whether a laptop has an integrated wireless adapter: a sticker with the Centrino logo is affixed to all laptops on the Intel Centrino platform.

A year ago, while hacking wireless networks, we found out that wireless adapters on Intel chips, despite their compatibility with the Linux version of the aircrack-ng package, are poorly suited for hacking wireless networks. At that time, these chips worked extremely slowly, which made their use almost unacceptable.

However, a lot has changed over the past year, including the version of the aircrack-ng package. Most importantly, new versions of the special Linux drivers for Intel wireless chips have appeared. And, as it turned out, with the new drivers Intel wireless adapters work perfectly in monitoring mode. Specifically, we are talking about a wireless adapter on the IPW3945 chip. True, although this chip works perfectly in monitoring mode, this wireless adapter cannot be used to carry out some specific operations (certain types of attacks).

In general, to hack wireless networks, it is preferable, in our opinion, to use a wireless adapter based on Atheros series chips.

Steps to hacking wireless networks

Hacking any wireless network is carried out in three stages (Table 1):

  • collecting information about the wireless network;
  • packet interception;
  • packet analysis.

Next we will look at each of these stages in detail using practical examples. To demonstrate the possibilities of hacking wireless networks, we deployed an experimental wireless network based on a TRENDnet TEW452BRP wireless router and a network client, a desktop computer with a TP-LINK TL-WN651G wireless adapter.

To hack the network, we used a laptop based on Intel Centrino mobile technology with a wireless adapter based on the Intel IPW3945 chip, as well as a TP-LINK TL-WN610G wireless PCMCIA adapter based on the Atheros AR5212/AR5213 chip.

Let us note once again that when using the BackTrack 3 disk, you do not need to install any additional wireless adapter drivers - everything is already on the disk.

Collecting wireless network information

At the first stage, it is necessary to collect detailed information about the wireless network being hacked:

  • MAC address of the access point;
  • network name (network identifier);
  • network type;
  • the type of encryption used;
  • communication channel number.

To collect information about the wireless network, the airmon-ng and airodump-ng utilities are used, which are included in the aircrack-ng package and, of course, are present in the BackTrack 3 Beta distribution.

The airmon-ng utility is used to configure the wireless network adapter driver to monitor the wireless network, and the airodump-ng utility allows you to obtain the necessary information about the wireless network.

The sequence of actions is as follows. We boot the laptop from the USB flash drive on which the BackTrack 3 Beta distribution was previously installed (instructions for creating it are given above). Then we open the command console (Fig. 1) and launch the airmon-ng utility, included in the aircrack-ng package. It allows you to determine the available wireless interfaces and assign the network monitoring mode to one of them.

Fig. 1. Launching the shell

The syntax for using the airmon-ng command is as follows:

airmon-ng <start|stop> <interface> [channel]

where <start|stop> starts or stops monitoring mode, <interface> is the wireless interface used for monitoring mode, and the optional [channel] parameter specifies the number of the wireless network channel to be monitored.

Initially the airmon-ng command is run without parameters (Fig. 2), which gives a list of the available wireless interfaces.

Fig. 2. To obtain the mapping between wireless adapters and interfaces, run the airmon-ng command without parameters

Using the Intel 3945ABG Integrated Wireless Adapter

First, let's look at the sequence of actions when using the integrated Intel 3945ABG wireless adapter, and then the situation with the TP-LINK TL-WN610G wireless PCMCIA adapter based on the Atheros AR5212/AR5213 chip.

So, when using the integrated Intel 3945ABG wireless adapter, in response to the airmon-ng command without parameters we get the mapping between the adapter and the interface assigned to it. In our case the Intel 3945ABG adapter is assigned the interface wlan0 (Fig. 3).

Fig. 3. The Intel 3945ABG adapter is assigned the wlan0 interface

Note that if the computer has a single wireless adapter, then when the airmon-ng command is executed the corresponding interface is automatically switched to monitoring mode. If the computer has several wireless interfaces, you must explicitly specify which interface should be switched to monitoring mode; but since in our case there is only one wireless interface, it is enough to run airmon-ng without parameters.

After the wireless adapter has been switched to monitoring mode, you can begin collecting detailed information about the wireless network. The airodump-ng utility is used for this; it serves both to intercept packets in wireless networks and to collect information about them. The command syntax is as follows:

airodump-ng <options> <interface>

The possible command options are shown in Table 2.

When you first run the airodump-ng command, you only need to specify as a parameter the name of the wireless interface that is in monitoring mode, that is: airodump-ng wlan0. So, we type airodump-ng wlan0 at the command line and in response receive detailed information about all wireless networks within whose coverage area we are located (Fig. 4).

Fig. 4. The airodump-ng wlan0 command provides information about all wireless networks

We are interested in our experimental test network, to which we have assigned the identifier (ESSID) ComputerPress. As you can see, the airodump-ng wlan0 command provides all the necessary information about the network, namely:

  • MAC address of the access point;
  • MAC address of the active wireless client;
  • network type;
  • Network ESSID;
  • encryption type;
  • communication channel number.

In our example, the following attributes are applied to the ComputerPress network:

  • The MAC address of the access point is 00:18:E7:04:5E:65;
  • Client MAC address - 00:15:AF:2D:FF:1B;
  • network type - 802.11g (54);
  • Network ESSID - ComputerPress;
  • encryption type - WEP;
  • communication channel number - 12.

Note that the airodump-ng utility allows you to determine the network identifier (ESSID) regardless of whether the access point is set to Hidden SSID mode or not.

Next, in order to filter out everything unnecessary, you can run airodump-ng again, specifying as parameters not only the interface but also the channel number: airodump-ng --channel 12 wlan0. After this we receive information only about the wireless network we are interested in (Fig. 5).

Fig. 5. Using the airodump-ng command in channel-filter mode filters out all unnecessary information

Using the TP-LINK TL-WN610G PCMCIA adapter based on the Atheros AR5212/AR5213 chip

When using an external PCMCIA adapter based on an Atheros series chip (in this case, the name of the adapter is absolutely unimportant), the sequence of actions is somewhat different.

First of all, to use an external adapter you must disable the integrated one. This can be done with a button (if there is one), with a key combination, or in the BIOS settings (the integrated wireless adapter is disabled differently on different laptops). After that, insert the PCMCIA card and reboot the laptop.

As usual, open the command console and run the airmon-ng command without parameters to get a list of the available wireless interfaces.

When using an external wireless adapter based on an Atheros series chip, in response to the airmon-ng command without parameters we get the mapping between the adapter and the interface assigned to it. In our case, the adapter on the Atheros chip is assigned the interface wifi0 and another virtual interface ath0, generated by the interface wifi0 (Fig. 6). Note that the interface wifi0 is assigned the madwifi-ng driver, which supports monitoring mode.

Fig. 6. The adapter on the Atheros chip is assigned the wifi0 interface

To put our wireless adapter into monitoring mode, we run the command airmon-ng start wifi0. As a result, we get another virtual interface, ath1 (Fig. 7). Most importantly, monitoring mode is implemented through it (monitor mode enabled).

Fig. 7. Switching the wifi0 interface to monitoring mode

We do not need the virtual interface ath0, so it must be turned off. To do this we use the command ifconfig ath0 down (Fig. 8).

Fig. 8. Disabling the ath0 interface

After this you can proceed to collecting information about the wireless network with the command airodump-ng ath1 (Fig. 9). Note that if no packets are intercepted while it is running, the interface ath0 has not been turned off and the shutdown procedure must be repeated.

Fig. 9. Collecting information about wireless networks using the airodump-ng ath1 command

To make sure that everything is configured correctly and that the interface ath1 is in monitoring mode, it is convenient to use the command iwconfig (not to be confused with the command ifconfig) without parameters. It displays information about all network interfaces.

In our case, as can be seen from the screenshot (Fig. 10), the interface ath1 is in monitoring mode (Mode: Monitor), and the MAC address of our network card is 00:14:78:ed:d6:d3. The line Access Point: 00:14:78:ed:d6:d3 should not be confusing here. Of course, the adapter is not an access point, but in monitoring mode (packet interception) it acts as one.

Fig. 10. Viewing information about network interfaces using the iwconfig command

In conclusion, we note that through a similar procedure for configuring an external wireless adapter (putting the adapter into monitoring mode), other external adapters based on other chips are also configured. However, in this case the name of the wireless interface will be different.

Packet interception

After all the necessary information about the network has been collected, you can move on to the packet interception stage. The airodump-ng utility is again used for this, but the syntax of the airodump-ng command is different and depends on the type of encryption.

In the case when WEP encryption is used on the network, it is necessary to intercept only packets containing the initialization vector (IV packets) and write them to a file that will later be used to guess the key.

If the network uses WPA-PSK encryption, then it is necessary to intercept packets that contain information about the client authentication procedure on the network (handshake procedure).

The case of WEP encryption

First, let's consider the option when the network uses WEP encryption. As already noted, in this case we need to filter only the packets containing the initialization vector (IV packets) and write them to a file.

Since the attacked network is an 802.11g type network and uses WEP encryption, and transmission is carried out on channel 12, the command syntax for intercepting packets can be as follows (see Table 2):

airodump-ng --ivs --band g --channel 12 --write dump wlan0

In this case only IV packets will be collected and written to a file named dump, and capture will be carried out on channel 12. The parameter --band g indicates that an 802.11g network is being used, and the parameter wlan0 specifies the name of the interface in monitoring mode. This example assumes that the integrated Intel 3945ABG wireless adapter is used.

Note that when packets are written to a file, the file is automatically given the extension ivs (in the case of collecting IV packets). When specifying the name of the file for intercepted packets, you can give only the file name or the full path to the file. If only the file name is specified, the file will be created in the program's working directory. An example of the command with the full path to the file is as follows:

airodump-ng --ivs --band g --channel 12 --write /mnt/sda1/dump wlan0

In this example the file dump.ivs will be created in the directory /mnt/sda1. Translating this into the language of Windows users, we will create a dump.ivs file on the hard drive in the root directory of C:\.

It should be noted that not only the extension, but also the file numbering is automatically added to the saved files of intercepted packets. For example, if this is the first time you run a command to capture packets and save them in a dump file, then this file will be saved under the name dump-01.ivs. The second time you start capturing packets and saving them in a dump file, it will be named dump-02.ivs, etc.

In principle, if you have forgotten where the interception file you saved is located, it is quite easy to find. Run the command mc, and a shell resembling Norton Commander will start. With its help (via the F9 key) it is easy to find the location of any file.

After entering the command to intercept packets on the command line, the wireless adapter will begin to intercept packets and save them to the specified file (Fig. 11). In this case, the number of intercepted packets is interactively displayed in the airodump-ng utility, and to stop this process you just need to press the key combination Ctrl + C.

Fig. 11. Capturing IV packets with the airodump-ng utility in the case of WEP encryption

The probability of successful key selection depends on the number of accumulated IV-packets and the length of the key. As a rule, with a key length of 128 bits, it is enough to accumulate about 1-2 million IV packets, and with a key length of 64 bits - on the order of several hundred thousand packets. However, the length of the key is unknown in advance, and no utility can determine it. Therefore, for analysis it is desirable to intercept at least 1.5 million packets.

When using an external wireless adapter based on the Atheros chip, the packet interception algorithm is exactly the same, but, of course, the airodump-ng command must be given the interface ath1 as a parameter.

It should be noted that it is more efficient to use the integrated Intel 3945ABG wireless adapter to collect packets. At the same traffic intensity, the packet collection speed when using the Intel 3945ABG adapter is higher than when using an adapter based on the Atheros chip. At the same time, we note that there are situations (we will discuss them later) when it is impossible to use the Intel 3945ABG adapter.

When intercepting packets, a situation often arises when there is no intensive traffic exchange between the access point and the client, so accumulating the number of packets required for a successful hack takes a very long time. In the literature you can often find the advice that packet collection can be speeded up by forcing the client to communicate with the access point using the aireplay-ng utility. We will consider the use of this utility in more detail later, but for now we will only note that using it to increase the flow of IV packets is completely ineffective. In fact, it is unlikely to help you. If the network client is inactive and there is no heavy traffic between the access point and the client, the only thing left to do is wait, and using the aireplay-ng utility is pointless. Moreover, it does not work with the Intel 3945ABG adapter (at least with its current version), and trying to use it causes the laptop to freeze.

The case of WPA encryption

With WPA encryption on a wireless network, the packet interception algorithm is slightly different. In this case, we do not need to filter out IV packets, since with WPA encryption they simply do not exist, but it also does not make sense for us to capture all packets in a row. Actually, all that is required is a small part of the traffic between the access point and the wireless network client, which would contain information about the client authentication procedure on the network (handshake procedure). But in order to intercept the client authentication procedure on the network, it must first be forcibly initiated. And this is where the help of the aireplay-ng utility is needed.

This utility is designed to carry out several types of attacks on an access point. In particular, for our purposes, we need to use a deauthentication attack, which causes the connection between the access point and the client to be broken, followed by the connection establishment procedure.

Let us note immediately that not all wireless adapter chip drivers are compatible with the aireplay-ng utility: the fact that an adapter can operate in monitoring mode, that is, works with the airmon-ng and airodump-ng commands, does not guarantee that it will work with the aireplay-ng command.

If your wireless adapter has drivers compatible with the aireplay-ng utility, then you are very lucky, since in many cases this utility turns out to be simply irreplaceable.

So, when WPA encryption is used, the packet interception algorithm is as follows. We open two console sessions; in the first we run the command that forces the client to disconnect from the network and then re-authenticate (the aireplay-ng utility, deauthentication attack), and in the second, after a pause of one or two seconds, we run the command that captures packets (the airodump-ng utility).

The aireplay-ng command has the following general syntax:

aireplay-ng

This command has a very large number of different options, which can be found by running the command without parameters.

For our purposes, the command syntax will look like this:

aireplay-ng -e ComputerPress -a 00:18:c7:04:5e:65 -c 00:19:e0:82:20:42 --deauth 10 ath1

Here the parameter -e ComputerPress specifies the wireless network identifier (ESSID); the parameter -a 00:18:c7:04:5e:65 is the MAC address of the access point; the parameter -c 00:19:e0:82:20:42 is the MAC address of the wireless network client; the option --deauth 10 selects the connection-breaking attack (ten times in a row), after which the client re-authenticates; and ath1 is the interface that is in monitoring mode.

In response to this command, the client connection with the access point will be disconnected ten times in a row, followed by the authentication procedure (Fig. 12).

Fig. 12. Performing a client deauthentication attack
using the aireplay-ng utility

For the packet capture command with WPA encryption, the following syntax can be used in our case:

airodump-ng --band g --channel 12 --write /mnt/sda1/WPAdump ath1

Note that the airodump-ng command syntax no longer contains the IV packet filter (--ivs). The WPAdump file will automatically be given a sequence number and the *.cap extension, so the first time the command is run the file with the captured packets will be located in the /mnt/sda1 directory under the name WPAdump-01.cap.

The process of capturing packets should only continue for a few seconds, since with the deauthentication attack activated, the probability of capturing handshake packets is almost one hundred percent (Fig. 13).

Fig. 13. Capturing packets with the airodump-ng utility
while a deauthentication attack is running
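The deauthentication frames that the article sends with aireplay-ng are ordinary, unauthenticated 802.11 management frames, so a monitor-mode sensor on the defender's side can see the same burst the attacker relies on. The following detector is an added example written for this page, not code from the article or from the aircrack-ng project: it decodes the Frame Control field and the address fields of raw 802.11 frames, ignores beacons, data and control frames, and raises one alert when a single transmitter sends ten or more deauthentication frames within a five-second window. The sample traffic at the bottom is constructed in code (not a real capture) and reuses the access point and client MAC addresses from the article; the assumption is that frames arrive with any radiotap header already stripped.

```python
"""Deauthentication-flood detector over raw 802.11 frames.

Added example, not code from the article or from the aircrack-ng project.
Assumption: frames are handed in as (timestamp_seconds, bytes) pairs exactly as a
monitor-mode capture would deliver them, with any radiotap header already stripped.
"""
import struct
from collections import defaultdict, deque

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
DEAUTH_SUBTYPE = 12          # management subtype 0b1100
BEACON_SUBTYPE = 8           # management subtype 0b1000


def parse_frame(frame: bytes) -> dict:
    """Decode Frame Control and the three address fields of an 802.11 MAC header."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc = frame[0]                        # bits 0-1 version, 2-3 type, 4-7 subtype
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    info = {
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": subtype,
        "ra": frame[4:10].hex(":"),      # receiver address
        "ta": frame[10:16].hex(":"),     # transmitter address
        "bssid": frame[16:22].hex(":"),  # BSSID for management frames
    }
    if ftype == 0 and subtype == DEAUTH_SUBTYPE and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]  # reason code, little-endian
    return info


class DeauthFloodDetector:
    """Raise one alert when a transmitter sends >= threshold deauth frames within `window` seconds."""

    def __init__(self, threshold: int = 10, window: float = 5.0):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)  # transmitter MAC -> timestamps of its deauth frames
        self.alerts = []

    def feed(self, ts: float, frame: bytes):
        info = parse_frame(frame)
        if info["type"] != "management" or info["subtype"] != DEAUTH_SUBTYPE:
            return None                  # beacons, data and control frames are ignored
        q = self.recent[info["ta"]]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                  # slide the window forward
        if len(q) >= self.threshold:
            alert = {"ta": info["ta"], "bssid": info["bssid"], "count": len(q),
                     "first": q[0], "last": ts, "reason": info.get("reason")}
            self.alerts.append(alert)
            q.clear()                    # one alert per burst, not one per frame
            return alert
        return None


# --- constructed sample traffic (not a real capture) ---------------------------
AP = "00:18:c7:04:5e:65"       # access point MAC from the article
CLIENT = "00:19:e0:82:20:42"   # client MAC from the article
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(ftype: int, subtype: int, ra: str, ta: str, bssid: str, body: bytes = b"") -> bytes:
    """Assemble a minimal 802.11 frame: FC, duration, addr1-3, sequence control, body."""
    fc = bytes([(subtype << 4) | (ftype << 2), 0x00])
    return fc + b"\x00\x00" + _mac(ra) + _mac(ta) + _mac(bssid) + b"\x00\x00" + body


def run_sample() -> DeauthFloodDetector:
    """Feed three beacons, two data frames and a burst of twelve deauths to the detector."""
    det = DeauthFloodDetector(threshold=10, window=5.0)
    for i in range(3):
        det.feed(0.1 * i, build_frame(0, BEACON_SUBTYPE, BROADCAST, AP, AP))
    for i in range(2):
        det.feed(0.3 + 0.05 * i, build_frame(2, 0, AP, CLIENT, AP, b"\x00" * 8))
    reason = struct.pack("<H", 7)        # reason 7: class 3 frame from a non-associated station
    for i in range(12):
        det.feed(1.0 + 0.05 * i, build_frame(0, DEAUTH_SUBTYPE, CLIENT, AP, AP, reason))
    return det


if __name__ == "__main__":
    for a in run_sample().alerts:
        print(f"deauth flood from {a['ta']} (bssid {a['bssid']}): "
              f"{a['count']} frames in {a['last'] - a['first']:.2f}s, reason {a['reason']}")
```

A single deauthentication is normal when a client roams or an access point reboots, which is why the detector counts frames per transmitter in a window instead of alerting on every one; the threshold and window should be tuned to the site. The alert records the claimed transmitter address only, since a forged frame carries whatever address the sender chose. Networks that enable management frame protection (802.11w) make forged deauthentication frames fail integrity checks in the first place, so on such networks a burst like the one above is itself evidence of an attempt.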

Packet analysis

At the last stage, the intercepted information is analyzed using the aircrack-ng utility. In the case of WEP encryption, the probability of finding a key depends on the number of collected IV packets, and in the case of WPA/WPA2 encryption, it depends on the dictionary used.

Naturally, the aircrack-ng command syntax differs for WEP and WPA-PSK encryption. The general syntax is as follows:

aircrack-ng

The possible command options are listed in Table 3. Note that several files with the *.cap or *.ivs extension can be specified as capture files. In addition, when attacking networks with WEP encryption, the airodump-ng and aircrack-ng utilities can run simultaneously (in two console sessions); in that case the aircrack-ng command automatically picks up the newly captured IV packets.

The case of WEP encryption

The main problem with WEP encryption is that we do not know in advance the length of the key used for encryption, and there is no way to find out. Therefore, you can try to try several options for the key length, which is specified by the parameter -n. If this parameter is not specified, then by default the key length is set to 104 bits ( -n 128).

If something is known about the key itself (for example, that it consists only of digits, only of letters, or only of letters and digits without special characters), then the -c, -t and -h options can be used.

In our case, we used the aircrack-ng command with the following syntax to recover the key:

aircrack-ng -a 1 -e ComputerPress -b 00:18:c7:04:5e:65 -m 00:19:e0:82:20:42 -n 128 /mnt/sda1/dump-01.ivs

Here, specifying the MAC address of the access point and client, as well as the network ESSID, is redundant, since only one access point and one wireless client were used. Therefore, you can also use the command:

aircrack-ng -a 1 -n 128 /mnt/sda1/dump-01.ivs

However, if there are several clients and there are several access points, then these parameters must also be specified.

As a result, we were able to find a 128-bit key in just 3 seconds (Fig. 14)! As you can see, hacking a network based on WEP encryption is not a serious problem, however, as we have already noted, currently WEP encryption is practically not used due to its vulnerability.

Fig. 14. Recovering a 128-bit key with the aircrack-ng utility

The case of WPA encryption

With WPA-PSK encryption, a dictionary is used to guess the password. If the password is in the dictionary, it will be guessed - it's only a matter of time. If the password is not in the dictionary, then it will not be possible to find it.

The aircrack-ng program has its own dictionary, password.lst, located in the /pentest/wireless/aircrack-ng/test/ directory. However, it is very small and contains only English words. The likelihood that you will be able to guess a password using this dictionary is negligible, so it is better to immediately connect a normal dictionary. In our case, we created the password.lst dictionary in the /mnt/sda1/ directory.

When connecting external dictionaries, remember that they must have the *.lst extension. If you are using a dictionary with a *.dic extension, simply rename it.

A large selection of good dictionaries can be found on the website www.insidepro.com. If you want to use all these dictionaries, then you first need to “merge” them into a single dictionary, which can be called, for example, password.lst.

If dictionaries do not help, then most likely the password is a meaningless set of characters or a combination of symbols and numbers. After all, dictionaries contain words or phrases, as well as convenient, easy-to-remember keyboard shortcuts. It is clear that there is no arbitrary set of characters in dictionaries. But even in this case there is a way out. Some utilities designed for password guessing can generate dictionaries from a given set of characters with a specified maximum word length. An example of such a program is the PasswordPro v.2.4.2.0 utility. (www.insidepro.com).

So, to guess the password we used the following command:

aircrack-ng -a 2 -e ComputerPress -b 00:18:c7:04:5e:65 -w /mnt/sda1/password.lst /mnt/sda1/WPAdump-01.cap

where -a 2 specifies that WPA-PSK encryption is used; -e ComputerPress indicates that the network identifier is ComputerPress; -b 00:18:c7:04:5e:65 indicates the MAC address of the access point; -w /mnt/sda1/password.lst is the path to the dictionary; and /mnt/sda1/WPAdump-01.cap is the path to the capture file.

In our case, we used a 60 MB dictionary and were able to guess the password quite quickly (Fig. 15). True, we knew in advance that the password was in the dictionary, so finding the password was only a matter of time.

Fig. 15. Guessing a WPA-PSK password with the aircrack-ng utility

However, we note once again that the probability of hacking a WPA-PSK password using a dictionary is close to zero. If the password is not specified in the form of any word, but is a random combination of letters and numbers, then it is almost impossible to guess it. In addition, it is necessary to take into account that the aircrack-ng program provides only one method of working with the dictionary - the brute force method. And such intelligent ways of working with the dictionary, such as checking a word written down twice, checking the reverse order of the characters of a word, replacing the Latin layout, etc., alas, are not provided. Of course, all this can be implemented in subsequent versions of the program, but even in this case, the efficiency of selection from the dictionary will be low.

To convince readers that it is almost impossible to break WPA encryption, let's do a little math.

Passwords, even when they are a meaningless string of characters, are typically between 5 and 15 characters long. Each character can be one of 52 (case-sensitive) letters of the English alphabet, one of 64 (case-sensitive) letters of the Russian alphabet, or one of 10 digits. Special characters can be taken into account as well. Of course, we can assume that nobody uses special characters and that passwords are typed from letters of the English alphabet and digits. But even then each character can take one of 62 values. With a password length of 5 characters, the number of possible combinations is 62^5 = 916,132,832, and the size of such a dictionary is more than 2.6 GB. With a password length of 10 characters, the number of possible combinations is 62^10 ≈ 8.4×10^17, and the size of the dictionary is approximately 6 million TB. If we take into account that the speed of searching through candidate passwords from a dictionary is not very high, approximately 300 passwords per second, it turns out that searching through all possible passwords in such a dictionary would take no less than 100 million years!
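The arithmetic in the paragraph above generalises to any alphabet, length and guess rate, which is how a defender would score a candidate passphrase before deploying it. The block below is an added example written for this page, not code from the article: it reuses the article's figures (a 62-symbol alphabet of English letters and digits, roughly 300 guesses per second) but the functions, the per-password alphabet estimate and the table over the article's 5 to 15 character range are mine.

```python
"""Search-space and exhaustion-time estimate for a WPA-PSK passphrase.

Added example, not code from the article. The 62-symbol alphabet and the
300 guesses/second rate are the article's figures; the functions are mine.
"""
import string

SECONDS_PER_YEAR = 365 * 24 * 3600

# Standard character classes and their sizes.
CLASSES = (
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation), len(string.punctuation)),
)


def charset_size(password: str) -> int:
    """Smallest alphabet an attacker must enumerate to cover every class the password uses."""
    size = 0
    for _, members, weight in CLASSES:
        if any(ch in members for ch in password):
            size += weight
    return size


def keyspace(charset: int, length: int) -> int:
    """Number of distinct candidates of exactly `length` characters over `charset` symbols."""
    return charset ** length


def years_to_exhaust(charset: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(charset, length) / guesses_per_second / SECONDS_PER_YEAR


def strength_table(charset: int, lengths: range, guesses_per_second: float) -> list:
    """(length, keyspace, years) rows, e.g. for the article's 5..15 character range."""
    return [(n, keyspace(charset, n), years_to_exhaust(charset, n, guesses_per_second))
            for n in lengths]


def estimate(password: str, guesses_per_second: float = 300.0) -> dict:
    """Estimate for one concrete passphrase; the passphrase itself is neither stored nor printed."""
    cs = charset_size(password)
    return {"length": len(password), "charset": cs,
            "keyspace": keyspace(cs, len(password)),
            "years": years_to_exhaust(cs, len(password), guesses_per_second)}


if __name__ == "__main__":
    for n, space, years in strength_table(62, range(5, 16), 300.0):
        print(f"{n:2d} chars: {space:.3e} candidates, {years:.3e} years at 300 guesses/s")
```

Run as a script it prints the table for the article's range; with the article's figures the 10-character case comes out at about 89 million years, the same order of magnitude as the article's rounded estimate. The guess rate is the parameter to watch: the estimate scales linearly with it, so a much faster attacker shortens the time proportionally, while every extra character multiplies the work by the alphabet size.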

Bypassing MAC address filter protection

At the very beginning of the article, we noted that in addition to WEP and WPA-PSK encryption, functions such as hidden network identifier mode and MAC address filtering are often used. These are traditionally classified as wireless security features.

As we have already demonstrated with the aircrack-ng package, you cannot rely on the hidden network ID mode. The airodump-ng utility will still show you the network ESSID, which can later be used to create a connection profile (unauthorized!) to the network.

If we talk about such a security method as filtering by MAC addresses, then this precautionary measure is not very effective. This is a kind of foolproof protection that can be compared to a car alarm.

On the Internet you can find quite a lot of Windows utilities that let you change the MAC address of a network interface. An example is the free MAC MakeUP utility (www.gorlani.com/publicprj/macmakeup/macmakeup.asp).

By changing the MAC address, an attacker can impersonate a legitimate client and gain unauthorized access to the wireless network. Moreover, both clients (the real one and the uninvited one) will coexist quite calmly on the same network with the same MAC address, and in this case the uninvited guest will even be assigned exactly the same IP address as the real network client.

In the case of Linux systems, no utilities are required at all. All you need to do in the Shell is run the following commands:

ifconfig wlan0 down

ifconfig wlan0 hw ether [newMAC-address]

ifconfig wlan0 up

The first command disables the wlan0 interface, the second assigns the new MAC address to the wlan0 interface, and the third enables the wlan0 interface again.

When using the BackTrack distribution, the macchanger command can be used to change the MAC address, with the following syntax:

ifconfig wlan0 down

macchanger -m [newMAC-address] wlan0

ifconfig wlan0 up

The macchanger command can also be used with the -r parameter (macchanger -r wlan0); in this case the wlan0 interface is assigned a random MAC address.
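Because a MAC address is set from user space with the commands just shown, the only host-side evidence that it was changed is a mismatch between the address the interface currently uses and the one burned into the hardware. The following check is an added example written for this page, not code from the article: it compares the two on a Linux host and also reports whether the current address has the locally administered bit set, which vendor-assigned addresses never do. It assumes the current address is readable from /sys/class/net/<iface>/address and that ethtool -P prints the burned-in one as "Permanent address: ..."; some wireless drivers report all zeros there, which the check treats as unknown. The sample ethtool output is constructed, not captured from a real host.

```python
"""Spot a Linux network interface whose MAC address was changed locally.

Added example, not code from the article. Assumptions: the current address is
readable from /sys/class/net/<iface>/address, and `ethtool -P <iface>` prints
the burned-in address as "Permanent address: xx:xx:xx:xx:xx:xx". Some wireless
drivers report all zeros there; the check then returns "unknown" (None).
"""
import pathlib
import re
import subprocess

PERMANENT_RE = re.compile(r"Permanent address:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")
UNKNOWN_MACS = {"", "00:00:00:00:00:00"}


def normalize_mac(mac: str) -> str:
    return mac.strip().lower()


def parse_permanent(ethtool_output: str) -> str:
    """Extract the permanent address from `ethtool -P` output ("" if absent)."""
    m = PERMANENT_RE.search(ethtool_output)
    return normalize_mac(m.group(1)) if m else ""


def is_locally_administered(mac: str) -> bool:
    """Bit 1 (0x02) of the first octet marks a locally administered, non-vendor address."""
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def mac_changed(current: str, permanent: str):
    """True/False when the permanent address is known, None when the driver does not report it."""
    p, c = normalize_mac(permanent), normalize_mac(current)
    if p in UNKNOWN_MACS:
        return None
    return c != p


def current_mac(iface: str) -> str:
    return normalize_mac(pathlib.Path(f"/sys/class/net/{iface}/address").read_text())


def permanent_mac(iface: str) -> str:
    try:
        out = subprocess.run(["ethtool", "-P", iface], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return ""                        # ethtool missing or interface unknown
    return parse_permanent(out)


def check(iface: str) -> dict:
    """Gather both addresses for one interface and summarise the comparison."""
    cur = current_mac(iface)
    perm = permanent_mac(iface)
    return {"iface": iface, "current": cur, "permanent": perm or None,
            "changed": mac_changed(cur, perm),
            "locally_administered": is_locally_administered(cur)}


# Constructed sample output (not from a real host), in the format ethtool prints.
SAMPLE_ETHTOOL = "Permanent address: 00:19:e0:82:20:42\n"

if __name__ == "__main__":
    import sys
    print(check(sys.argv[1] if len(sys.argv) > 1 else "wlan0"))
```

On a managed endpoint fleet this is a cheap integrity signal to collect; on the network side it helps nothing, since the spoofing host is not one you control. That is the practical reading of the article's point: MAC filtering is a convenience setting, and the real control remains strong WPA2-PSK encryption with a passphrase that no dictionary contains.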

Conclusions

So, it is not difficult to overcome the entire security system of a wireless network based on WEP encryption. At the same time, it should be noted that the WEP protocol is already obsolete and is practically not used. Indeed, what is the point of setting up vulnerable WEP encryption on a wireless network if all wireless access points and network adapters support WPA/WPA2-PSK encryption? Therefore, you cannot expect that you will be able to find such an ancient network.

From the attacker's point of view, when hacking into networks that use WPA encryption, things are rather unpromising. When choosing a password, it is enough to combine numbers and letters of upper and lower case - and no dictionary will help. It is almost impossible to guess such a password.

The son asks the programmer father:
- Dad, why does the sun rise in the east?
- Have you checked this?
- Yes.
- Does it work?
- Yes.
- Does it work every day?
- Yes.
- Then, son, for God's sake, don't touch anything, don't change anything!

Of course, it was thought that the problem lay with Reaver. Errors like "WARNING: Failed to associate with" appeared in it endlessly, and even without Pixiewps it stopped picking up anything for me. But if you take a closer look at the work of other programs, for example Wifite, you will see the same problem: the attack on WPS does not work. Penetrator-WPS also does not work.

The answer was suggested by one of the site visitors named Vladimir. Here is his message:

"I noticed a problem that airmon does not always switch the card to monitor mode (the name of the card changed to wlan0mon, but the mode remained managed), this time penetrator was not able to switch the card to monitor. As a result, I switched the card to monitor mode manually via iwconfig wlan0 mode monitor. After this penetrator -i wlan0 -A started working"

Vladimir, thank you so much for pointing me to the right decision!


In my case (and I think in others who have a similar situation with Reaver), it turned out that the card simply did not switch to monitor mode.

This can be done, as Vladimir pointed out, with the following command:

iwconfig wlan0 mode monitor

However, my command gave me the following error:

Error for wireless request "Set Mode" (8B06) : SET failed on device wlan0 ; Device or resource busy.

The following sequence of commands allowed me to overcome this error and switch the card to monitor mode:

ifconfig wlan0 down

iwconfig wlan0 mode monitor

ifconfig wlan0 up

As a result, the card was switched to monitor mode and programs using this mode started working properly.

Today's article is a great example of how our own knowledge increases when we share it with others.
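The lesson of the post above is that the interface name (wlan0mon) proves nothing; only the mode the driver reports does. The block below is an added example written for this page, not code from the post or from the aircrack-ng project: it parses what iw dev <iface> info (or the older iwconfig) prints, answers whether the interface is really in monitor mode, and, if asked to switch, runs the same down / set mode / up sequence the post arrived at, then re-checks instead of trusting it. It assumes the iw and ip tools (or iwconfig) are installed and that it runs as root when it has to change the mode; the sample tool outputs embedded in it are constructed, not captured.

```python
"""Verify that a wireless interface is really in monitor mode, whatever its name says.

Added example, not code from the post. It assumes the `iw` and `ip` tools (or the
older `iwconfig`) are installed and that it runs as root when it has to switch
the mode; the sample outputs below are constructed, not captured.
"""
import re
import subprocess

IW_TYPE_RE = re.compile(r"^\s*type\s+(\S+)", re.MULTILINE)   # `iw dev <iface> info`
IWCONFIG_MODE_RE = re.compile(r"Mode:(\w+)")                 # `iwconfig <iface>`

# Constructed samples of what the two tools print (not from a real host).
SAMPLE_IW_MANAGED = (
    "Interface wlan0mon\n\tifindex 3\n\twdev 0x1\n"
    "\taddr 00:19:e0:82:20:42\n\ttype managed\n\twiphy 0\n"
)
SAMPLE_IW_MONITOR = SAMPLE_IW_MANAGED.replace("type managed", "type monitor")
SAMPLE_IWCONFIG_MONITOR = (
    "wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.467 GHz  Tx-Power=20 dBm\n"
)


def mode_from_iw_info(text: str):
    """Mode reported by `iw dev <iface> info`, lower-cased, or None if not found."""
    m = IW_TYPE_RE.search(text)
    return m.group(1).lower() if m else None


def mode_from_iwconfig(text: str):
    """Mode reported by `iwconfig <iface>`, lower-cased, or None if not found."""
    m = IWCONFIG_MODE_RE.search(text)
    return m.group(1).lower() if m else None


def is_monitor(text: str) -> bool:
    """True only when the tool output actually reports monitor mode; the name is ignored."""
    return (mode_from_iw_info(text) or mode_from_iwconfig(text)) == "monitor"


def current_mode(iface: str):
    """Query the running system: `iw` first, `iwconfig` as a fallback."""
    for cmd, parser in ((["iw", "dev", iface, "info"], mode_from_iw_info),
                        (["iwconfig", iface], mode_from_iwconfig)):
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError):
            continue                     # tool missing or interface unknown to it
        mode = parser(out)
        if mode:
            return mode
    return None


def ensure_monitor(iface: str) -> bool:
    """Apply the post's down / set mode / up sequence, then re-check instead of trusting it."""
    if current_mode(iface) == "monitor":
        return True
    for cmd in (["ip", "link", "set", iface, "down"],
                ["iw", "dev", iface, "set", "type", "monitor"],
                ["ip", "link", "set", iface, "up"]):
        subprocess.run(cmd, check=True)  # raises if any step fails, e.g. "Device or resource busy"
    return current_mode(iface) == "monitor"


if __name__ == "__main__":
    import sys
    iface = sys.argv[1] if len(sys.argv) > 1 else "wlan0"
    print(iface, "is in monitor mode" if ensure_monitor(iface) else "is NOT in monitor mode")
```

The final re-check is the important part: the post's "Device or resource busy" error is exactly why the mode must be set with the interface down, and a script that only issued the commands would report success on a card that silently stayed in managed mode, which is the failure the post describes.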

Monitoring mode ("promiscuous" or tracking mode) and native (standard) mode are the two data capture modes supported by and. Capture in monitoring mode can be performed with any adapter compatible with the NDIS driver, or with professional equipment such as an AirPcap card.

Depending on the selected capture type, you can get more detailed information about the Wi-Fi network. Read on to find out what data is available in each capture mode!

Native capture mode

The Acrylic WiFi package is compatible with any Wi-Fi adapter in native (standard) capture mode. When monitoring in native Wi-Fi mode, the adapter behaves just like any other standard Wi-Fi equipment.

The adapter uses standard Windows tools to capture only a certain type of Management packets, namely Beacon packets that are transmitted by the access point. These packets are transmitted by the access point several times per second and indicate that a network or networks are currently transmitting.

Acrylic WiFi tools analyze and interpret these packets, displaying the information they contain and storing it in the current project.

When capturing data in native mode, no specialized equipment is required to take measurements.

Information available in standard mode when using Acrylic WiFi Professional

Acrylic WiFi Professional provides the following information when capturing data in native mode: SSID, MAC addresses, signal strength, channels, bandwidth, IEEE 802.11 standard, maximum packet rate, WEP, WPA, WPA2, WPS, password, WPS PIN, manufacturer, first AP detection time, last AP detection time, connection type, as well as latitude and longitude (available when a GPS device is connected).

Graphs available in Acrylic WiFi Heatmaps in standard mode

Acrylic WiFi Heatmaps can generate the following reports in native capture mode: RSSI, access point coverage, channel coverage, maximum supported transmission rate, number of access points, channel overlap, data grouped by cell, bandwidth*, latency*, packet loss* and access point roaming*.

*Reports are available upon completion.

Monitoring mode using NDIS driver

Monitoring mode is a data capture mode in which the Wi-Fi adapter operates in tracking or "promiscuous" mode. In this mode the adapter can capture all types of Wi-Fi frames: Management (including Beacon frames), Data and Control. This way you can display not only access points but also the clients that transmit data on the Wi-Fi network frequencies.

To use monitoring mode, an adapter compatible with our NDIS driver is required, or a professional Wi-Fi adapter such as an AirPcap card, which supports capture in both native and monitoring modes.

To enable monitoring mode on adapters compatible with our driver, you must install the NDIS driver. This can be done in the Acrylic WiFi program using the NDIS driver installation button located next to the button to enable monitoring mode capture.

Information available in NDIS monitoring mode using Acrylic WiFi Professional

When capturing data in monitoring mode, Acrylic WiFi Professional provides not only all the data obtained when working in standard mode, but also information about client devices connected to various access points (#), number of packet retries (Retries), data packets (Data) and management type packets (Mgt).

Data available in NDIS monitoring mode in Acrylic WiFi Heatmaps

When capturing data in monitoring mode, you can display not only the data available when capturing in standard mode, but also a density map (Cell Density: the density of devices connected to the selected access points) and the packet retransmission rate (Retries rate).

Monitoring mode using AirPcap adapter

In addition, it is possible to capture traffic in monitoring mode using professional Wi-Fi network analysis equipment, such as Riverbed's AirPcap cards. These cards support both native mode and monitoring mode and, being designed specifically for this purpose, deliver better performance. Therefore, when capturing in monitoring mode with an AirPcap card, not only all the data available in monitoring mode with an NDIS-driver-compatible adapter is available, but also signal-to-noise ratio (SNR) information.

The value of the SNR parameter helps evaluate the quality of the connection, as it takes into account the strength of the received signal and the noise level in the wireless network. The parameter can take values from 0 (worst) to 100 (best). A value above 60 is considered good.

Tracking the SNR parameter is available both in the program and in . Try it yourself!

Or Elcomsoft Wireless Security Auditor for Windows.

WinPcap and Wi-Fi traffic restrictions in Wireshark

The limitations on capturing Wi-Fi packets in Windows come from the WinPcap library, not from the Wireshark program itself. After all, Wireshark does support specialized and rather expensive Wi-Fi adapters whose drivers allow network traffic to be tracked in the Windows environment, which is often called promiscuous capture of Wi-Fi network traffic.

Video instructions for using Acrylic WiFi with Wireshark on Windows

We have prepared a video demonstrating the process, which will help if you still have questions or if you want to see how wireless traffic is captured with any Wi-Fi card in Wireshark for Windows.

Download including many additional functions for capturing traffic and processing the received data. You can try the program for free or purchase it to support further development (we introduce new features every week). The free version also supports Wireshark integration. Check out the list
