Hacking wireless by monitoring
Last updated
Last updated
Hello Hackers 👋
In this write-up, I described how I was able to hack into a wireless network and bypass the MAC filtering as well as bypass router login without having to crack a huge password list.
⚠️ Disclaimer: The following content is provided for educational purposes only. It is not intended to serve any malicious activity without having permission from the competent authorities
Wireless networks are widely used nowadays, and their security is one of the major concerns of network administrators. A wireless network's security is based on various factors, including the type of authentication and encryption used. One widely used authentication method is the Pre-Shared Key (PSK) authentication method, which uses a password or a passphrase to authenticate the users. However, in this write-up, I have shown that PSKs can be leaked within wireless probes, which can be a significant security concern.
The 4-way handshake is a security protocol used in Wi-Fi networks to establish a secure connection between the wireless client and the access point. The 4-way handshake is performed when a wireless client attempts to connect to a Wi-Fi network that uses WPA/WPA2 or WPA3 security protocols.
The 4-way handshake process involves the following steps:
The wireless client sends a connection request to the access point (AP) and requests a Pairwise Master Key (PMK).
The AP responds by sending a random number called a Nonce to the wireless client.
The wireless client uses the Nonce received from the AP and its own Nonce to generate a key called the Pairwise Transient Key (PTK).
The wireless client sends the PTK to the AP to confirm the establishment of a secure connection.
A wireless probe refers to a type of wireless network probing technique used to gather information about a wireless network. It involves sending out a request frame known as a Probe Request frame, which is broadcasted to all access points (APs) in the vicinity of the wireless device. The Probe Request frame contains information such as the Service Set Identifier (SSID) of the network the device is trying to connect to and other parameters related to the wireless network.
During a wireless handshake, the wireless probe plays an important role in establishing a connection between the wireless device and the access point. When a wireless device wants to connect to a wireless network, it sends a Probe Request frame, which is then received by the access point. The access point responds with a Probe Response frame, which contains information about the network, including the SSID, supported data rates, and security options.
The wireless probe can be used for various purposes, such as network discovery, network mapping, and network troubleshooting. For example, an attacker can use a wireless probe to gather information about a wireless network, such as the SSID and security settings, in order to launch an attack on the network. On the other hand, a network administrator can use a wireless probe to troubleshoot network connectivity issues by analyzing the response frames received from access points.
To make it more clear. from my mobile phone, I tried to connect to a fake Network "test-writeup" to see if my device sending these wireless probes and will my adapter catch them or not.
As you can see it sent the probes successfully.
As the title suggests, I`ve found some information leaked within nearby device probes, and let me talk about the full walkthrough and tools that I used.
Airodump-ng is a command-line tool that is primarily used for network monitoring and troubleshooting in wireless networks. Specifically, it allows users to capture and analyze wireless traffic, including information about the access points and connected clients in the vicinity. It can be used to detect rogue access points, identify channel usage and interference, and gather other useful data for network analysis and optimization.
So, start by running this command:
and all nearby wireless networks began to appear in my terminal along with some information about connected devices to these access points.
And there`s something that got my attention, there is a probe that contains an (Extra) phrase/information [Amin 2023 a, Amin 2021 a, etc.] about one of the access point SSID [Amin]. As you can notice below
❓And let me ask you a question. How many times did you enter your email/ID instead of your password or the opposite? 🤔
Answer: A lot of times of course!! 🤷♂️ imagine none-technical people!
So, I thought this might be the PSK and tried to join this network using my phone.
After many tries, I noticed that if I entered any password it stuck on "connecting" without getting any error/message to know if this PSK is wrong!!!
At this moment I was certain that there is some mac filtering in place, Then I decided that the best way to confirm this is to capture the handshake and crack it using the probe information.
One way to attack WPA/WPA2 networks is to capture a handshake and try to crack the used password offline. To do so you need to find the BSSID and channel of the victim network, and a client that is connected to the network. Once you have that information you have to start listening to all the commutation of that BSSID in that channel, because hopefully the handshake will be send there:
Now we need to deauthenticate the client for a few seconds so it will automatically authenticate again to the AP
And within a few seconds, I got the Handshake
So, without wasting time I tried to check this (Extra) information [Amin 2021 a, Amin 2023 a] as PSK, and because there are some fixed characters [Amin, a] and some variable chars [2021,2023]. I used crunch and aircrack-ng to brute force this.
-t: this parameter is used to select fixed chars and add some variables using [^,&,@,%]
%%%%: this will generate a numeric list from 0000 to 9999
-w -: this will make aircrack take generated password list from crunch without needing to store it (help with big paswd lists)
more information about using crunch parameters: https://manpages.ubuntu.com/manpages/bionic/man1/crunch.1.html
And in less than 10 seconds I was able to get this PSK
To bypass MAC filtering on a wireless network and gain access we can use MAC spoofing techniques to change the Media Access Control (MAC) address of our device. MAC spoofing involves making the device's MAC address appear as one that is already registered and allowed to connect to the network. This can be achieved using various tools and software available for MAC spoofing.
For example, I used macchanger Linux command to change my adapter interface to one of the spoofed MACs for this network which is 52:ae:4a:90:9a:d5
Another way to change MAC on windows is technitium mac address changer
And successfully logged-in!!
the router model was HG630 V2 Home Gateway
So, the first thing I did was try to search for any known vulnerability in this model and I found this one.
The default password of this router is the last 8 characters of the device's serial number which exists on the back of the device.
An attacker can leak the serial number via the web app API like the following:
we can use that serial number to login into the router.
Wireless networks are vulnerable to various security threats, and network administrators must take steps to protect them from unauthorized access, data theft, and hacking. The 4-way handshake is a critical security protocol used in Wi-Fi networks to establish a secure connection between wireless clients and access points.
Wireless probes are also essential for wireless devices to discover available wireless networks in the surrounding area. However, they can also pose security risks, as they may contain sensitive information that can be intercepted by attackers. So, Keep a watch out for these probes.
Never rely only on MAC filtering as absolute security for wireless because there are many ways to bypass this filter.
Thanks for reading 🙂