Silica Wireless Hacking Tool Cracked Download

How I Cracked seventy% of Tel Aviv'due south Wifi Networks (from a Sample of 5,000 Gathered WiFi).

In the past seven years that I've lived in Tel Aviv, I've changed apartments iv times. Every time I faced the same scenario: the internet company took several days to connect the flat, leaving me disconnected and frustrated while trying to watch laggy Netflix on the TV with my cellphone hotspot. A solution I have to this scenario is having the "Hello. I am the new neighbor" talk with the neighbors while trying to get their cell telephone number in example of emergencies — and request if I could use their WiFi until the cable company connected me. I remember nosotros all can concur that not having internet easily falls into the emergency category! Often, their cell phone number was also their WiFi password!

I hypothesized that most people living in Israel (and globally) accept unsafe WiFi passwords that can be easily croaky or even guessed past curious neighbors or malicious actors.

The combination of my by feel, a relatively new WiFi attack that I will explain momentarily, a new monster cracking rig (8 x QUADRO RTX 8000 48GB GPUs) in CyberArk Labs and the fact that WiFi is everywhere because connectivity is more important than ever collection me to research, whether I was right with my hypothesis or perhaps just lucky.

With the continued shift to remote work due to the pandemic, securing dwelling house networks has become imperative and poses a chance to the enterprise if not washed so. Abode networks rarely have the same controls equally enterprise networks. And a security programme is only as potent as its weakest link.

Figure 1- CyberArk Labs new neat rig

To test this hypothesis, I gathered five,000 WiFi network hashes as my study group by strolling the streets in Tel Aviv with WiFi sniffing equipment. At the end of the research, I was able to interruption more 70% of the sniffed WiFi networks passwords with relative ease. The Tel Aviv Metropolitan area has more 3.9 million people — you can imagine what the numbers would have been had we not cut our research off at 5,000 WiFi networks. And while this research was conducted in Tel Aviv, the routers that were susceptible to this assail — from many of the world's largest vendors — are used by households and businesses worldwide.

In this blog, I demonstrate how hands (you do not demand a cracking rig) and with niggling equipment unsecure WiFi passwords can exist cracked, thus hacking the WiFi network .At the end, nosotros will reveal statistics of the croaky hashes and explicate how to defend your network from this type of attack. Therefore, information technology is of utmost importance that nosotros know and understand the nifty method to form an adequate defence force.

Let's dig in

Before Jens "atom" Steube's (Hashcat's lead developer) research, when a hacker wanted to crack a WiFi password, they needed to capture a alive iv-mode handshake between a customer and a router occurring only during the institution of the connection. Simply put, the assailant would demand to be monitoring the network at the fourth dimension the user or device connects to the WiFi network. Therefore, a hacker needed to be in a physical location betwixt the admission indicate (router) and the client, hoping that the user would enter the right password and that all four packets of the handshake were sniffed correctly. If a hacker did not want to wait until a victim establishes a connection (which can take hours, who connects to their habitation network while they are at work?), the attacker could de-cosign an already-connected user to force the victim to have a new four-way handshake.

Another attack vector is to set upwards a malicious twin network with the same SSID (network proper name), hoping that the victim would try to log in to the simulated network. A major shortcoming of this is, of grade, that it is very noisy (meaning it tin be easily traced) and can be easily noticed.

In elementary English, if an antagonist wanted to hack/crevice a WiFi password, they need to exist in the right place (between users and a router) at the correct time (when users log in) and exist lucky (users entered the right password and all four packets were sniffed correctly).

All of this changed with cantlet's groundbreaking research, which exposed a new vulnerability targeting RSN IE (Robust Security Network Information Chemical element) to retrieve a PMKID hash (will be explained in a fleck) that can be used to crevice the target network password. PMKID is a hash that is used for roaming capabilities between APs. The legitimate use of PMKID is, however, of little relevance for the scope of this blog. Frankly, it makes picayune sense to enable it on routers for personal/private use (WPA2-personal), as commonly there is no need for roaming in a personal network.

Cantlet's technique is clientless, making the need to capture a user'due south login in real time and the demand for users to connect to the network at all obsolete. Furthermore, it only requires the aggressor to capture a unmarried frame and eliminate wrong passwords and malformed frames that are agonizing the cracking process.
Plainly put, nosotros exercise not need to await for people connecting to their routers for this attack to exist successful. We are just in the vicinity of the router/network getting a PMKID hash and trying to crack it.

To scissure a PMKID, we beginning need to understand how it is generated.

How is PMKID hash generated and what elements does it contain

Figure ii- Flow of Computing PMKID hash and PMK

The hash calculation might seem daunting at commencement glance only let the states dive into it.

We demand to generate a PMK driven from SSID (the network name) and the Passphrase ; and then nosotros generate a PMKID driven from the PMK we generated, the AP MAC address, and the client MAC address. So permit us see where nosotros can find those:

The PMK is computed as follows:

Figure 3- PMK calculation

• Passphrase– The WiFi countersign — hence, the function that we are really looking for.
• SSID – The name of the network. It is freely bachelor at the router beacons (Effigy 3).
• 4096 – Number of PBKDF2 iterations

Effigy 4 – SSID from a buoy

After a PMK was generated, we tin can generate a PMKID.
The PMKID is computed as follows:

Effigy 5 – PMKID calculation

• PMK – What we are searching for, generated above. In WPA2 personal, the PMK is the PSK (will be explained in the next paragraph).
• "PMK Name" – Static string for all PKMIDs.
• MAC_AP – Admission Point's MAC address – This address can be found in any frame transport by the router (Figure iv).
• MAC_STA – The customer's Mac address can exist plant in whatsoever frame sent by the client's figurer(Effigy 4). It tin can moreover exist institute in the output of ifconfig\ip a commands.

Figure 6 – PMKID, AP'south MAC, Client'south MAC

Cracking the PMKID hash is ultimately only generating/calculating PMKs with the SSID and different passphrases, then calculating PMKID from the PMK and the other information nosotros obtained. Once we generated a PMKID equal to the PMKID that was retrieved from the AP (Effigy 3), the hash is cracked; the passphrases that were used to generate the right PMK that the PMKID was generated from is the right WiFi password.

Now we know how a PMKID is being generated, and we can continue to the sniffing and cracking phases of our enquiry.

Sniffing PMKID

To gather WiFi PMKID hashes, a wireless network interface that has monitor style capabilities is required. Monitor fashion allows packet capturing without having to associate with an admission betoken.

I bought an AWUS036ACH ALFA Network card for $fifty (there are even cheaper options) that supports monitor mode and package injection and went around the center of Tel Aviv to sniff WiFis.

Before we can commencement the sniffing, nosotros need to fix our surround:

I used an ubuntu machine with AWUS036ACH ALFA.

Figure vii – AWUS036ACH ALFA NIC

Nosotros build the package Hcxdumptool — a cracking utility by ZerBea to capture packets from WLAN devices.

git clone https://github.com/ZerBea/hcxdumptool.git sudo apt-get install libcurl4-OpenSSL-dev libssl-dev pkg-config make        

After that, we need to install drivers with monitor style adequacy. Each chipset has its drivers:

git clone -b v5.six.iv.2 https://github.com/aircrack-ng/rtl8812au.git make && brand install        

It is recommended to close down services that might interfere with Hcxdumptool execution:

sudo systemctl stop wpa_supplicant sudo service NetworkManager stop        

Then it is time to first sniffing. Hcxdumptool is a powerful tool that can be used for various attacks, not only the PMKID; therefore, nosotros disable any attack that is not targeting PMKID.

sudo ../../tools/hcxdumptool/hcxdumptool -i wlx00c0caac2745 -o Wi-Fi_PMKID.pcapng --disable_deauthentication --disable_client_attacks --enable_status=three        

• -i my Alfa NIC, you lot tin execute ifconfig\ip a to find your interface name.
• -o the output pcapng of the execution.

Now habiliment a hoody, because you will get a PMKID of every network you cross past that is vulnerable to the assail.

Figure 8 – Me in a hoodie

When I reached five,000 nerveless networks, I decided to quit; Israeli summer was too hot for me, so I turned to the fun role — corking.

Information technology's cracking fourth dimension!

Our first stride in the nifty procedure is to install hashcat, the world's fastest and nearly advanced password recovery tool. As the sniffing results are in the class of pcapng, we needed to convert them into a hashfile format to fit information technology to hashcat. For this goal, I made use of another tool from the great suite of hcxtools.

hcxpcapngtool -o Wi-Fi_pmkid_hash_22000_file.txt Wi-Fi_PMKID.pcapng        

Resulting in a hashfile that each line takes on the post-obit construction:

SIGNATURE*TYPE*PMKID/MIC*MACAP*MACSTA*ESSID* * *

Here is an example of a hashline:

WPA*01*c6d5c97b9aa88cbe182429275a83efdb*302478bee0ee*acde48a84862*54686557494649***

• SIGNATURE = "WPA"
• Type = 01 for PMKID, 02 for EAPOL, others to follow
• PMKID /MIC = PMKID if TYPE==01, MIC if Type==02
• MACAP = MAC of AP
• MACSTA = MAC of station
• ESSID = ESSID
• Non used in a PMKID attack:
  • ANONCE = ANONCE
  • EAPOL = EAPOL (SNONCE is in here)
  • MESSAGEPAIR = Bitmask

The next step is to commence the cracking procedure by executing hashcat:

Hashcat's capabilities include several cracking methods, of which the near mutual are dictionary + rules and mask assail. The methods differ in the way they are forming the Passphrase.

We chose to commencement with what'south called a "mask assault," due to the terrible habit many people living in Israel take of using their cellphone numbers as WiFi passwords. You can recollect of mask attack as Regex:

• ?d – digits
• ?l – lower example characters
• ?u – Upper case characters
• ?s – special symbols as ? !  $ …..

The mask for the password: 202!$ummeR would go?d?d?d?s?southward?l?l?l?50?u

Hither is my Hashcat command that tried all the possible cellphone numbers combinations in State of israel [the Israeli cellphone prefix is 05]

sudo hashcat -a 3 -w4 -thou 22000 /home/tuser/hashes/Wi-Fi_pmkid_hash_22000_file.txt 05?d?d?d?d?d?d?d?d -o /home/tuser/hashes/pmkid_cracked.txt        

During this first execution of the mask assail, we cracked ii,200 passwords. Let'due south summate the number of options for Israeli cellphone numbers:
Information technology is ten digits long and it starts with 05. Therefore, we need to gauge the remaining 8 digits.

Each digit has 10 options (0-ix), hence 10**8 possible combinations. Ane hundred one thousand thousand seems like a lot of combinations, just our monster rig calculates at the speed of 6819.8 kH/due south which translates into half-dozen,819,000 hashes per 2nd.
A cracking rig is not required every bit my laptop tin get to 194.4 kH/south, which translates into 194,000 hashes per second. That equals more than plenty computing power to cycle through the possibilities necessary to scissure the passwords. Consequently, information technology took my laptop roughly 9 minutes to pause a single WiFi countersign with the characteristics of a cellphone number. (10**viii)/194,000 = ~516 (seconds)/lx = ~9 minutes.

The bully speed for hashtypes differs because of unlike hash functions and the number of iterations. For instance, PMKID is very slow compared to MD5 or NTLM. Nonetheless, it is feasible to crack a PMKID hash if the attacker focuses on a specific network, and the password is not complicated enough.

Afterwards, we executed a standard dictionary attack with the near common dictionary, Rockyou.txt, and cracked more than 900 hashes. Here is a small glimpse into Rockyou.txt content:

123456 12345 123456789 password iloveyou princess 1234567 rockyou 12345678 abc123 nicole daniel babygirl monkey lovely jessica 654321 michael ashley

Let's look over the statistics of the croaky hashes:

Cracked passwords by their length:

Password Length	Occurrences
10	2405
viii	744
9	368
12	fourteen
xi	14
14	seven
13	7
Sum	3,559

As you tin can come across, except for the 10-digit countersign — which nosotros had a tailored mask for — as the countersign length increased, the number of cracked passwords decreased. The lesson hither? The longer the password, the better.

Superlative 4 masks for the cracked passwords:

Mask	Occurrences	Pregnant
Mask	Occurrences	Meaning
?d?d?d?d?d?d?d?d?d?d	2349	10 digits
?d?d?d?d?d?d?d?d	596	viii digits
?d?d?d?d?d?d?d?d?d	368	ix digits
?l?l?l?50?l?50?fifty?fifty	320	8 lower case letters
Sum	3,633

We tin can see that cracked passwords most often fit a mask that contains simply digits or only lower-instance characters.

Not all routers support roaming features and are, therefore, not vulnerable to the PMKID attack. However, our enquiry found that routers manufactured by many of the earth's largest vendors are vulnerable.

As I estimated beforehand, the procedure of sniffing WiFis and the subsequent slap-up procedures was a very accessible undertaking in terms of equipment, costs and execution.

The bottom line is that in a couple of hours and with approximately $50, your neighbor or a malicious actor tin can compromise your privacy and much more if you don't have a stiff password.

Conclusion

In total, we cracked more than 3,500 WiFi network in and around Tel Aviv – 70% of our sample.

The threat of a compromised WiFi network presents serious take a chance to individuals, small business owners and enterprises akin. And as we've shown, when an assailant tin can crack more than than seventy% of WiFi networks in a major global urban center with relative ease, greater attention must be paid to protecting oneself.

At the about basic level, people who use your network take role of your bandwidth, which may deadening down your internet feel. However, more consequential is that in one case attackers gain access to your network, they tin launch various man-in-the-middle (MITM) attacks. That can lead to attackers gaining access to your important accounts, such as your bank business relationship, your email business relationship (which is everything in modern life) and compromising other sensitive credentials. This besides further opens set on vectors to your IoT devices similar smart home equipment, smart TVs, security systems, etc.

For the small concern, the gamble lies in an assailant infiltrating a network and then moving laterally to high-value applications or data, such every bit a billing organization or cashier.

Concerning the enterprise, it's possible for an attacker to gain initial access to a remote user's WiFi and then hop to the user's computer and look for a VPN connectedness or for the user to go to the office and move laterally from there.

From a broader perspective, computers and other devices are normally not accessible from outside of the network because of NAT, just once an assaulter is in the network, it facilitates a range of attack vectors.

How should I protect myself?

1. Choose a complex password. A strong password should include at to the lowest degree ane lower case character, ane upper case character, one symbol, one digit. It should be at least 10 characters long. Information technology should be hands remembered and hard to anticipate. Bad instance: Summer$021
2. Change the default username and password of your router.
3. Update your router firmware version.
4. Disable weak encryption protocols (as WAP or WAP1).
5. Disable WPS.

Information technology's important to note that implementing multi-factor authentication (MFA) for personal WiFi is difficult and largely impractical for a personal WiFi and a non-technical consumer. It is also unlikely that MFA volition exist widely available for general consumer employ cases in the nigh feature.

I would like to give a big shout-out to Atom and ZerBea for their incredible work on this assail technique and for their work in full general.

I promise you enjoyed this blog and that y'all will take the required steps to secure your WiFi network. And every bit a reminder, none of the passwords nosotros cracked were used for unauthorized access to these WiFi networks or whatever other information accessible via these networks.

DOWNLOAD HERE

Silica Wireless Hacking Tool Cracked Download

Posted by: frenchaffecke.blogspot.com

Share this post