HellBound Hackers | Computer General | Hacking in general

WPA wireless hacking

rootDaemon
Member, Posts: 12, Joined: 14.11.10, Rank: Guest
Posted on 13-06-11 21:52
I'm testing some wireless hacking out. The router is running WPA2-PSK for security. After a deauth, I have the encrypted router password, which I managed to crack. So my question is, now what? I can obviously connect to the router and use their internet, but is there any way I can eavesdrop on the network traffic, i.e. passwords and such, or am I unable to read the encrypted packets just because I have the router password?


Aut viam inveniam aut faciam


http://www.squidoo.com/lensmasters/rootDaemon

Night_Stalker
Member, Posts: 329, Joined: 01.02.07, Rank: Apprentice
Posted on 14-06-11 00:53
There are many ways you could do that.
Ettercap or Wireshark could allow you to do a MITM on the network through ARP poisoning.
It's quite easy to do.

Just google for MITM attacks, you'll find a lot on it.

Ettercap is what I usually use for this, and for monitoring my own network traffic too.

It will work the same way with LAN networks as well; however, you'd want to be careful if you're doing it on someone's network without permission, because it's easy to detect any suspicious ARP activity and people sniffing traffic who are using programs like Ettercap or Wireshark.

I know that Ettercap even has a plugin that reports any suspicious ARP activity to you, as well as searching for other people using Ettercap or other sniffers on the network.




Edited by Night_Stalker on 14-06-11 01:07
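Night_Stalker's point that ARP poisoning is easy to spot is what host-side monitors such as arpwatch rely on: every ARP reply asserts an IP-to-MAC binding, and a poisoner has to overwrite bindings that were already learned. The detector below is an added example for this thread, not code from the thread or from Ettercap's plugin; the ARP replies it runs over are constructed, and the `ArpReply`, `ArpWatcher` and `detect` names are mine.

```python
"""Spot ARP cache poisoning from the ARP replies a host receives.

Added illustration for this thread, not code from the thread or from
Ettercap's ARP plugin. It does what arpwatch-style monitors do: learn the
IP-to-MAC binding each reply asserts and alert when a binding flips or when
one MAC starts answering for several IPs. The replies below are constructed.
"""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """The parts of an ARP 'is-at' reply that matter for detection."""
    ts: float         # capture time in seconds
    sender_ip: str    # the IP the sender claims to own
    sender_mac: str   # the MAC it says that IP lives at


class ArpWatcher:
    """Stateful monitor: remembers bindings and reports changes."""

    def __init__(self):
        self.ip_to_mac = {}                  # ip -> last MAC seen for it
        self.mac_to_ips = defaultdict(set)   # mac -> every IP it has claimed

    def observe(self, reply: ArpReply):
        """Return the alerts raised by one reply (empty list if it looks benign)."""
        alerts = []

        # A binding flip: the IP was known at one MAC and now claims another.
        # Poisoning produces this for the gateway's IP and the victim's IP.
        known = self.ip_to_mac.get(reply.sender_ip)
        if known is not None and known != reply.sender_mac:
            alerts.append(("flip-flop", reply.sender_ip, known, reply.sender_mac))
        self.ip_to_mac[reply.sender_ip] = reply.sender_mac

        # One MAC answering for several IPs: a host that starts claiming an IP
        # it never used before, on top of its own.
        claimed = self.mac_to_ips[reply.sender_mac]
        if claimed and reply.sender_ip not in claimed:
            alerts.append(("multi-ip", reply.sender_mac,
                           tuple(sorted(claimed | {reply.sender_ip}))))
        claimed.add(reply.sender_ip)
        return alerts


def detect(replies):
    """Run a fresh watcher over a sequence of replies and collect all alerts."""
    watcher = ArpWatcher()
    return [alert for reply in replies for alert in watcher.observe(reply)]


# Constructed capture: a small LAN where 192.168.1.30 starts poisoning the
# gateway (192.168.1.1) and a victim (192.168.1.20) at t=5s.
SAMPLE_REPLIES = [
    ArpReply(0.000, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # real gateway
    ArpReply(0.050, "192.168.1.20", "bb:bb:bb:bb:bb:20"),  # victim
    ArpReply(0.120, "192.168.1.30", "cc:cc:cc:cc:cc:30"),  # third host
    ArpReply(5.000, "192.168.1.1",  "cc:cc:cc:cc:cc:30"),  # .30 claims the gateway IP
    ArpReply(5.001, "192.168.1.20", "cc:cc:cc:cc:cc:30"),  # .30 claims the victim IP
    ArpReply(6.000, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # real gateway answers again
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_REPLIES):
        print(alert)
```

Two caveats a practitioner would add: a DHCP lease moving to another machine, or a router failover pair, produces the same flip-flop signal, so real deployments keep an allow-list; and since ARP replies are unicast, a monitor only sees the replies aimed at it, so this either runs on each host watching its own cache or on a port that mirrors the segment.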

Guest
Posted on 14-06-11 01:20
If you have the encryption key you should be able to decrypt all traffic. You could connect to the network using this key and simply run C&A.

I wouldn't be worried about getting detected if it's a simple household. If you're running Backtrack or some other Linux there are a lot of tools available.

Night_Stalker
Member, Posts: 329, Joined: 01.02.07, Rank: Apprentice
Posted on 14-06-11 01:25
Yeah, like he said ^^, most normal people won't monitor it.
BackTrack has many tools built in, Pentoo does as well.
Russix was made for Wi-Fi attacks; it's alright if that's all you want to do, but it's a bit older and doesn't support some newer hardware.


You can just PM me on here if you have any questions, and I'll try to give an answer.



rootDaemon
Member, Posts: 12, Joined: 14.11.10, Rank: Guest
Posted on 14-06-11 02:56
Is a MITM attack really necessary to capture packets across a WLAN, or are there other ways to do it?



Night_Stalker
Member, Posts: 329, Joined: 01.02.07, Rank: Apprentice
Posted on 14-06-11 03:38
You'll probably need to do some ARP poisoning and have all the packets sent to you first; then you send them to the router, then back to you, and then back to the victim computer. That'd be a MITM attack.

I'm not sure how you'd sniff for login credentials without ARP poisoning, but I'm sure it's possible; it's just that ARP poisoning is the only way I've done it over WLAN/LAN.

Check your PMs, I replied to your question saying how to set it up. I also sent a link to another tutorial on it that had pictures of setting it up. Hope it helps.



starofale
Member, Posts: 218, Location: England, Joined: 05.12.07, Rank: Moderate
Posted on 14-06-11 03:49
@rootDaemon:
Look into putting your wireless card in promiscuous mode or monitor mode.
Unfortunately I didn't succeed when I tried what you are doing a few months ago and I don't have a wireless network to test on any more, so can't guarantee that this will work.


Night_Stalker wrote:
it's easy to detect any suspicious ARP activity and people sniffing traffic who are using programs like Ettercap or Wireshark.

Just to point out - you won't be able to detect people who are only using Wireshark (no ARP poisoning).


Try a new search engine

Night_Stalker
Member, Posts: 329, Joined: 01.02.07, Rank: Apprentice
Posted on 14-06-11 04:08
starofale wrote:
@rootDaemon:
Look into putting your wireless card in promiscuous mode or monitor mode.
Unfortunately I didn't succeed when I tried what you are doing a few months ago and I don't have a wireless network to test on any more, so can't guarantee that this will work.


Night_Stalker wrote:
it's easy to detect any suspicious ARP activity and people sniffing traffic who are using programs like Ettercap or Wireshark.

Just to point out - you won't be able to detect people who are only using Wireshark (no ARP poisoning).


I didn't think you could.

Is it possible for someone to view the info being sent through the network without ARP poisoning?
<offtopic>
It'd be pretty nasty if someone did that, because I suppose then they could, more easily undetected, redirect traffic to a self-hosted malicious PHP script to spawn a meterpreter shell or something on the victim's computer, then bind to another process to maintain access after the web browser is closed.
</offtopic>

If it's possible to view info (URLs visited, usernames, passwords, etc.) being passed over it without ARP poisoning, or to redirect someone to another page (I think it's called DNS spoofing, right? I can't remember now), how would you defend against something like that on your network?



starofale
Member, Posts: 218, Location: England, Joined: 05.12.07, Rank: Moderate
Posted on 14-06-11 04:28
Night_Stalker wrote:
It'd be pretty nasty if someone did that, because I suppose then they could, more easily undetected, redirect traffic to a self-hosted malicious PHP script to spawn a meterpreter shell or something on the victim's computer, then bind to another process to maintain access after the web browser is closed.

Only if you found a 0-day exploit or if the victim was using unpatched software.

Night_Stalker wrote:
how would you defend against something like that over your network?

- Don't let untrusted people on your network.
- If you're on someone else's network, only use encrypted protocols.



Edited by starofale on 14-06-11 04:29

Night_Stalker
Member, Posts: 329, Joined: 01.02.07, Rank: Apprentice
Posted on 14-06-11 04:49
I have WPA (TKIP+PSK) enabled, a random 10-character password, and MAC filtering, so I think I'd be alright on not letting people in, but I'm not sure. Lol.

Before I had mac filtering on, I noticed my creepy redneck neighbour had gotten the password from my little brother...
It's interesting watching his web browsing habits, and it was fun to mess with him by sending him to pages that he didn't want to go to. I bet it caused him some awkward talks with his mum and dad when they walked in and saw the computer loading up a Google search for gay porn. xD

0-day exploit, that's when you know there's a certain vulnerability in a program that's running on a computer and you use that to attack the computer?
Like if they're running Windows and they have some program running that is vulnerable to an exploit, and you exploit it with a buffer overflow or whatever it is that the software's flaw is vulnerable to, to get an admin command prompt or get control over some other thing that it may allow?





stealth-
Member, Posts: 1003, Location: Eh?, Joined: 10.04.09, Rank: Mad User
Posted on 14-06-11 05:40
rootDaemon wrote:
Is a MITM attack really necessary to capture packets across a WLAN, or are there other ways to do it?


If you are asking if it is possible to use your captured key to decrypt everyone's traffic over the air, then no, it is not with WPA.

WPA takes the base "key" and uses that to derive a unique key for each connected client, and then they use *that* key to encrypt/decrypt data. You can connect to the access point, but you can't capture and read the traffic of other clients over the air.

You will have to use a WLAN network MitM method, such as ARP poisoning.

Night_Stalker wrote:
I have WPA (TKIP+PSK) enabled, a random 10-character password, and MAC filtering, so I think I'd be alright on not letting people in, but I'm not sure. Lol.


Unless you are worried that someone will dedicate a machine to cracking for around 4274902 years, I don't think you have to be too concerned.

0-Day exploit, that's when you know there's a certain vulnerability in a program that's running on a computer and you use that to attack the computer?


An 0-Day vulnerability is just a vulnerability that has no fix. An 0-day exploit is just an exploit that utilizes an 0-day vulnerability to gain access to a host.

starofale wrote:
Night_Stalker wrote:
it's easy to detect any suspicious ARP activity and people sniffing traffic who are using programs like Ettercap or Wireshark.

Just to point out - you won't be able to detect people who are only using Wireshark (no ARP poisoning).


If they are using Wireshark on the WLAN without ARP poisoning, they won't be able to see anything but their own traffic (assuming it's a switch). It wouldn't be able to decrypt traffic over the air, either, for reasons mentioned above.


The irony of man's condition is that the deepest need is to be free of the anxiety of death and annihilation; but it is life itself which awakens it, and so we must shrink from being fully alive.
http://www.stealt. . .

Edited by stealth- on 14-06-11 05:41
http://www.stealth-x.com
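stealth- describes WPA turning the shared key into a different key per client. The following is an added example, not code from the thread or from any tool named in it, that carries out that derivation as IEEE 802.11i specifies it: the passphrase and SSID go through PBKDF2-HMAC-SHA1 to give the Pairwise Master Key (PMK), which everyone holding the passphrase shares, and the 4-way handshake then expands the PMK with both MAC addresses and both nonces into a Pairwise Transient Key (PTK) whose temporal key protects that one client's frames. The MAC addresses and nonces are constructed; the passphrase/SSID pair "password"/"IEEE" is the standard's own test vector.

```python
"""WPA/WPA2-PSK key hierarchy: why the passphrase is not the per-client key.

Added illustration for this thread, not code from the thread or from any
tool named in it. It follows IEEE 802.11i: passphrase and SSID give the
PMK, and the 4-way handshake material (both MAC addresses and both nonces)
expands the PMK into a PTK whose temporal key (TK) protects that one
client's frames. The MAC addresses and nonces below are constructed.
"""

import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output (802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbytes: int = 48) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion",
                 Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).

    48 bytes is the CCMP size (KCK 16 | KEK 16 | TK 16); TKIP uses PRF-512.
    Min/Max compare the values as octet strings, which is what bytes ordering does.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def split_ptk_ccmp(ptk: bytes) -> dict:
    """Cut a 48-byte CCMP PTK into its three parts."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def per_client_keys(passphrase: str, ssid: str, ap_mac: bytes, clients) -> dict:
    """TK each client ends up with. `clients` is a list of (client_mac, anonce, snonce)."""
    pmk = derive_pmk(passphrase, ssid)   # one PMK for the whole network
    return {mac: split_ptk_ccmp(derive_ptk(pmk, ap_mac, mac, anonce, snonce))["tk"]
            for mac, anonce, snonce in clients}


# Constructed demo values: one AP and two clients sharing the same passphrase.
AP_MAC = bytes.fromhex("020000000001")
CLIENTS = [
    (bytes.fromhex("020000000010"), bytes(range(32)), bytes(range(32, 64))),
    (bytes.fromhex("020000000011"), bytes(range(64, 96)), bytes(range(96, 128))),
]

if __name__ == "__main__":
    print("PMK (shared by everyone who knows the passphrase):",
          derive_pmk("password", "IEEE").hex())
    for mac, tk in per_client_keys("password", "IEEE", AP_MAC, CLIENTS).items():
        print(f"client {mac.hex()} TK: {tk.hex()}")
```

The design point for a defender: the only secret in this derivation is the PMK, while the MAC addresses and nonces travel in the clear during the handshake. Per-client separation on a PSK network therefore rests entirely on the passphrase staying private, which is why networks shared with people you do not trust are better served by 802.1X (WPA-Enterprise), where each user authenticates separately and receives a PMK of their own.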

Night_Stalker
Member, Posts: 329, Joined: 01.02.07, Rank: Apprentice
Posted on 14-06-11 06:06
stealth- wrote:
If you are asking if it is possible to use your captured key to decrypt everyone's traffic over the air, then no, it is not with WPA.


So I'm guessing that it is possible to decrypt it over the air if the encryption type is WEP?



starofale
Member, Posts: 218, Location: England, Joined: 05.12.07, Rank: Moderate
Posted on 14-06-11 15:17
stealth- wrote:
WPA takes the base "key" and uses that to derive a unique key for each connected client, and then they use *that* key to encrypt/decrypt data. You can connect to the access point, but you can't capture and read the traffic of other clients over the air.

Well that explains why I couldn't get it to work before.

stealth- wrote:
If they are using Wireshark on the WLAN without ARP poisoning, they won't be able to see anything but their own traffic (assuming it's a switch). It wouldn't be able to decrypt traffic over the air, either, for reasons mentioned above.

My point was just that Wireshark doesn't send out anything, so you can't be detected if that is all you are using.
With just Wireshark you would still be able to see other people's data on hub-based networks and I'd assume on unencrypted wireless networks as well.



Edited by starofale on 14-06-11 15:20

stealth-
Member, Posts: 1003, Location: Eh?, Joined: 10.04.09, Rank: Mad User
Posted on 14-06-11 17:06
Night_Stalker wrote:
stealth- wrote:
If you are asking if it is possible to use your captured key to decrypt everyone's traffic over the air, then no, it is not with WPA.


So I'm guessing that it is possible to decrypt it over the air if the encryption type is WEP?


Yes, WEP uses the same key for encrypting all packets and for all clients.
That's actually a large part of why WEP can be cracked so easily.

starofale wrote:
My point was just that Wireshark doesn't send out anything, so you can't be detected if that is all you are using.
With just Wireshark you would still be able to see other people's data on hub-based networks and I'd assume on unencrypted wireless networks as well.


Yup, definitely.



rootDaemon
Member, Posts: 12, Joined: 14.11.10, Rank: Guest
Posted on 14-06-11 19:58
So if the router were running WEP, once you've connected to the router a program like Wireshark will sniff and decrypt all the wireless traffic?



Guest
Posted on 14-06-11 23:44
If you have the key, whatever program you are using uses that key to decrypt traffic and encrypt your traffic.

Guest
Posted on 16-06-11 19:29
Night_Stalker wrote:
Before I had mac filtering on, I noticed my creepy redneck neighbour had gotten the password from my little brother...
It's interesting watching his web browsing habits, and it was fun to mess with him by sending him to pages that he didn't want to go to. I bet it caused him some awkward talks with his mum and dad when they walked in and saw the computer loading up a Google search for gay porn. xD


Out of curiosity, how did you do that? Sending him to other pages, I mean. Did you somehow change his request header, or did you manage to send a redirect in the HTML?

curious George

Night_Stalker
Member, Posts: 329, Joined: 01.02.07, Rank: Apprentice
Posted on 16-06-11 20:38
Shazrah wrote:

Out of curiosity, how did you do that? Sending him to other pages, I mean. Did you somehow change his request header, or did you manage to send a redirect in the HTML?

curious George


I used one of the plugins in Ettercap. I think it was the DNS spoofing plugin?
I remember I had to manually edit and add certain URLs in a config file and then set what I wanted them to redirect to.

I just googled and found what looks like a guide on how to do it.
http://www.bright. . .17869.aspx



garabaldi
Member, Posts: 8, Joined: 31.03.11, Rank: Newbie
Posted on 18-06-11 18:04
Definitely DNS spoofing, which can be a lot of fun! It's also good for directing users to phishing pages.

Guest
Posted on 18-06-11 19:23
That is very cool, thanks.