Network Cracking (Auditing) Module
WAIDPS also includes a Network Auditing Module that allows the user to crack a WEP-encrypted access point (AP), capture the WPA/WPA2 handshake for cracking the WPA passphrase, and brute-force the PIN of a Wi-Fi Protected Setup (WPS) enabled router, which thereafter reveals the WPA passphrase. Apart from cracking encrypted access points, WAIDPS also includes "Live Monitoring" of an access point, which shows the details of the wireless clients associated with that specific access point.
WARNING: The Network Cracking Module is strictly for auditing your own network, or auditing someone else's network with their mutual consent. It is ILLEGAL to attack someone else's access point, and it is the user's responsibility to obey all applicable laws. The developer assumes no liability and is not responsible for any misuse of WAIDPS.
Network Auditing Main Menu
To get into the 'Network Auditing' selection menu, press [Enter] on the main menu followed by [A] to enter the auditing module. The Auditing menu displays the list of detected access points sorted in the order: WEP, WPS-enabled router, WPA access point with clients, and WPA access point. To display more information on the operation, type [Help].
Note: Please allow the WiFi Harvester to harvest access point and client details in the main screen before selecting the "Auditing Network" module.
Cracking of WEP Encrypted Access Point
WAIDPS allows the user to crack a WEP-encrypted access point with various attack methods such as ARP replay, interactive ARP replay, and the KoreK and Hirte attacks (in development). It also provides the options of deauthenticating existing clients and spoofing the MAC address. To select the target, simply enter the number shown or the MAC address of the access point (BSSID). The user can also filter by encryption type by typing "WEP".
Once the target access point (AP) is selected, WAIDPS displays the existing AP/client details together with the information found in the database that was previously harvested by the "WiFi Harvester". WAIDPS also spoofs the MAC address of the attacking interface at this point, and additionally allows the user to choose the MAC address to spoof.
Once all information is set, WAIDPS first attempts to associate with the AP by performing a "Fake Authentication". After associating with the AP, WAIDPS continues with the default ARP Request Replay attack. While attacking the AP, WAIDPS also attempts to crack the WEP key once sufficient IVs have been obtained. Once the WEP encryption is cracked, the WEP key is displayed and stored in a database for reference.
Example of a cracked access point displayed in the Auditing main menu
Apart from the default ARP Request Replay attack mode, WAIDPS also provides other attack modes such as interactive replay, KoreK ChopChop, Café Latte, Fragmentation and the Hirte attack method (not ready yet). The user can enter the WEP Auditing Menu by pressing [Enter] during the attack. Other than the attack methods, the WEP auditing menu also allows the user to deauthenticate clients, spoof the attacking MAC address, and use other methods of cracking the WEP key.
Cracking of WEP Encrypted Access Point (Usage of previously captured IVs)
WAIDPS also stores previously captured IVs for subsequent use in cracking the WEP key if the user does not have enough time to finish cracking in one session. This IV dump is added to the current IVs to increase the total number of IVs and so improve the chance of cracking.
Cracking of WEP Encrypted Access Point (Beating MAC Filtered AP)
Some access points have MAC filtering turned on to prevent unauthorized clients from associating with the AP, which also makes cracking the encryption harder for a novice. WAIDPS displays an error message reporting a possible "MAC Filtered Access Point" if a MAC-filtered AP is detected during the fake authentication process.
WAIDPS provides the user with the option of spoofing the MAC address of an existing client, or a MAC address found in the database that was previously harvested. Simply press [Enter] to display the WEP Auditing Menu and select "4" - Spoof MAC Address to spoof the attacking interface's MAC address.
Cracking of WEP Encrypted Access Point (Shared Key Authentication - SKA AP)
A "Shared Key Authentication" (SKA) WEP-encrypted network is much more complex to audit than the commonly used "Open" WEP network. WAIDPS displays an error message reporting a possible SKA WEP-encrypted access point. An existing legitimate client must be present in order to obtain the 140-byte keystream. The user can manually send a deauthentication signal to the AP to try to obtain the keystream, or WAIDPS will automatically attempt to send a deauthentication signal in order to obtain the keystream. To increase the chances of beating SKA, the user can also spoof the existing client's MAC address.
Cracking of WPA Encrypted Access Point
In order to crack a WPA-encrypted access point, the user must first obtain a 4-way handshake between a legitimate client and the access point. Similar to WEP cracking, WAIDPS displays the AP information and allows the user to spoof the MAC address before proceeding with the deauthentication of clients to obtain the handshake.
WAIDPS attempts to send a broadcast deauthentication signal to the access point and to detect connected clients. Once a client is detected, WAIDPS then sends a deauthentication signal to that specific client MAC address in an attempt to capture the handshake. Similar to the WEP attack, the user can display the list of options by pressing [Enter] during the capture process.
After sending deauthentication signals to the AP and clients, WAIDPS detects the presence of a handshake and lists the details individually by client MAC. Once a handshake is successfully captured, the captured handshake file is saved to the "/SYWorks/Saved/" directory. WAIDPS then proceeds with cracking the WPA passphrase based on the captured handshake.
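The deauthentication sequence described above (a burst of broadcast deauthentication aimed at the AP, followed by targeted deauthentication of each detected client) is also the pattern a wireless IDS looks for. The following is an added example, not WAIDPS code, that flags that pattern in a constructed list of 802.11 management-frame records; the record layout, the BSSIDs, the window and the threshold are assumptions.

```python
# Added example (not WAIDPS code): detect a deauthentication burst per BSSID and
# summarise how much of it was broadcast versus aimed at individual clients.
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH = 12   # 802.11 management frame subtype for Deauthentication

# Constructed sample capture (timestamp_s, subtype, bssid, destination); all
# addresses are made up. Five broadcast deauths, then three at one client.
SAMPLE_FRAMES = [
    (0.00, DEAUTH, "aa:bb:cc:00:00:01", BROADCAST),
    (0.10, DEAUTH, "aa:bb:cc:00:00:01", BROADCAST),
    (0.20, DEAUTH, "aa:bb:cc:00:00:01", BROADCAST),
    (0.30, DEAUTH, "aa:bb:cc:00:00:01", BROADCAST),
    (0.40, DEAUTH, "aa:bb:cc:00:00:01", BROADCAST),
    (1.50, DEAUTH, "aa:bb:cc:00:00:01", "11:22:33:44:55:66"),
    (1.60, DEAUTH, "aa:bb:cc:00:00:01", "11:22:33:44:55:66"),
    (1.70, DEAUTH, "aa:bb:cc:00:00:01", "11:22:33:44:55:66"),
    (9.00, DEAUTH, "dd:ee:ff:00:00:02", "77:88:99:aa:bb:cc"),  # lone, benign
]

def find_deauth_bursts(frames, window=5.0, threshold=5):
    """Return {bssid: {"broadcast": n, "targets": {client: n}}} for every BSSID
    that saw at least `threshold` deauth frames inside any `window` seconds."""
    per_bssid = defaultdict(list)
    for ts, subtype, bssid, dst in frames:
        if subtype == DEAUTH:
            per_bssid[bssid].append((ts, dst))
    alerts = {}
    for bssid, events in per_bssid.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window` s
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                summary = {"broadcast": 0, "targets": defaultdict(int)}
                for _, dst in events:
                    if dst == BROADCAST:
                        summary["broadcast"] += 1
                    else:
                        summary["targets"][dst] += 1
                summary["targets"] = dict(summary["targets"])
                alerts[bssid] = summary
                break
    return alerts
```

A burst with both broadcast and client-specific deauthentication against the same BSSID, as returned for the sample above, is the signature of forced handshake capture rather than an AP simply dropping one idle client.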
If the passphrase is found in the default dictionary, WAIDPS displays the cracked passphrase and also stores it in a database for reference.
Cracking of WPA Encrypted Access Point (Manually selecting handshake file)
If a handshake has already been captured for a specific access point, "[Handshake]" is shown directly after the ESSID on the main auditing screen. The user can then select that access point to perform a manual cracking of the handshake file using another dictionary.
Customising Dictionary Location
The user can specify the location of other dictionaries to be used for cracking by typing "C" - Application Configuration on the WAIDPS main menu, then selecting "9" for Dictionary Detail and Setting.
Cracking of WPS Enabled Access Point
The option to crack a WPS-enabled access point is only available for WPA/WPA2-encrypted networks, since WEP is considered easy to crack anyway. Similar to WEP/WPA cracking, the user can enter the list number of the access point or the MAC address of the AP (BSSID) to select the target. Options are provided for the user to choose whether to proceed with "WPS Bruteforce" or "WPA handshake". Brute-forcing details are shown on the screen so the user can better analyse the PINs tried, the PINs remaining and other status of the brute-force process.
Once the WPS PIN is found, WAIDPS displays the WPS PIN and WPA passphrase of the cracked network and also stores the details in the database for reference.
Cracking of WPS Enabled Access Point (Manually entering PIN)
During the cracking process, the user can also manually enter a WPS PIN to try by pressing [Enter] to display the menu and then "P" to enter the PIN. This is particularly useful when the WPA passphrase has been changed but the WPS PIN has not.
Live Monitoring of Access Point
WAIDPS also provides the user with the option to perform live monitoring of an access point to get the activity status of the AP and the wireless clients associated with it. It displays the details of the detected devices and whether each device is active or is not sending any data. To monitor a specific access point, the user can put an "M" in front of the listing number or an "M" in front of the BSSID.