Where to Start with Wireless Access Exploitation for the National Cyber League Games

So first things first: what exactly is wireless access exploitation?
Well, it’s exactly what it sounds like. It’s the process of exploiting weaknesses in a wireless network and gaining unauthorized access to said wireless network. While we won’t be exploiting any active WiFi networks during the games, we will be using tools to inspect a packet capture and find some information about a wireless network.

What You’ll Need for Wireless Access Exploitation

If you’ve somehow gotten this far into Pro-Tip Tuesday and haven’t set up your Kali Linux VM yet, now is the time to do that. Head over to John’s blog to get set up and then you’ll be ready to go. The two tools you’ll need are Wireshark and aircrack-ng, which are pre-loaded into Kali so as long as your VM is set up, you have what you need.

For this coaching session, we’ll be looking at an easy challenge.

Here are the questions we’ll be looking at for this challenge:

(10 points) What channel was the victim network operating on?
(10 points) What is the ESSID of the WiFi network that was hacked?
(10 points) What is the MAC address of the victim that was deauthenticated?
(10 points) What is the MAC address of the attacker?
(25 points) What is the wireless password (in hex)?

For the first four questions you’ll be able to use Wireshark to get the answers, so open the packet capture file in Wireshark. (Oh, P.S.: the packet capture extension will either be .cap or .pcapng; you’ll really only see .pcap for Network Traffic Analysis challenges.)

(10 points) What is the ESSID of the WiFi network that was hacked?

If you look at Packet 1 of the capture, you’ll get the answer for the second question right away. The ESSID, a.k.a. the SSID, of the WiFi network is Too Spook 4 Me.

(10 points) What channel was the victim network operating on?

Now expand the last line of content in Packet 1, which reads “IEEE 802.11 wireless LAN”, and then drop down the list of Tagged parameters (the channel lives in the DS Parameter Set tag) to see that the Too Spook 4 Me network is currently operating on Channel 11.

To find the MAC addresses of the victim and the hacker, you’ll want to scroll down a bit in the packet capture. You’ll see a few hundred lines with the same MAC address whose Info column shows Deauthentication. That burst of deauthentication frames is how you know it’s the victim’s MAC address.

(10 points) What is the MAC address of the victim that was deauthenticated?

The MAC address of the victim is A8:17:B2:F4:75:34.

You’ll have to scroll down a little bit further until you see any interaction with the attacker’s MAC address, but this time the packet Info will show up as Authentication, so you know it’s the attacker’s MAC address.

(10 points) What is the MAC address of the attacker?

The MAC address of the attacker is D0:CB:2A:9C:A5:DD.
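To show what Wireshark is doing under the hood for those first four questions, here is an added example (my code, not part of the original post or of the NCL challenge) that builds a small pcap in memory and triages it the same way: it reads the ESSID and channel out of the beacon’s tagged parameters, flags the station on the receiving end of a deauthentication burst, and flags the station that later sends an Authentication frame. Every MAC address, the SSID and the channel in it are constructed placeholders, and it generalizes slightly beyond the post by handling any number of networks and stations in one capture.

```python
"""Minimal IEEE 802.11 management-frame triage over a constructed pcap.

Added example, not code from the original post. It builds a tiny pcap in memory
(one beacon, a deauthentication burst, one authentication exchange and one data
frame) and then recovers the same facts the walkthrough reads off Wireshark.
All MAC addresses, the SSID and the channel below are constructed placeholders.
"""
import struct
from collections import Counter

LINKTYPE_IEEE802_11 = 105            # raw 802.11 frames, no radiotap header
BEACON, AUTH, DEAUTH = 8, 11, 12     # management subtypes, as named in Wireshark's Info column

# Constructed placeholders (not the addresses from the challenge capture)
AP_BSSID = "02:AA:BB:CC:DD:01"
VICTIM = "02:11:22:33:44:55"
ATTACKER = "02:DE:AD:BE:EF:01"
SSID, CHANNEL = "ConstructedNet", 6


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)


def mgmt_frame(subtype, dst, src, bssid, body):
    # Management header: FC(2) duration(2) addr1=DA addr2=SA addr3=BSSID seq(2)
    fc = bytes([subtype << 4, 0x00])      # type 0 (management) in bits 2-3, subtype in bits 4-7
    return fc + b"\x00\x00" + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00" + body


def beacon_body(ssid, channel):
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)   # timestamp, beacon interval, capabilities
    tags = bytes([0, len(ssid)]) + ssid.encode()            # tag 0: SSID
    tags += bytes([3, 1, channel])                          # tag 3: DS Parameter Set (the channel)
    return fixed + tags


def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    recs = [struct.pack("<IIII", 1_700_000_000, i, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


def build_sample_capture():
    """Constructed capture: beacon, 20 deauth frames, an auth exchange, one data frame."""
    frames = [mgmt_frame(BEACON, "FF:FF:FF:FF:FF:FF", AP_BSSID, AP_BSSID, beacon_body(SSID, CHANNEL))]
    for i in range(20):                   # deauth burst, spoofed in both directions
        dst, src = (VICTIM, AP_BSSID) if i % 2 == 0 else (AP_BSSID, VICTIM)
        frames.append(mgmt_frame(DEAUTH, dst, src, AP_BSSID, struct.pack("<H", 7)))   # body: reason code
    frames.append(mgmt_frame(AUTH, AP_BSSID, ATTACKER, AP_BSSID, struct.pack("<HHH", 0, 1, 0)))  # open auth, seq 1
    frames.append(mgmt_frame(AUTH, ATTACKER, AP_BSSID, AP_BSSID, struct.pack("<HHH", 0, 2, 0)))  # AP reply, seq 2
    frames.append(bytes([0x08, 0x00]) + b"\x00" * 22)   # a data frame (type 2), ignored by the triage
    return build_pcap(frames)


def iter_pcap(data):
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only native little-endian pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_mgmt(frame):
    """Return header fields for a management frame, or None for any other type."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None
    return {"subtype": frame[0] >> 4,
            "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "body": frame[24:]}


def beacon_tags(body):
    """Walk the tagged parameters that follow the 12 fixed bytes of a beacon."""
    tags, off = {}, 12
    while off + 2 <= len(body):
        tag_id, tag_len = body[off], body[off + 1]
        tags[tag_id] = body[off + 2:off + 2 + tag_len]
        off += 2 + tag_len
    return tags


def summarize(pcap_bytes):
    networks, deauth_hits, auth_sources = {}, Counter(), Counter()
    for frame in iter_pcap(pcap_bytes):
        m = parse_mgmt(frame)
        if m is None:
            continue
        if m["subtype"] == BEACON:
            tags = beacon_tags(m["body"])
            networks[m["bssid"]] = {"essid": tags.get(0, b"").decode(errors="replace"),
                                    "channel": tags[3][0] if 3 in tags else None}
        elif m["subtype"] == DEAUTH:
            for addr in (m["src"], m["dst"]):      # the non-AP address is the station being kicked off
                if addr != m["bssid"]:
                    deauth_hits[addr] += 1
        elif m["subtype"] == AUTH and m["src"] != m["bssid"]:
            auth_sources[m["src"]] += 1           # a station asking the AP to authenticate it
    return {"networks": networks,
            "victim": deauth_hits.most_common(1)[0][0] if deauth_hits else None,
            "deauth_count": max(deauth_hits.values(), default=0),
            "auth_sources": dict(auth_sources)}


if __name__ == "__main__":
    print(summarize(build_sample_capture()))
```

The same three frame classes can be isolated in Wireshark with the display filters `wlan.fc.type_subtype == 0x08` (beacons), `0x0b` (authentication) and `0x0c` (deauthentication). A wireless IDS flags a deauth flood by exactly the counting done in `summarize`: hundreds of deauthentication frames aimed at one station in a short window is not normal client behaviour.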

Now let’s move on to aircrack-ng to find the wireless password.
Since aircrack-ng is already loaded onto the Kali VM, go into the applications and open aircrack-ng so you can see all the command line options you have with this program.

The list is even longer than this, but that was all I could fit on the screen and most of these are irrelevant for our use anyway.

(25 points) What is the wireless password (in hex)?

The fact that this question asks for the password in hex tells you that you’ll need a very simple command for this one. You just need to run aircrack-ng with -a 1 (WEP mode) against the packet capture, since you don’t need the plaintext password. If you did need the plaintext, you would run it with -a 2 -w and a path to a word list set as your dictionary (I recommend putting your word list in the same directory as your .cap file, as it makes things just a little bit easier; I also recommend using the rockyou word list as your dictionary since it is the most common one).

So unlike most of the NCL challenges, this is going to run pretty quickly. At the bottom of the output you’ll see KEY FOUND! with the hex key in brackets. With aircrack-ng, it’s always very obvious what the key is since it’s written in all caps.

The wireless password in hex is C0:A0:00:80:76.

I hope this was helpful if you’re new to Wireless Access Exploitation.
Feel free to reach out to me on Twitter @NCLJeana if you have any questions, and happy hacking!
