Audit of wireless networks. WiFi-autopwner: script to automatically find and audit low security Wi-Fi networks

• Do you have a clear idea of ​​what is happening on your network?
• Can you identify and see exactly what is happening on the network at any given time?
• Do you know how many applications you use, who uses them and for what purposes?
• Do you know how many threats - known and unknown - are attacking your network?

Find out what's really going on in your company's network by swiping free network security audit using Palo Alto Networks Next Generation Firewall. As a result of the audit, you will receive a detailed report on the current state of the network, describing the applications used and the threats identified in the company's network.

Style Telecom has next generation firewalls from Palo Alto Networks available to our Clients for use in a testing program to assess the real level of company security and to test Palo Alto solutions. Our testing program will allow you to use the Palo Alto Networks firewall for 30 days and get a detailed picture of what is really happening on the company's network, what potential network security threats are present and recommendations for minimizing them.

Most of our clients have gone through a network security audit, following which they received an ongoing assessment of the state of network security and now have an idea of ​​​​what applications are used on their network and what risks they carry. The advantage of this audit is that no change in the network architecture is required, the firewall is installed transparently in the client's infrastructure in monitoring mode.

Based on the results of the network security audit, you will receive a report with detailed network traffic analytics, which will consider:

• High Risk Applications. In addition to legitimate software, users have access to cloud applications, remote access applications, malware, online games, etc. In the process of research, we find open cloud storages (Dropbox, Google Drive, Yandex Disk), P2P filesharing (Bittorrent and eMule), TeamViewer, Skype, social networks. Although these applications are not inherently malicious, they are potentially dangerous in terms of degrading network performance and creating opportunities that can be exploited by attackers to compromise network security. The report will provide a detailed analysis of information on the applications used in the client's network.
• Detection of malicious software (viruses, exploits, ransomware). In the majority of network security audits, malware was found. Malware enters the company's network through partner networks, mobile devices, removable storage media, and through Internet channels. If malware is detected, it is worth reviewing network segmentation, access policies, as well as policies for the use of mobile devices and removable media.
• Zero-day malware detection. As part of the testing, the WildFire service is used, which provides heuristic and behavioral analysis of potentially dangerous files in an isolated environment before they are received by company users. The detection of zero-day attacks may indicate a targeted attack on the company and requires a detailed investigation of information security incidents in the client's company.
• Command parsing and remote control request (Command and Control server). Using the Palo Alto firewall and a Threat Prevention subscription, systems infected with malicious code and managed centrally from C&C servers are identified, followed by recommendations for localizing the problem.
• Information by categories of URLs. Uncontrolled web browsing on the Internet exposes companies to additional risk. Often links to web resources serve as sources of threats, lead to data loss and violation of corporate standards. Based on the results of the audit, information will be provided on the most frequently visited category of sites on the Internet by company users.
Also "Style Telecom" offers an additional list of services:
• Consultations on the choice of a firewall system.
• Carrying out ME sizing taking into account the current needs and growth prospects of the company.
• Audit configuration of existing firewalls.
• Optimization of the configured rules existing ME.
• Migrating settings from existing firewalls to new firewalls.
• Assessment of the architecture and configurations of the network infrastructure and existing technical means of information protection.
• Design and implementation of firewall systems of any complexity.
• Maintenance of firewall systems.
With a line of firewalls Palo Alto Networks you can find in our

The information provided in the article is posted to draw attention to common, well-known wireless network security issues and can only be used to analyze and audit the security of your own wireless networks.

Prologue

Wi-Fi is now available in almost every apartment. Invisible threads of wireless channels have entangled megacities and villages, houses and dachas, garages and offices. Despite the apparent security (“how, did I set a password ?!”) savvy dark side IT workers somehow bypass all these protections of yours and brazenly break into your private wireless property, feeling at home there. At the same time, for many ordinary users, this technology remains a mystery, passed from one generation of hackers to another. In the vastness of the network, you can find dozens of fragmentary articles and hundreds of instructions on how to hack Wi-Fi, the sufferers are invited to watch the training video with the selection of the “qwerty123” password, but I have not yet met a full-fledged guide that is called “from and to” on this topic. Which is exactly what I decided to do.

Chapter 1

Let's see why respectable (and not so) citizens are trying to hack a neighbor's Wi-Fi? So, there could be several reasons for this:

1. Free internet. Yes, yes, thousands of schoolchildren back in the era of fido and modem connections about fifteen years ago unsuccessfully searched search engines for that same magical “Internet cracker”, downloading whole tons of trojans and other evil spirits to their personal computers. Free access to the Web was the ultimate dream of an entire generation. Now the situation has changed significantly, cheap unlimited tariffs are available almost everywhere, but having a spare channel in a 24-hour reserve in case your provider suddenly glues flippers together will not hurt anyone. In addition, there are often situations like “look, he has a wider channel than I will have,” which also seems to hint at the usefulness of what is happening.
2. Travelers (and sailors in particular). When Wi-Fi in a hotel costs 5 euros per hour, and communication with the Motherland is needed constantly and preferably in the room and for free, you feel the practical value of broken Wi-Fi more than ever. I don't think it needs too many comments.
3. Sneaking the victim's traffic and subsequent hacking of mail accounts, social networks, asec and other hooliganism. Having a Wi-Fi password in hand, we are able to decrypt all traffic transmitted “over the air”, including authentication sessions on different sites, cookies, and much more tasty stuff.
4. industrial espionage. Currently, office Wi-Fi, quickly set up by a crooked-handed administrator, is for a savvy person just the front door to the organization's LAN, and there you can find oh so many interesting things, from elementary mail sniffing and asec to secret documents in shared folders and file dumps.
5. Pentesting (from the English penetration testing - penetration testing). Pentesters are essentially the same hackers (and often they are), but acting on the order and with the consent of the network owner. Their tasks include checking the security of the network and resistance to penetration from the outside (or disruption of its work from the inside). Considering the cost of such services, it is unlikely that your neighbor will hire such a specialist (unless, of course, he is an oligarch), but among the owners of large and medium-sized businesses who are puzzled by the security of the IT structures of their enterprises, the demand for such services is very high.

Having taken a cursory glance at the entire list of reasons and weighed all the pros and cons, you can safely proceed ... no, not to the practical part and not to water procedures, but first to the theoretical preparation.

Chapter 2. WEP, WPA, HMAC, PBKDF2 and many other scary words

At the dawn of the development of wireless access, back in 1997, British scientists somehow didn’t bother with security issues too much, naively believing that 40-bit WEP encryption with a static key would be more than enough, LOL. But malicious hackers, together with talented mathematicians (our compatriot Andrey Pyshkin was also noted among them, which is nice) quickly figured out what was happening, and networks protected even by a long WEP key of as much as 104 bits soon began to be equated to open ones for some reason. . However, with the development of computer literacy among the general population, it has now become almost more difficult to find a WEP network than an open one, so we will focus on the more common (ie, ubiquitous) WPA/WPA2.

The main misconception of the working class is “I use WPA2, it cannot be hacked”. In life, everything is completely different. The fact is that the authentication procedure (this terrible word means checking that the client is “your own”) of a wireless network client in both WPA and WPA2 is divided into two large subspecies - simplified for personal use (WPA-PSK, PreShared Key, i.e. password authorization) and full-fledged for wireless networks of enterprises (WPA-Enterprise, or WPA-EAP). The second option involves the use of a special authorization server (most often it is RADIUS) and, to the credit of the developers, does not have obvious security problems. What can not be said about the simplified "personal" version. After all, the password set by the user is usually constant (remember the last time you changed the password on your Wi-Fi :) and is transmitted, albeit in a distorted form, on the air, which means it can be heard not only by the one to whom it is intended. Of course, the WPA developers took into account the bitter experience of implementing WEP and stuffed the authorization procedure with various cool dynamic algorithms that prevent an ordinary hacker from quickly reading the password “over the air”. In particular, over the air from a laptop (or whatever you have) to the access point, of course, not the password itself is transmitted, but some digital mess (hackers and their sympathizers call this process a “handshake”, from the English handshake - “handshake”), obtained as a result of chewing a long random number, password and network name (ESSID) using a pair of computationally complex iterative algorithms PBKDF2 and HMAC (PBKDF2 was especially distinguished, which consists in sequentially carrying out four thousand hash transformations over the password + ESSID combination). Obviously, the main goal of the WPA developers was to complicate the life of coolhackers as much as possible and exclude the possibility of quick password guessing by brute force, because for this it would be necessary to calculate the PBKDF2 / HMAC convolution for each password option, which, given the computational complexity of these algorithms and the number of possible combinations of characters in password (and there can be from 8 to 63 of them, i.e. characters, in a WPA password), will last exactly until the next big bang, or even longer. However, taking into account the love of inexperienced users for passwords like “12345678”, in the case of WPA-PSK (and hence with WPA2-PSK, see above), the so-called dictionary attack is quite possible, which consists in enumeration of pre-prepared most frequently encountered several billion passwords, and if suddenly a PBKDF2/HMAC convolution with one of them gives exactly the same answer as in the intercepted handshake - bingo! we have the password.

All of the above matan could not be read, the most important thing will be written in the next sentence. To successfully crack WPA / WPA2-PSK, you need to catch a high-quality record of the key exchange procedure between the client and the access point (“handshake”), know the exact network name (ESSID) and use a dictionary attack, unless of course we want to grow old before we count the brute though all combinations of passwords starting with “a”. These steps will be discussed in the following chapters.

Chapter 3. From theory to practice

Well, having accumulated a fair amount of theoretical knowledge, let's move on to practical exercises. To do this, we first determine what we need from the hardware and what software needs to be loaded into this very hardware.

Even the most dead netbook will fit to intercept handshakes. All that is required of him is a free USB port for connecting the “correct” Wi-Fi adapter (you can, of course, catch it with the built-in one, but this is only if you attack your dorm neighbor, because the weak signal of the built-in adapter and its incomprehensible antenna are unlikely to be able to break through at least one normal concrete wall, not to mention a couple of hundred meters to the victim, which is very desirable to withstand in order not to burn yourself :). A very good advantage of a netbook can be its low weight (if you have to work on the road) and the ability to work on battery power for a long time. To solve the problem of guessing a password, the computing power of a netbook (and a full-fledged laptop) will no longer be enough, but we will talk about this a little later, now we need to focus on the handshake and methods of catching it.

A little higher, I mentioned the “correct” Wi-Fi adapter. Why is he so "correct"? First of all, it must have an external antenna with a gain of at least 3 dBi, preferably 5-7 dBi, connected via a connector (this will allow, if necessary, to connect an external directional antenna instead of a regular pin and thereby significantly increase the lethal distance to the victim), output signal power adapter must be at least 500 mW (or 27 dBm which is the same). It’s also not worth chasing the power of the adapter too much, since the success of intercepting a handshake depends not only on how loudly we shout on the air, but also on how well we hear the victim’s answer, and this is usually an ordinary laptop (or even worse, a smartphone) with all the shortcomings of its built-in Wi-Fi.

Among the warddrivers of all generations, the most “correct” are the adapters from the Taiwanese company ALPHA Network, for example AWUS036H or similar. In addition to alpha, TP-LINK products, for example, TL-WN7200ND, are quite functional, although it costs half as much as alpha, and thousands of models from other manufacturers are similar to each other like two drops of water, since there are not so many Wi-Fi chipsets in nature. and more.

So, we figured out the hardware, the laptop is charged and ready for exploits, and the necessary adapter was purchased in the nearest computer shop. Now a few words about the software.

Historically, the most common operating system on our laptops has been and still is Windows. This is the main trouble of the wardriver. The fact is that most kosher adapters (or rather their chipsets) do not have normal screw drivers supporting vital functions - monitoring mode and packet injection, which turns the laptop into a potential victim, but not a handshake hunter. In fairness, it should be noted that some chips are still supported by the CommView Windows program, which is very popular in narrow circles, but their list is so poor compared to the cost of the program itself (or the remorse of the person who downloaded the cracked version), which immediately completely discourages the desire to do “this” under Windows . At the same time, the solution has been invented long ago, and without prejudice to the health of your laptop - this is a special BackTrack Linux distribution, in which the maintainers carefully packed not only all the Wi-Fi chipset drivers we need with all sorts of tricky functions, but also the full set of utilities of the aircrack-ng package, (which will come in handy soon), and a lot of other useful things.

CommView in action - watched and forgotten like a bad dream

Download the current version of BackTrack 5R1 (hereinafter BT5 or simply BT in general, because we will have to return to this name more than once): www.backtrack-linux.org/downloads/

It is not necessary to register at all, we select the window manager of our choice (WM Flavor - Gnome or KDE), the architecture of our laptop (probably 32-bit), Image - ISO (we do not need any virtual machines), and the boot method - directly (Direct) or through a torrent tracker (Torrent). The distribution is a Live-DVD image, i.e. boot disk, so you can just cut it into a blank and boot, or spend a little more time and calories and make a bootable USB flash drive using this utility: Universal USB Installer (download here: www.pendrivelinux.com). The obvious beauty of the second solution is that you can create a Persistent partition on the flash drive with the ability to save files, which will come in handy in the future. I will not dwell on the very process of creating a bootable USB flash drive, I will only say that it is desirable that its volume be at least 4 GB.

We insert the USB flash drive (disk, or whatever you got there) into the laptop and boot from it. Voila, we have a scary and terrible (and actually terribly beautiful) BT5 desktop! (When it asks for a username and password, enter root and toor, respectively. If the desktop does not appear, give the startx command. If it does not appear again, then it’s not your destiny to work in Linux, smoke BT5 manuals).

BackTrack: Finish him!

So, everything loaded perfectly, we begin to study what we have where. First, let's find our Wi-Fi adapter, for this we open a command line window (Terminal or Konsole depending on the type of window manager) and issue the iwconfig command:

[email protected]:~# iwconfig wlan0 IEEE 802.11abgn ESSID:off/any Mode:Managed Access Point: Not-Associated Tx-Power=14 dBm Retry long limit:7 RTS thr:off Fragment thr:off Encryption key:off Power Management:off wlan1 IEEE 802.11bgn ESSID:off/any Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm Retry long limit:7 RTS thr:off Fragment thr:off Encryption key:off Power Management:off

If you want to better understand which adapter is internal and which is external, issue the ifconfig -a command to see the MAC address of each of the adapters. Great, our adapter is visible as wlan1 (wlan0 is a built-in laptop adapter, you can disable it altogether so as not to interfere). We transfer wlan1 from Managed mode to Monitor mode:

[email protected]:~# airmon-ng start wlan1

and see what happens:

[email protected]:~# iwconfig wlan0 IEEE 802.11abgn ESSID:off/any Mode:Managed Access Point: Not-Associated Tx-Power=14 dBm Retry long limit:7 RTS thr:off Fragment thr:off Encryption key:off Power Management:off wlan1 IEEE 802.11bgn Mode:Monitor Tx-Power=20 dBm Retry long limit:7 RTS thr:off Fragment thr:off Power Management:off

It's time to change the MAC address of our adapter to protect your ass:

[email protected]:~# ifconfig mon0 down [email protected]:~# macchanger -m 00:11:22:33:44:55 mon0 [email protected]:~# ifconfig mon0 up

Just great, but why is the TX-Power (transmit power) only 20 dBm? Do we have a 27 dBm adapter? Let's try to add power (the main thing here is not to overdo it):

[email protected]:~# iwconfig wlan1 txpower 27 Error for wireless request "Set Tx Power" (8B26) : SET failed on device wlan1 ; invalid argument.

And here we are comprehended by the first disappointment - it is impossible to set the power more than 20 dBm! This is prohibited by the laws of many countries, but not Bolivia! It would seem that Bolivia has to do with it, but:

[email protected]:~# iw reg set BO [email protected]:~# iwconfig wlan1 txpower 27

… and everything is going smoothly, Bolivia has helped us a lot, thanks to her for that.

What do we have at this stage? Our powerful Wi-Fi adapter is set to maximum power in monitor mode and waits for orders on the mon0 interface. It's time to look around and listen to the broadcast. It's very simple:

[email protected]:~# airodump-ng mon0

Now all eyes are on the screen!

Circled in red is a network with WEP - a rarity these days

In the upper left corner you can see how the channels are scanned (if you need to fix the channel, you need to call airodump-ng with the --channel key<номера каналов через запятую>), then there is a table of found networks indicating (from left to right): BSSID (MAC address of the network), signal reception level in dBm (depends on the sensitivity of the receiver, on good adapters -80 dBm is quite a normal level), the number of received Beacon frames ( these are broadcast packets that carry information about the network), the number of received data packets and the reception rate (packets per second), the channel on which the access point broadcasts, the speed of the access point in megabits, the type of authentication (OPN - open network, WEP, WPA, WPA2) , type of encryption, magic letters PSK in the case of WPA / WPA2 (details are described above in Chapter 2) and, finally, the name of the network, that is, its ESSID.

Just below the main table is a table of current associations of clients to outlets. Looking ahead, I note that it is also important, since it can be used to determine the activity and MAC addresses of clients for their subsequent deassociation.

It follows from the picture above that we have something to catch - there are access points and clients with a good signal. It remains to choose a victim (so that the file does not swell too much, you can write packets from only one access point by giving the --bssid switch or limiting the channels as indicated a little higher) and give the command to write packets to the file by adding the -w switch to the call<префикс названия файла>. Important: if you booted from DVD, you need to record the file with packages to an external flash drive or hard drive, after mounting them with the mount command:

[email protected]:~# mkdir /mnt [email protected]:~# mount /dev/sda1 /mnt [email protected]:~# cd /mnt

where / dev / sda1 is the device file of the external flash drive (in your case, you can find where the flash drive is picked up by digging in the output of the dmesg command).

For example, let's run airodump-ng to write packets from only one network from the list to the testcap.cap file:

[email protected]:~# airodump-ng --bssid a0:21:b7:a0:71:3c -w testcap mon0

Now you can pour a cup of coffee and chew on a sandwich, waiting until the next client wishes to attach to the access point and give us the coveted handshake. By the way, after receiving a handshake, a warning message will appear in the upper right corner: WPA handshake: A0:21:B7:A0:71:3C. Everything, the job is done, and you can move on to the next chapter.

When all the sandwiches are eaten up, the coffee is no longer coming out and the handshake is still missing, a bright thought comes to mind that it would be nice to hurry the client with the handshake. To do this, the aircrack-ng package includes a special utility that allows you to send clients requests to deassociate (disconnect) from the access point, after which the client will want to connect again, and this is exactly what we are waiting for. This utility is called aireplay-ng and you need to run it in a separate window in parallel with the launch of airodump-ng so that you can record the results of your work at the same time. We start the unassociation:

[email protected]:~# aireplay-ng --deauth 5 -a a0:21:b7:a0:71:3c -c 00:24:2b:6d:3f:d5 wlan1

where it is obvious that we are conducting 5 sessions of deassociation of the client 00:24:2b:6d:3f:d5 from the access point with BSSID a0:21:b7:a0:71:3c (we took the client address from the bottom airodump-ng association table, you can not specify it at all, then the deassociation will be carried out by a broadcast request, which is not as efficient as we would like).

After carrying out such a procedure (and nothing prevents us from repeating it one more time just in case), the probability of catching a handshake increases significantly.

Now the most important thing. Everything described above has been described for educational purposes only. And all because the aircrack-ng package includes such a wonderful utility as besside-ng, which automatically does all the above operations, hacks WEP itself and saves WPA handshakes in a separate file. Running this utility is simple to disgrace:

[email protected]:~# besside-ng mon0

And it's all! Having given this magic command, now you can just sit and watch the results of her vigorous activity, rejoicing for all the arriving and arriving handshakes (they are saved to the current folder in the wpa.cap file, and the log is written to the besside.log file). Passwords from WEP networks cracked by besside-ng can also be found in its log.

Well, as a result of the gigantic work done, we have accumulated *.cap-files containing handshakes and we can safely move on to chapter four. But let's still see what we caught and evaluate the quality of handshakes.

You can quickly assess whether there are handshakes in the file with the simplest call to aircrack-ng:

aircrack-ng<имя файла>

If there is a handshake, aircrack-ng will show the BSSID, ESSID and the number of handshakes for each network:

aircrack-ng sees the linksys handshake, bro

However, I mentioned above that aircrack-ng can only evaluate the presence of a handshake, and this is no accident. The fact is that aircrack-ng does not have a good EAPOL parser and can easily show the presence of a handshake where it does not exist (or, more precisely, it exists, but is not working). Let's dive deeper into the EAPOL packets using Wireshark (for lazy and not too curious readers, you can skip your precious time and skip to Chapter 4).

Open our *.cap file in Wireshark and set the expression

(eapol || wlan.fc.type_subtype == 0x08) && not malformed

as a filter to see only the packages of interest to us among the pile of garbage.

Here they are, handshakes

So what do we see? The first packet on the list is the Beacon frame, which carries information about the wireless network. It is there and indicates that the network is called 'dlink'. It happens that the Beacon frame is not in the file, then in order to carry out an attack, we must know the ESSID of the network for sure, and taking into account the fact that it is case-sensitive (yes, 'dlink', 'Dlink' and 'DLINK' are three different ESSIDs!) and , for example, may contain spaces in the most unexpected places, such as at the end. In this case, setting an incorrect ESSID for the attack is doomed to failure - the password will not be found even if it is in the dictionary! So the presence of a Beacon frame in the handshake file is an obvious plus.

Next in the file are the key EAPOL packages, of which the handshake itself consists. In general, a full-fledged EAPOL handshake should contain four consecutive packets, from msg (1/4) to msg (4/4), but in this case we were not too lucky, we managed to intercept only the first two pairs consisting of msg (1/4) and msg(2/4). The beauty is that it is in them that all information about the WPA-PSK password hash is transmitted and it is they that are needed to carry out the attack.

Let's take a close look at the first pair of msg(1/4) and msg(2/4) (circled in red box). In them, the access point (Station) 02:22:B0:02:22:B0 sends a random number ANonce to the client (Client) 00:18:DE:00:18:DE in the first packet of the EAPOL handshake and receives back SNonce and MIC, calculated by the client based on the received ANonce. But pay attention to the time gap between msg (1/4) and msg (2/4) - it is almost a whole second. This is a lot, and it is quite possible that the msg (1/4) and msg (2/4) packets refer to different handshakes (which will definitely lead to the impossibility of guessing the password even if it is in the dictionary), and not having msg control packets in the interception ( 3/4) and msg (4/4) it is impossible to check this. Therefore, the first handshake has a very dubious quality, although it looks quite valid.

Fortunately, in this case we have another pair of packets msg (1/4) and msg (2/4) with a time gap of only 50 milliseconds between them. This most likely indicates that they belong to the same handshake, so we will choose them for the attack. Mark the Beacon frame and these packets by clicking the right mouse button and selecting Mark packet (toggle) and save them to a new file by selecting the ‘Save As...’ menu item and not forgetting to check the Marked packets box:

Let's keep our hard-earned money!

In conclusion of the chapter, I want to note that it is still recommended to use “full-fledged” handshakes for the attack, having a Beacon frame and the entire sequence of EAPOL packets from the first to the fourth. To do this, your Wi-Fi equipment must “hear” both the access point and the client very well. Unfortunately, in real life this is not always possible, so you have to make compromises and try to “revive” half-dead handshakes manually, as was demonstrated above.

Chapter 4. From Handshake to Password

An attentive reader has long understood that cracking WPA, even with a handshake and direct hands of the attacker, is akin to a lottery, which is organized by the owner of the access point, who assigns a password. Now, having a more or less high-quality handshake in our hands, our next task is to guess this very password, i.e. basically win the lottery. It’s a no brainer that no one can guarantee a favorable outcome, but inexorable statistics show that at least 20% of WPA networks are successfully hacked, so don’t despair, get to work, friends!

First of all, you need to prepare a dictionary. A WPA dictionary is a plain text file containing one possible password per line. Given the WPA password requirements, possible passwords must be at least 8 and no more than 63 characters and can only consist of numbers, upper and lower case Latin letters, and special characters like [email protected]#$% etc. (by the way, such an alphabet is considered quite extensive). And if everything is clear with the lower limit of the password length (at least 8 characters and a dot), then with the upper one everything is not so simple. Cracking a 63-character password in a dictionary is a completely stupid exercise, so it's perfectly reasonable to limit the maximum length of a password in a dictionary to 14-16 characters. A high-quality dictionary (for which the success rate of 20% is given) weighs more than 2 GB and contains about 250 million possible passwords with a length of 8-16 characters in the specified range. What should be included in these combinations of possible passwords? First, unambiguously, the entire eight-digit numeric range, which, according to statistics, accounts for almost half of all disclosed passwords. After all, various dates fit perfectly into 8 digits, for example, 05121988. A full digital eight-digit has 10 ^ 8 = 100 million combinations, which in itself is quite a lot. In addition, the wardriver’s combat dictionary must necessarily include the words most often used as passwords, for example, internet, password, qwertyuiop, names, etc., as well as their mutations with popular password extension suffixes (the sole leader in this area is of course the suffix 123). Those. if diana's password is too short to be WPA compliant, a resourceful user will in most cases pad it to diana123, thus increasing (in his experienced eye) the password's security. Several dozens of such popular suffixes are also known.

If you build a dictionary on your own, you can google the wpa wordlist keywords and download a ready-made dictionary (don't forget about targeting, because it would be rather naive to hope for success by chasing a Chinese handshake through a Russian dictionary and vice versa) or look for a suitable one in this thread.

and this is how you can use crunch to create different combinations of basic words

Having prepared some kind of dictionary (let's call it wordlist.txt for clarity), we proceed directly to the selection of a password. Run aircrack-ng with the following options:

[email protected]:~# aircrack-ng -e -b -w wordlist.txt testcap.cap

Hooray! Dictionary password found in 3 seconds! (If only it were that easy...)

In the screenshot above, aircrack-ng found the password (which was the word dictionary) in just 3 seconds. To do this, he tried 3740 possible passwords at a rate of 1039 passwords per second. Everything would be fine, but here the attentive reader should pretty tense up, because earlier we talked about a dictionary of 250 million possible passwords! Quick calculation 250 * 10 ^ 6 divided by 1039 and we get ... about 240 thousand seconds, which is 66 hours, which is almost three days! That is how long it will take your laptop to calculate the basic 2GB dictionary (unless of course you are lucky and the password is not found somewhere in the middle of the process). Such gigantic time intervals are dictated by the low speed of calculations, due to the high computational complexity of the algorithms embedded in the WPA authentication procedure. What can we say about large dictionaries, for example, a full digital nine-digit already contains 900 million combinations and will require a couple of weeks of calculations to make sure that (at least) the password is not found :)

Such a loser situation could not but disturb the inquisitive minds of hackers, and soon a way out was found. GPUs were used for streaming computing. The GPU (Graphic Processing Unit) is the heart of your 3D accelerator, a chip with hundreds (or even thousands) of stream processors that allows you to distribute numerous but elementary password hashing operations and thereby speed up the brute force process by orders of magnitude. In order not to be unfounded, I'll say that the overclocked ATI RADEON HD 5870 is capable of reaching a speed of 100,000 passwords per second, and this is already a tangible (by two orders of magnitude) leap forward compared to aircrack-ng.

Monster ATI RADEON HD 6990 - 3000 shaders, 165.000 WPA passwords per second. Who is bigger?

Of course, such numbers are typical only for top-end ATI RADEON adapters (NVIDIA with its CUDA technology frankly outperforms ATI in terms of WPA brute force due to the obvious architectural advantages of the latter). But you have to pay for everything, a good adapter costs good money, and it eats a lot of energy. In addition, you need to carefully monitor the overclocking and cooling of the GPU, not succumbing to the provocations of true gamers who drive their adapters until artifacts appear on the screen. After all, for them, artifacts (and in fact, hardware errors of GPU calculators due to operation at extreme frequencies) are only fleeting garbage on the screen, and for us they are fraught with a missed password.

As part of the article for beginners, I will probably not delve into the wilds of setting up the ATI SDK and pyrit for Linux (I will only note that this is still the same sekas :)), because. this is quite enough for a separate article (of which there are many on the Internet), and the target audience, namely the happy owners of top radeons, is not so great, and they can easily find the necessary material on their own.

Paradoxically, GPU-assisted WPA password guessing is best suited to Windows. The fact is that video adapter drivers play a significant role in this process, the Windows versions of which developers pay much more attention to than drivers for Linux and other operating systems, and this is no coincidence, because they are mainly focused on the needs of gamers. Two programs can do WPA password selection under Windows - the commercial Elcomsoft Wireless Security Auditor (or simply EWSA) and the hashcat-plus console utility from the hashcat by Atom package (to the general delight of Windows users, there is also a GUI for it, but simply speaking, a separate window interface). We will consider the use of these particular programs below, and at the same time compare their qualitative characteristics, and specifically it will be the enumeration speed that each of them will develop under equal conditions, namely on the same computer with the same drivers and one and the same vocabulary.

You need to start by finding and installing the latest drivers for your video card (or at least make sure you already have the latest version installed). Adherents of green video adapters should visit www.nvidia.com, while red ones go the old fashioned way to www.ati.com, where you can select your GPU model from the list and download drivers for your version of Windows. I will not pay much attention to the procedure for installing drivers, probably you have already done this before, and more than once.

EWSA can be found (and purchased) on the developer's website - www.elcomsoft.com, just keep in mind that the free trial version is rumored not to show the found password. Installing and configuring EWSA should not cause much trouble, you can immediately select the Russian language in the menu, in the GPU settings make sure that your GPUs are visible to the program and are checked (if the GPUs are not visible in the list, you obviously have a problem with the drivers), and also indicate program your dictionaries in the dictionaries settings.

Harnessing all the horses...

Click “Import data -> Import TCPDUMP file” and select the *.cap file with the handshake (the program will check them and offer to mark those that we want to attack), after which you can safely press “Launch attack -> Dictionary attack”:

EWSA otakue (what a speed...)

In this test, EWSA showed a speed of only 135,000 passwords per second, although based on the hardware configuration, I expected to see a figure of at least 350 thousand.

Let's compare the work of EWSA with its truly free competitor - hashcat-plus. Download the full set of hashcat-gui (which already includes the console hashcat-plus) from the author's website and unpack the archive to a convenient location (no installation required). Run hashcat-gui32.exe or hashcat-gui64.exe depending on the bitness of Windows and answer the first question which GPU we will use - NVidia (CUDA) or ATI RADEON (CPU only option will obviously not suit us).

When the main program window appears, go to the oclHashcat-plus tab (or cudaHashcat-plus in the case of NVidia). There is one subtlety here - hashcat cannot parse EAPOL handshakes (not at all), and requires you to put WPA hashes on a silver platter in its own *.hccap format. You can convert a regular *.cap to *.hccap using the patched aircrack-ng utility, but don't download BT again for the sake of such a trifle! To our general joy, the hashcat developer has made a convenient online converter, just upload your *.cap file with a handshake there and specify the ESSID, if there is a handshake in the file, *.hccap will be returned to you ready for the attack.

We move further - we indicate to the program our * .hccap file as a Hash file for the attack, add dictionary files to the Word lists window (you can set the desired order of their passage with the arrows), select WPA / WPA2 as the Hash type and click on Start.

A console window should appear with the launch of the selected version of hashcat-plus with a bunch of parameters, and if everything is in order, the utility will start working. During the calculation, you can display the current status on the screen by pressing the 's' key, suspend the process by pressing 'p' or interrupt the process by pressing 'q'. If hashcat-plus suddenly finds a password, it will definitely acquaint you with it.

The result is 392,000 passwords per second! And this is in very good agreement with the theoretical implied speed, based on the system configuration.

I am not a strong supporter or opponent of EWSA or hashcat-plus. However, this test convincingly shows that hashcat-plus scales much better when using multiple GPUs at the same time. The choice is yours.

Chapter 5

Section under construction...

Chapter 6. The main myths and misconceptions of Wi-Fi users

The first misconception is “Why put a password on Wi-Fi, I still have unlimited, let people use it.”

Just do not forget that in an open network all your traffic is visible from the outside (including all sorts of interesting points), in addition, you can then get tired of giving evidence to people in uniform when someone writes something, and even from your IP. I hope these reasons are already quite enough to put a password on your Wi-Fi.

The second misconception is “I use WPA2, it cannot be hacked”.

We have already discussed this issue in Chapter 2, but it will not be superfluous to repeat it again. WPA-PSK and WPA2-PSK have the same authentication algorithms, the only difference is that WPA2 implements a more secure AES traffic encryption algorithm instead of the problematic TKIP. Therefore, the password is cracked in the same way for WPA-PSK as for WPA2-PSK. So if you don't want to be hacked - use WPA2, put all your imagination into a long random password or set up a RADIUS server. Dot.

Misconception three - "I set up a filter by poppy address on the router, now no one can connect to it except me."

Yes, just don't forget that your MAC address lights up in every packet you send and, accordingly, is visible to the sniffer. And nothing will prevent an attacker from assigning your MAC address to his adapter, wait until you leave the network and connect (provided that he has already calculated the password in advance). In addition, a more perverse way is also possible, it can eavesdrop on your HTTP basic authorization session when you enter the admin panel of your router (and the password to the admin panel is transmitted in plain text without encryption), and then simply add a couple more MAC addresses to the table permitted.

The fourth misconception - “And I hid my network by turning off SSID Broadcast in the router settings, now you definitely won’t hack, you don’t know the name of my network.”

This method (namely, disabling the transmission of broadcast Beacon frames by the router advertising the capabilities of your wireless network) would be just perfect protection (I remind you that in WPA the ESSID of the network, along with the password, participates in the hashing procedure, and by hiding the ESSID you would disarm the hacker), if not one "but". For a better understanding of this “but”, let's use a real example to set up a “hidden” network on the router (let's call it MyHiddenNetwork for example) and connect to it. To connect to a “hidden” wireless network in Windows, you need to create its profile, where you will have to specify all its parameters - network name, security type, password. Wait, what's with the weird postscript in the screenshot below?

Now let's connect to our "hidden" network and see what happens on the air:

Interesting, right? The client tries to find the router using its so securely “hidden” ESSID with a Probe request, and it reciprocates! Not only is the ESSID visible at a glance, besides, wherever you are, your laptop will constantly hammer Probe requests on the air, telling everyone around you that you are the happy owner of a connection to the “hidden” network MyHiddenNetwork. That's how safe it is, bro.

Fifth misconception - “Soon I will have WPA Rainbow Tables 34Gb downloaded and I will crack any WPA without any GPU.”

Rainbow Tables are not a new hack or replacement for the GPU. Rainbow tables just save a little time and electricity by writing the results of calculating the ESSID+password folds for all passwords in the dictionary to a file or database on your hard drive. The size of such a file (with the appropriate dictionary) turns out to be quite decent, and it must be generated for each ESSID. Therefore, the use of rainbow tables makes sense only for handshake pipeline processing, and even then only for the top ten, hundreds, thousands of popular ESSIDs (underline as necessary depending on the size of your disks). The profit from rainbow tables is in the speed of calculations (ten times higher than calculating on the GPU). But the password should still be in the dictionary, there's no getting around it.

Instead of an epilogue

I did not set the goal of my article to prepare a super-professional in hacking wireless networks from an ordinary reader and thereby causing irreparable damage to the national economy of the country. Those who need it can find all the necessary information on the Internet themselves. Rather, the purpose of the article was to draw attention to common (albeit long known) security problems in wireless networks. Please use the information received only for its intended purpose - to check the security of your own networks and nothing else.

On codeby.

Main Wi-Fi security audit trends in 2018 ​

Types of attacks on Wi-Fi networks:

• pixie dust
• Wi-Fi Protected Setup (WPS)
• Evil twin
• handshake cracker

pixie dust

Hidden from guests

Hidden from guests

Programs:

Hidden from guests

Hidden from guests

Hidden from guests

Hidden from guests

Helpful information:

Hidden from guests

Hidden from guests

Hidden from guests

Wi-Fi Protected Setup (WPS)

The problem was found in the communication between the routers and the new device connecting to it. An attacker who wants to hack the access point sends a PIN code for authorization in the wireless network. If the PIN is not correct, then in response he will receive an EAP-NACK. Based on this, we can get the first half of the PIN code, and the second half of the code can be obtained by analyzing the checksum that is calculated from the first half. All this brings us to the brute-force attack. This attack is likely to succeed, since the number of attempts we need is reduced from 10^8 to 10^7.

WPS hacking scheme for brute force methods

This attack can be carried out much more often than the previous one, on average, in practice, there are 30% - 40% of routers with wps enabled (but since the developers also do not sleep, security measures were taken that made our life more difficult, namely, they added timeouts after several incorrect connection attempts. But still there are routers where there is no blocking). When using this attack, you can get the password from the access point in 4 - 5 hours, but it happens that the search can take up to 10 hours.

This attack requires a chipset compatible with

Hidden from guests

Hidden from guests

The best compatibility of these programs with the chipset brand Atheros.

Programs:

Hidden from guests

Hidden from guests

Hidden from guests

Helpful information:

Hidden from guests

Hidden from guests

Hidden from guests

Evil twin

This attack is based on social engineering, in Runet it sounds like an evil twin. The implementation of this type of attack occurs in two stages. First, we must carry out a dos attack on the victim's access point, and second, create a copy of the attacked access point. Thus, the victim will lose wi-fi, due to a dos attack, and only our access point will be visible in the network lists. After a short wait, the victim himself will press the connection to our point, and there a prepared page will already be waiting for you to confirm your identity to access the Internet or update the router firmware for further access to the Internet. In fact, at this stage, everything is limited only by your imagination. In 80% it does, but it often happens that the victim can jump off if the attack does not last long enough and is not stable.

Fake page example

I prefer to use fluxion for this attack. In my opinion, it works more stably than some similar software. For fluxion, it is better to make your own phishing pages, since those that are available are not suitable for the CIS countries or are generally outdated, which can only alert the victim or even scare them away. An article on creating your projects under fluxion will be below.

Programs:

Hidden from guests

Hidden from guests

Helpful information:

Hidden from guests

Hidden from guests

handshake cracker

This method is quite ancient but effective and is suitable for any access point, since they all allow you to get a handshake. A handshake can be obtained when a user who knows the correct password connects to a wireless access point. After the handshake has been received, we will sort through the passwords in the dictionary and if we are lucky, we will get the password.

This method in most cases works with a bang, but as you guessed, the biggest disadvantage of this attack is the dictionary and computing power of your PC (if the password is complex, it is difficult to crack the access point using this method). According to statistics, most of the routers installed in the apartment have a numeric password, which guarantees us a successful hack.

If you have a good video card, then you can connect it to the brute force and thereby increase the speed of password guessing. Personally, I don’t have such an opportunity, since I have a MacBook main machine + I also don’t really like to spend a lot of time searching and loading a laptop for the sake of a simple access point, and fortunately for people like me there is a service that will do it for us much faster than if I sorted out passwords at myself. On the

Hidden from guests

You can crack a password for as little as $2. The last time I sorted out the password through this service, it took me about 2 minutes (the password was numeric).

Programs:

Hidden from guests

Hidden from guests

windows/linux

Helpful information:

Hidden from guests

Hidden from guests

Adviсe:

For a successful audit, you will need the right wifi adapter with the right chipset. You can read about models of such adapters

Hidden from guests

After you have chosen a model, do not rush to buy immediately. Read in detail about the chipset that is installed in the adapter, for example, on the forum

Hidden from guests

If there are no problems with it or those that are solvable, then you can take it (if in doubt, it’s better to get the opinions of other users on the forum that relate to the subject of wardriving). I myself use Alfa AWUS036NH and TP-LINK TL-WN722N v1.

Also keep in mind that the adapter will not solve all your problems. In order not to stand under the door of a neighbor for the sake of a good signal, you still need a normal antenna. I myself use a 9 dBi omnidirectional antenna and a 16 dBi Yagi directional antenna. The first option is most often used when I just need to hack wi-fi to use the Internet, and the second option is when it is aimed at a specific victim. A good signal is the key to a successful hack

Don't forget to enlarge

Hidden from guests

When attacking, if your adapter allows it, and also try

Hidden from guests

.

For WPS hacking, the Atheros chipset is well suited as it works well with reaver or bully. Rialink chipsets for attacks on WPS do not perform very well, especially in the reaver program, with bully Rialink seems to be friendly but not always, you can’t do without dancing with a tambourine, but a tambourine does not always help (so you need to take this moment into account too).

Alfa adapter can be purchased on the site

Hidden from guests

There were no problems with this site, I bought it myself. Good news for those who do not live in Russia, this store delivers to other countries (before taking a thoughtless alfa adapter, read about all the minuses and pluses of the chipset that is there).

802.11 network security audit

Personal opinion:

In my opinion, these are 4 main types of attacks to obtain a password to a wireless access point at the moment. The article does not list all the programs that you can use, but only the main ones for implementing a particular method. I hope for someone the article was useful and I did not waste my time.

The attached links may be repeated, but this is because the material presented can relate to several methods of attack (links from other resources do not relate to the PR of these very resources - I attached them because the material is presented there in an acceptable and readable form for me).

Before using programs for mass wi-fi hacking where there is only one button, learn how to use those that I attached to the article. If you do not understand how they work, then you cannot understand why frameworks do not work at some points or fall off when hacked. And also initially carry out attacks in laboratory conditions (at home on your router in order to learn the material and understand what is happening in general)

Last edit: 03/13/2019

Bidjo111

red team

14.11.2017 199 73

Wouldn't it be two

In my opinion, it is still necessary to pay attention to the revision of the chipset. You can take an adapter from the list with a chipset from the list, but you can’t guess with the revision ... I took two 036NH, one Chinese, one from Dalradio, both have the latest revision chipsets, which negatively affected the WPS brute process in both bully and reaver. Although for evil twin they fit perfectly.

proven

red team

19.01.2018 163 384

Thanks for the review, it really matters. I really hope that soon it will be possible to add KRACK to the list ...

Wouldn't it be two TD listed? It's just that it will be impossible to connect to one, and the client, in despair, will connect to another with the same name. And then, I saw the same names only on the phone, and in Win10, for example, the number 2 is added to the name. Well, the wifi icon without a lock ...

In my opinion, it is still necessary to pay attention to the revision of the chipset. You can take an adapter from the list with a chipset from the list, but you can’t guess with the revision ... I took two 036NH, one Chinese, one from Dalradio, both have the latest revision chipsets, which negatively affected the WPS brute process in both bully and reaver. Although for evil twin they fit perfectly.

P.S. If WPS brute or PixieDust is not working well for someone, try both techniques on RouterScan. In my case, when I already thought that APs are invulnerable to brute and pixie, or adapters do not work well, running from under win RS worked perfectly with all adapters ...

Recommend compact directional proven alpha antenna. In the Alf format at 7db, but a little more powerful ...

Nowadays, people change smartphones every year or even more often. KRACK attack does not work on Android devices with firmware 6.0 and higher, I think it’s not worth talking about IOS because they are all updated at once - in connection with this attack is no longer relevant and it does not apply to getting flogged. Here is the list of patches:

It's good that you raised the issue of the evil janitor. The fact is that if you have a weak signal when attacking an access point, then the original network will break through. It can also be visible immediately until the list of wifi points is updated, but the victim, after he sees that a disconnect has occurred and cannot connect to his point, usually updates the list several times and her original point disappears (the lock is not a problem because of a connection failure the victim, who is not aware of this issue, refers to a router glitch and tries to connect back to his point). I will not dissemble on Windows did not spend in test conditions. Today I will check and give an answer about venda (everything works fine with Android, IOS).

I can’t advise a small directional antenna, since I don’t have to say that it would be quite small) And I haven’t seen such compact ones live. You can search on alik, I think there will be something similar. I want to try to make my own compact directional antenna. If everything works out then I will describe the creation process.

Last edit: 02/07/2018

Bidjo111

red team

14.11.2017 199 73

red team

19.01.2018 163 384

Regarding KRACK, I don’t think that homeusers who sit under win7, or even winXP, will take care of OS patches and flashing their routers in time. So the technique will certainly find its purpose, albeit at such a level. Out of 12-15 networks, 4 succumbed to PixieDust, I'm not talking about the fact that 4 out of 4 have access to the admin / admin router admin panel ...

Regarding the evil janitor) To whom are deauthentication packets sent? Do I understand correctly that in order to avoid the appearance of two identical SSIDs at the target, I can simply increase the power of the adapter itself without any antennas ...? especially since I can set up to 2 watts
By the way, when I tried it at home, the router with the Internet was in another room, and the adapter was deauthentic. right next to the computer ... and still you could see 2 ssidas ...

And yet, tell me how to create your fake page for fluxion?

The KRACK attack will not help you get the password from the access point directly, which means it does not apply to this article and in fact there is no point in hacking a device with the win7 and winXP operating systems, since these are people of no value in most cases.

Regarding the Evil Twin section. The article needs to be redone a bit, please give the admins the opportunity to correct the material.With a more in-depth study of this topic and testing, the results were as follows. On a Mac OS system, the access point attacked by means of a dos attack disappears and our janitor appears. On an Android device, if the point was saved, you can see the point that was saved and the point of the double, but if the user is new and the point is not yet saved, then he saw only ours during the attack. As for Linux (Ubuntu) and Windows, you can see two access points, but you can’t connect to the original one, since an attack is directed at it. Despite such mixed results, it still does not prevent the user from being hacked in a stable attack (since curiosity takes its toll in conjunction with a well-implemented phishing page). I want to add that it is better to carry out such an attack not on a laptop, but, for example, on disassemble it, since it can be left, for example, for a day and wait for the result.

Last edit: 02/08/2018

red team

30.12.2017 425 871

red team

19.01.2018 163 384

With rapsberry, it’s not quite a way out, because you need control over ongoing events. One small bug in the script and a day of idle. Range issues are resolved, in particular, by raising the power of the adapter and pointing the directional antenna towards "our" point. Thus, you can hang clients at a very decent distance.

As for the disassemble, I do not quite agree, since you can add a 3g modem and then control the process remotely. If you get confused and put this attack on stream, then in case of failures, you can start the attacks again + add a notification via a telegram bot to your phone. This is not about power at the moment, but about the fact that different operating systems react to this attack in different ways. Even if the user is suspicious and does not act immediately, and the attack is stable and long enough, it is most likely that he will be caught.

red team

30.12.2017 425 871

As for the disassemble, I do not quite agree, since you can add a 3g modem and then control the process remotely. If you get confused and put this attack on stream, then in case of failures, you can start the attacks again + add a notification via a telegram bot to your phone. This is not about power at the moment, but about the fact that different operating systems react to this attack in different ways. Even if the user is suspicious and doesn’t act immediately, and the attack is stable and long enough, it is most likely that he will get caught.

Too much, but in the scheme, yes, you correctly noticed that you can control it through a 3g modem. The longer the chain, the more likely it is to leak somewhere. I said about power because you can get a network without leaving your home. And if the network is in the corporate segment and needs to be hacked, then such a bookmark in the form of a rapsberry will be found very quickly. Provided that there are no boobies sitting there

red team

19.01.2018 163 384

Too much, but in the scheme, yes, you correctly noticed that you can control it through a 3g modem. The longer the chain, the more likely it is to leak somewhere. I said about power because you can get a network without leaving your home. And if the network is in the corporate segment and needs to be hacked, then such a bookmark in the form of a rapsberry will be found very quickly. Provided that there are no boobies sitting there

There can be no question of a corporate network with this attack, unless a specific employee is forged at his home (and again, then you can use it). I have now given an example with disassemble, since the laptop is always with me and at home I leave it extremely rarely, but for such an attack, disassemble can be left at home and the laptop should not be occupied with this process.

I agree that there is a lot in my theory now, but about getting notifications when something went wrong. But if the hands reach to finally write a similar software based on fluxion, I already thought about how to add this functionality.

p.s. In general, this attack should be carried out when, to put it mildly, other 3 methods have spilled, unless of course this is Petya's ordinary neighbor) then there is nothing to worry about.

red team

30.12.2017 425 871

We misunderstood each other) I was trying to understand why we need rapsberry if we get a network for home use, because this is all done without leaving home. I just have a few laptops and your circumstances did not arise))

lecudug

xls

well-known member

29.12.2016 144 67

Current Wi-Fi Hacking Methods for 2018 ​

Good day forum users.

I want to start this article with a preface. Once upon a time, when it was still easier, I tried to hack wi-fi, but since I was still very young + I really didn’t have the necessary equipment and knowledge of English. With all this, without understanding, I stupidly copied and pasted some commands into the terminal and waited for a miracle. At that time, of course, nothing happened to me and I scored. Not so long ago, I again decided to raise the issue of methods for hacking wireless wi-fi networks. When I started reading about hacking methods, it turned out that there are a lot of articles and it’s not clear which method to use + most of them have already been written like a couple of years ago or even more. In this regard, it is not clear what is relevant from all this. Then I decided to dive into this issue with my head and still understand what's what and also analyze what is generally relevant at the moment and what has already been forgotten and deduce for myself a more or less stable scheme for attacks. After I tried most of the wifi hacking methods, I decided to write an up-to-date article so that others know which way to go when studying this topic. And so I finally got together and wrote this article. This preface ends and we proceed!)

I took out for myself 4 main wi-fi hacking methods that are relevant at the moment. I will tell you about each of them separately so that you have an understanding of what is happening, I will also attach links to material and programs for implementing these attacks under each method. At the end of the article I will share some tips and personal opinion about all this.

Wi-Fi Hacking Methods:

• pixie dust
• Wi-Fi Protected Setup (WPS)
• Evil twin
• handshake cracker

pixie dust

The problem with this vulnerability is the generation of random numbers E-S1 and E-S2 on many devices. If we manage to find out these numbers, then we can easily get a WPS pin, and the most wonderful thing is that these numbers are used in the cryptographic function to protect against WPS pin selection.

This attack is still relevant, but the catch is that there are already very few devices that are affected by this vulnerability (personally, I’m not at all lucky and I only came across a couple of dots with this vulnerability all the time). But if you are lucky with such an access point, hacking will take place in a couple of minutes.

This attack requires a chipset compatible with

Hidden from guests

Hidden from guests

The best compatibility of these programs with the chipset brand Atheros.

Programs: