SOURCE:
http://resources.infosecinstitute.com/wifite-walkthrough-part-1/#article
http://resources.infosecinstitute.com/wifite-walkthrough-part-2/#article
WHAT IS IT?
In this article series, we will look at a tool named Wifite, which is
suited to automated auditing of wireless networks. Most of you who have
experience in wireless pentesting would use tools like airmon-ng,
aireplay-ng, airodump-ng and aircrack-ng to crack wireless networks. This
involves a sequence of steps: capturing a sufficient number of
IVs in the case of WEP, capturing the WPA four-way handshake in the case
of WPA, and then using aircrack-ng to recover the key or passphrase
required to authenticate to the network. Wifite aims to ease this
process by wrapping all of these tools, making it very easy to audit
Wi-Fi networks.
Here is a list of features of Wifite as per its official
homepage.
- sorts targets by signal strength (in dB); cracks closest access points first
- automatically de-authenticates clients of hidden networks to reveal SSIDs
- numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
- customizable settings (timeouts, packets/sec, etc)
- “anonymous” feature; changes MAC to a random address before attacking, then changes back when attacks are complete
- all captured WPA handshakes are backed up to wifite.py’s current directory
- smart WPA de-authentication; cycles between all clients and broadcast deauths
- stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
- displays session summary at exit; shows any cracked keys
- all passwords saved to cracked.txt
- built-in updater: ./wifite.py -upgrade
RECOMMENDED WIRELESS CARD
Before we start using Wifite, make sure you have a proper wireless
card that supports monitor mode and packet injection. If you don't have
one, I would suggest that you buy this card:
ALFA 1000mW 1W 802.11b/g USB Wireless WiFi network Adapter with 5dBi Antenna
"aireplay-ng" bug info and fix
Note that there is a bug in Wifite that may or may not be present in
your particular version. It prevents aireplay-ng from functioning
properly and displays an error like
aireplay-ng exited unexpectedly
The underlying cause is that aireplay-ng refuses to run when the monitor
interface reports its channel as -1 (the familiar "fixed channel mon0: -1"
problem with some drivers); passing aireplay-ng the --ignore-negative-one
flag works around it. To fix this, you will have to make a small
modification to the Wifite script. You can install gedit
(apt-get install gedit), a text editor, and then edit the Wifite Python
script (found in /usr/bin/wifite). To open it, use the command
gedit /usr/bin/wifite
This will open the source code of Wifite. Then replace every occurrence of
cmd = ['aireplay-ng',
with
cmd = ['aireplay-ng', '--ignore-negative-one',
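The same edit can be applied without opening a text editor. The following Python script is an added example, not part of the original article or of Wifite itself; it rewrites the cmd = ['aireplay-ng', call sites described above, skips lines that already carry the flag so it can be re-run safely, and keeps a .bak copy of the original. The sample text at the bottom is constructed to resemble those call sites and is not the real script.

```python
import re
import sys

# Matches the start of a call site as it appears in the wifite script:
#   cmd = ['aireplay-ng',
# Group 1 captures everything up to and including the comma after the
# program name so the flag can be inserted right after it.
AIREPLAY_CALL = re.compile(r"""(cmd\s*=\s*\[\s*['"]aireplay-ng['"]\s*,)""")
FLAG = "'--ignore-negative-one',"


def patch_wifite_source(text: str) -> tuple:
    """Return (patched_text, number_of_call_sites_modified).

    Lines that already contain the flag are left untouched, so running the
    patch twice is a no-op the second time.
    """
    patched = 0
    out = []
    for line in text.splitlines(keepends=True):
        if AIREPLAY_CALL.search(line) and "--ignore-negative-one" not in line:
            line = AIREPLAY_CALL.sub(r"\1 " + FLAG, line, count=1)
            patched += 1
        out.append(line)
    return "".join(out), patched


def patch_file(path: str) -> int:
    """Patch the script at `path` in place, keeping the original as path.bak.

    Returns the number of call sites modified (0 means nothing was written).
    """
    with open(path, encoding="utf-8") as f:
        original = f.read()
    new_text, n = patch_wifite_source(original)
    if n:
        with open(path + ".bak", "w", encoding="utf-8") as f:
            f.write(original)
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return n


# Constructed sample resembling wifite call sites; this is NOT the real script.
SAMPLE = """\
    cmd = ['aireplay-ng',
           '-1', '0', '-a', bssid, iface]
    cmd = ['aireplay-ng', '--ignore-negative-one', '-3', iface]
    cmd = ['airodump-ng', '-c', channel, iface]
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # e.g.  python3 patch_wifite.py /usr/bin/wifite
        print("patched %d call site(s) in %s" % (patch_file(sys.argv[1]), sys.argv[1]))
    else:
        text, n = patch_wifite_source(SAMPLE)
        print("patched %d call site(s) in the sample:\n%s" % (n, text))
```

Only the first call site in the sample is changed; the second already carries the flag and the third is an airodump-ng call, which the workaround does not apply to.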
UPDATE to the latest version
Wifite can be found under
Applications -> Kali Linux -> Wireless Attacks -> 802.11 Wireless Tools.
Also note that if you are running Wifite on a system other than Kali
Linux, you have to make sure that tools like airmon-ng, aireplay-ng,
airodump-ng and aircrack-ng are already installed on that system,
because Wifite is nothing but a wrapper over these tools. Before we
even start using Wifite, it is better to update to the latest version
using its built-in updater (wifite -upgrade).
LIST ALL THE COMMANDS and SWITCHES
In my case, I already have the latest version. In this tutorial, we
will be targeting a simple Wi-Fi network with WEP encryption. Just using
the command
wifite -h
will give you a list of all the options and switches.
Crack some WEP
A very tempting option would be
-all, which tries to attack every network that it finds. We will try it
in later articles in this series. However, first let's take a look at
all the targets that we have. To do that, use the command
wifite -showb
Once this is done, we can see that wifite has put our network
interface card into monitor mode (using airmon-ng) and started to look
for clients. After a few more seconds, it will start displaying the list
of access points.
Note that, as mentioned in the feature list (automatically
de-authenticates clients of hidden networks to reveal SSIDs), this list
will also include hidden access points, so Wifite can also be used to
find hidden access points. In this case we will attack an access point
with the BSSID 00:26:75:02:EF:65 that I have set up for testing
purposes. The access point has a simple WEP key,
1234567890.
Once your target appears in the list, press
Ctrl+C
to stop scanning. Wifite will now ask you to choose a target number
from the list. The target number for my test network is 1, so let me
enter that. Note that pressing
Ctrl+C again will quit Wifite.
You can now see Wifite attempting to crack the WEP access point using
the well-known WEP attacks it supports (fake authentication followed by
ARP replay, chop-chop, fragmentation, caffe-latte, p0841 and hirte).
Attacks that do not work against this access point are abandoned after
a timeout and the next one is tried, until one starts producing IVs.
Once enough IVs have been captured, it will automatically start cracking the key.
As we can see, Wifite has successfully recovered the WEP key for the
access point. Wifite is an extremely useful tool for auditing wireless
networks. As I mentioned previously, you need to have all the tools
like airmon-ng, aireplay-ng, airodump-ng and aircrack-ng already
installed on your system. To further prove the point, let's dive into
the source code of Wifite.

As we can see, the Python code builds command lines for aireplay-ng (and
the other aircrack-ng tools) and runs them as subprocesses; Wifite is
only as good as the toolchain underneath it. Hence, it is recommended to
run Wifite inside Kali Linux, where the whole aircrack-ng suite is
preinstalled.
Crack some WPA
In this part, we will look at cracking access points that use WPA-PSK or WPA2-PSK with Wifite.
If you have used tools like airodump-ng and aircrack-ng to crack WPA
access points before, you will know that the one thing required to
crack a WPA-PSK network offline is a captured WPA four-way handshake:
the nonces and MIC it carries are what each dictionary candidate is
checked against. This is a dictionary attack; if the passphrase is not
in your wordlist, it will not be cracked.
To start Wifite for cracking a WPA access point, give it the option
-wpa so that it only targets WPA networks, and a dictionary file for
cracking the WPA passphrase with the
-dict option (e.g. wifite -wpa -dict /path/to/wordlist). In Kali Linux,
the wordlists are stored under
/usr/share/wordlists. Wifite will now start scanning for WPA access points.

Press Ctrl+C to stop the scan and give a target number. In my case, the
target number is 2, an access point I have configured for testing
purposes. The access point uses WPA2-PSK with the passphrase "password".

Wifite will now start listening for the handshake. Once it has found
it, it will automatically start cracking the passphrase using the
dictionary file that we supplied.

And as you can see, Wifite has successfully found the passphrase for the access point.
Sometimes, things may not work as smoothly. The four-way handshake is
only exchanged when a client (re)associates with the access point, so to
capture one a client has to connect to the wireless network while we
are monitoring it. If the client was already connected before we started
monitoring, no handshake will be seen. Wifite handles this by
automatically sending deauthentication packets to a particular client,
or broadcast deauthentication packets if required; when the client
reconnects to the access point, the handshake is captured. You can
specify the time between deauthentication packets using the -wpadt
flag.
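What "capturing the handshake" means in practice is worth making precise, because a capture that is missing one message looks fine in the airodump-ng output but will not crack. The following Python is an added example (not part of the original article or of Wifite); it parses EAPOL-Key frames, classifies them as messages 1 to 4 of the four-way handshake from their Key Information bits, and applies a rule of the example's own: a capture is usable for a dictionary attack when it holds message 2 (the SNonce and a MIC) plus a message 1 or 3 carrying the matching ANonce, matched by replay counter. The frames at the bottom are constructed with dummy nonces, MICs and key data. It also shows why the deauthentication trick works: message 2 is only ever sent when the client (re)associates.

```python
import struct

# Key Information bit masks of the EAPOL-Key frame (IEEE 802.11, 12.7.2)
KEY_TYPE_PAIRWISE = 1 << 3
INSTALL = 1 << 6
KEY_ACK = 1 << 7
KEY_MIC = 1 << 8
SECURE = 1 << 9


def parse_eapol_key(frame: bytes) -> dict:
    """Parse an EAPOL-Key frame (the bytes after the 802.11/LLC/SNAP headers)."""
    version, packet_type, body_len = struct.unpack("!BBH", frame[:4])
    if packet_type != 3:
        raise ValueError("not an EAPOL-Key frame")
    body = frame[4:4 + body_len]
    desc_type, key_info, key_len = struct.unpack("!BHH", body[:5])
    (replay,) = struct.unpack("!Q", body[5:13])
    nonce = body[13:45]
    # body[45:61] key IV, body[61:69] key RSC, body[69:77] key ID: unused here
    mic = body[77:93]
    (key_data_len,) = struct.unpack("!H", body[93:95])
    return {"key_info": key_info, "replay": replay, "nonce": nonce,
            "mic": mic, "key_data": body[95:95 + key_data_len]}


def classify(msg: dict):
    """Return 1..4 for the four-way handshake message, or None for group-key frames."""
    ki = msg["key_info"]
    if not ki & KEY_TYPE_PAIRWISE:
        return None
    ack, mic = bool(ki & KEY_ACK), bool(ki & KEY_MIC)
    if ack and not mic:
        return 1                       # AP -> STA: ANonce, no MIC yet
    if ack and mic and ki & INSTALL:
        return 3                       # AP -> STA: ANonce again, GTK, MIC
    if mic and not ack:
        # M2 carries the SNonce plus the station's RSN IE in key data;
        # M4 has empty key data (and the Secure bit set under WPA2).
        return 4 if (ki & SECURE or not msg["key_data"]) else 2
    return None


def usable_handshake(frames) -> bool:
    """True if the frames hold what an offline dictionary attack needs:
    the SNonce and MIC from message 2 and the ANonce from a message 1
    with the same replay counter or a message 3 with counter + 1."""
    msgs = [(classify(m), m) for m in map(parse_eapol_key, frames)]
    for n2, m2 in msgs:
        if n2 != 2:
            continue
        for n, m in msgs:
            if n == 1 and m["replay"] == m2["replay"]:
                return True
            if n == 3 and m["replay"] == m2["replay"] + 1:
                return True
    return False


def build_eapol_key(key_info, replay, nonce, mic=bytes(16), key_data=b"") -> bytes:
    """Construct an EAPOL-Key frame (RSN descriptor type 2, 16-byte CCMP key)."""
    body = (struct.pack("!BHH", 2, key_info, 16) + struct.pack("!Q", replay)
            + nonce + bytes(16) + bytes(8) + bytes(8) + mic
            + struct.pack("!H", len(key_data)) + key_data)
    return struct.pack("!BBH", 2, 3, len(body)) + body


# Constructed sample handshake: nonces, MICs and key data are dummy bytes.
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
RSN_IE = b"\x30\x14\x01\x00"  # first bytes of a dummy RSN information element
M1 = build_eapol_key(KEY_TYPE_PAIRWISE | KEY_ACK, 1, ANONCE)
M2 = build_eapol_key(KEY_TYPE_PAIRWISE | KEY_MIC, 1, SNONCE, b"\xaa" * 16, RSN_IE)
M3 = build_eapol_key(KEY_TYPE_PAIRWISE | KEY_ACK | KEY_MIC | INSTALL | SECURE,
                     2, ANONCE, b"\xbb" * 16, b"\x00" * 24)
M4 = build_eapol_key(KEY_TYPE_PAIRWISE | KEY_MIC | SECURE, 2, bytes(32), b"\xcc" * 16)

if __name__ == "__main__":
    for name, cap in (("M1+M2", [M1, M2]), ("M2+M3", [M2, M3]), ("M3+M4 only", [M3, M4])):
        print(name, "usable:", usable_handshake(cap))
```

Running the file prints which of the three sample captures are usable; the third (messages 3 and 4 only) is not, because message 4 carries a MIC but no SNonce, which is exactly the situation you are in when you start sniffing after the client has already associated.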
You can also choose which tool Wifite uses to verify that a complete
four-way handshake has been captured before it moves on to cracking.
By default, aircrack-ng is used; cowpatty, pyrit or tshark can be
selected instead with the -cowpatty, -pyrit and -tshark options. Note
that tshark only checks that the handshake frames are present in the
capture; the passphrase itself is cracked against your dictionary with
aircrack-ng.

Another useful option in Wifite is to anonymize your MAC address with the
-mac option. Even though it is trivial to change the MAC address of an
interface with a few commands or the
macchanger
utility, it is good to have this feature in the tool itself. However,
for it to work, the interface whose MAC address you want to change must
not be in monitor mode; if it is, put it back into managed mode first.
You can use the command
iwconfig to check which interfaces are in monitor mode, and then take them down with the
airmon-ng stop interface-name command. In my case, the mon0 interface is in monitor mode.

Hence, let's take it down using the command
airmon-ng stop mon0

Now we can add the
-mac option to anonymize the MAC address.
As you can see, Wifite is smart enough to change the MAC address to one
that resembles the interface's existing address (it keeps the vendor
prefix, the first three octets, and randomizes only the last three)
rather than something obviously fake such as AA:BB:CC:DD:EE:FF, which
is a giveaway.

And when you stop the capture, Wifite is nice enough to change the MAC address back to the original one.
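As an added example (not Wifite's own code), here is the same OUI-preserving randomization in Python, together with a small plausibility check for the structural giveaways a spoofed station address must avoid. The sample address with the 00:c0:ca prefix and the assumption that exactly three prefix octets are kept are the example's own; an unregistered prefix can only be caught by looking the OUI up in the IEEE registry, which this example does not do.

```python
import random
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def anonymize_mac(mac: str, rng=None) -> str:
    """Return a random MAC that keeps the vendor prefix (OUI, the first three
    octets) of `mac` and randomizes the remaining three octets.

    Never returns the original address. `rng` defaults to the OS CSPRNG;
    pass a seeded random.Random for reproducible output.
    """
    rng = rng or random.SystemRandom()
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError("expected aa:bb:cc:dd:ee:ff, got %r" % mac)
    oui = mac[:8]
    while True:
        tail = ":".join("%02x" % rng.randrange(256) for _ in range(3))
        candidate = oui + ":" + tail
        if candidate != mac:
            return candidate


def looks_plausible(mac: str) -> bool:
    """Reject addresses that give the game away as a station source address:
    malformed, all zeros, the broadcast address, or the I/G (multicast)
    bit set in the first octet, which no real station ever transmits from."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        return False
    if mac in ("00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"):
        return False
    return not (int(mac[:2], 16) & 0x01)


# Constructed sample address; 00:c0:ca is assumed here to be an ALFA OUI.
ORIGINAL = "00:c0:ca:12:34:56"

if __name__ == "__main__":
    spoofed = anonymize_mac(ORIGINAL)
    print("original:", ORIGINAL)
    print("spoofed: ", spoofed, "plausible:", looks_plausible(spoofed))
    # When the session ends, the saved ORIGINAL is what gets set back on
    # the interface, which is the restore step Wifite performs for you.
```

Keeping the OUI matters because a vendor prefix that never shipped in any hardware stands out to anyone who looks the prefix up, whereas a random tail behind a genuine prefix is indistinguishable from another device from the same manufacturer.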
PHV.DCXXIV.2016.0128