From 9eb47657e111d7867fae956a966e701fa5f58c7a Mon Sep 17 00:00:00 2001 From: Camerin Figueroa Date: Thu, 23 Dec 2021 15:38:53 -0500 Subject: [PATCH] Finished the POC Article --- public/api/articles.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/public/api/articles.json b/public/api/articles.json index fe37763..09267d6 100644 --- a/public/api/articles.json +++ b/public/api/articles.json 
@@ -16,7 +16,7 @@ "id": 2, "title": "(POC) Cracking Wifi using Phone Numbers", "desc": "Showing you how to crack wifi passwords using phone numbers.", - "contents":"*Introduction*This article is a proof of concept and should show you why it's dangerous to use your phone number as your wifi password. Since the introduction of wifi, people have tried breaking into and exploiting it. WEP an old edition of wifi password security was a very weak method and could be easily broken just by sniffing wifi traffic coming to/from the AP. Since the introduction of WPA security, cracking has become more and more difficult. Although, if you can find the right password, one could potentially crack the login for wireless networks. This is done by sniffing for a specific traffic containing an EAPoL or Extensible Authentication Protocol over Lan. This essentially contains an hashed version of the wifi password. Using this we can then bruteforce the password and crack the password. As found in another article (see references) many people use their phone numbers as their wifi passwords. This can make it specifically easy to crack since your phone number is often related to your location through your area code. For example, if I was living in New York City, my area code would be either 212 or 718. If the wifi's password hash was sniffed somewhere in NYC, every phone number could be stored in a file around 200MB in size. With the technology of today, that password would be cracked in a matter of minutes if you used a phone number as your password. *Prerequisits*~Linux~ ~Wifi Card~ ~git~ ~python3~ *Creating a Phone List* In order to create the list of phone numbers you'll need to use a tool that I created. You can grab the files by cloning the repository `git clone https://github.com/RaspberryProgramming/phone-wordlist-generator` Enter the folder by running `cd phone-wordlsit-generator` Using this you can generate every phone number in your area code and put it into a file. 
Replacing AREA with your area code run `python3 main.py --staticnum AREA` You will then find the phone numbers in a file called phones.list *Capturing Wifi Hashes* You might be wondering, how would I even get these password hashes? Theres a simple tool called aircrack-ng that gives you a suite of tools that you'll need. If you're running Ubuntu Linux you can run `sudo apt install aircrack-ng` To install all of the necessary tools. On Arch/Manjaro run `sudo pacman -Sy aircrack-ng-git` Now that you've got aircrack installed, you can now set your wifi card in monitor mode. Run `ifconfig`. You'll get something similar to the following output `wlan0: flags=4163 mtu 1500\ninet 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255\nether db:3d:4d:b5:ff:12 txqueuelen 1000 (Ethernet)\nRX packets 130672 bytes 152955605 (152.9 MB)\nRX errors 0 dropped 0 overruns 0 frame 0\nTX packets 40063 bytes 8409394 (8.4 MB)\nTX errors 0 dropped 0 overruns 0 carrier 0 collisions 0`" + "contents":"*Introduction*This article is a proof of concept and should show you why it's dangerous to use your phone number as your wifi password. Since the introduction of wifi, people have tried breaking into and exploiting it. WEP an old edition of wifi password security was a very weak method and could be easily broken just by sniffing wifi traffic coming to/from the AP. Since the introduction of WPA security, cracking has become more and more difficult. Although, if you can find the right password, one could potentially crack the login for wireless networks. This is done by sniffing for a specific traffic containing an EAPoL or Extensible Authentication Protocol over Lan. This essentially contains an hashed version of the wifi password. Using this we can then bruteforce the password and crack the password. As found in another article (see references) many people use their phone numbers as their wifi passwords. 
This can make it specifically easy to crack since your phone number is often related to your location through your area code. For example, if I was living in New York City, my area code would be either 212 or 718. If the wifi's password hash was sniffed somewhere in NYC, every phone number could be stored in a file around 200MB in size. With the technology of today, that password would be cracked in a matter of minutes if you used a phone number as your password. *Prerequisits*~Linux~ ~Wifi Card~ ~git~ ~python3~ *Creating a Phone List* In order to create the list of phone numbers you'll need to use a tool that I created. You can grab the files by cloning the repository `git clone https://github.com/RaspberryProgramming/phone-wordlist-generator` Enter the folder by running `cd phone-wordlist-generator` Using this you can generate every phone number in your area code and put it into a file. Replacing AREA with your area code run `python3 main.py --staticnum AREA` You will then find the phone numbers in a file called phones.list *Capturing Wifi Hashes* You might be wondering, how would I even get these password hashes? Theres a simple tool called aircrack-ng that gives you a suite of tools that you'll need. If you're running Ubuntu Linux you can run `sudo apt install aircrack-ng` To install all of the necessary tools. On Arch/Manjaro run `sudo pacman -Sy aircrack-ng-git` Now that you've got aircrack installed, you can now set your wifi card in monitor mode. Run `ifconfig` You'll get something similar to the following output `wlan0: flags=4163 mtu 1500\ninet 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255\nether db:3d:4d:b5:ff:12 txqueuelen 1000 (Ethernet)\nRX packets 130672 bytes 152955605 (152.9 MB)\nRX errors 0 dropped 0 overruns 0 frame 0\nTX packets 40063 bytes 8409394 (8.4 MB)\nTX errors 0 dropped 0 overruns 0 carrier 0 collisions 0`In my case, I'll be using the wlan0 for any sniffing. 
This may be unneccesary, but I'll be killing any conflicting processed by running. `sudo airmon-ng check kill` Run the following to put your wifi card in monitor mode `sudo airmon-ng start wlan0` You should now have a wlan0mon which is the monitor interface for the wlan0 card. If you had something longer like wlx... it may be the same as the original name. Now that you created the monitor interface, you can now start the sniff traffic. You can do this by running airodump. Replace INTERFACE with your monitor interface. The -w argument specifies the filename we'll be storing the capture to. The --output-format argument specifies we want a pcap file. `sudo airodump-ng --output-format pcap -w capfile INTERFACE` After a while, you may start to capture handshakes. There are multiple ways to determine this but the way I'll go over is using aircrack-ng. You may have multiple capture files if you ran the command multiple times, so we'll run ls to find the file. `ls` Look for a file with the extension .pcap. Next, run aircrack-ng with FILENAME as the filename of your capture file `sudo aircrack-ng FILENAME` You should see a list of SSIDs similar to the following output `Reading packets, please wait...\nOpening capfile-02.cap\nRead 370 packets.\n\n # BSSID ESSID Encryption\n\n 1 00:5F:67:FB:48:FC Unknown\n 2 64:05:E4:6A:E1:2A CarPlay_e12a WPA (1 handshake)\n 3 B6:BC:1F:14:72:0B AndroidAP_6374 WPA (0 handshake)\n 4 BC:82:5D:57:FC:AC WiFi Hotspot 4877 Unknown\n 5 C6:D4:38:D1:4A:2A Unknown\n 6 F8:55:CD:67:54:E0 HotspotLftY Unknown\n 7 F8:55:CD:68:0A:1F Truck WiFi Unknown\n\nIndex number of target network ? 1` If you see, we have 1 handshake from CarPlay_e12a. We can then use the wordlist we made before to try to crack the password. Run aircrack with the wordlist argument `sudo aircrack-ng -w phones.list` You can then select the ssid or wifi name with the handshake to start cracking. 
If you have the password you'll see the following message `KEY FOUND: 1839231234`" } ] } \ No newline at end of file
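Review bot: the entire article body lives in one JSON string on a single line, so this hunk folds a typo fix (`cd phone-wordlsit-generator` to `cd phone-wordlist-generator`), a dropped period after `ifconfig`, and several new paragraphs into one `-`/`+` pair that cannot be reviewed piece by piece; consider keeping article text in a separate markdown file (or an array of paragraphs) and referencing it from articles.json. The new text still carries `*Prerequisits*`, `Theres`, `unneccesary` and `conflicting processed` (should be `processes`), and `*Introduction*This article` lacks a space after the heading marker. The pasted `ifconfig` and `aircrack-ng` output includes a MAC address and a list of BSSIDs/ESSIDs captured from nearby networks; redact those or replace them with obviously fake values before publishing. Since the article's stated purpose is to show why a phone number is a weak WPA passphrase, it should close with the recommended alternative (a long random passphrase, and WPA3 where the hardware supports it) rather than stopping at `KEY FOUND`. Finally, the file is committed without a trailing newline (`\ No newline at end of file`); add one so future diffs stay clean.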