
Wireless Hacking Part-1

What is Wifi?
It is a wireless Internet connection made through a wireless router that transmits data on a specific high-frequency radio signal.

Evolution of 802.11
1: 802.11 legacy
2: 802.11a – 5.4GHz, 1999, orthogonal frequency-division multiplexing (OFDM)
3: 802.11b – 2.4GHz, CSMA/CA, 11Mbps
4: 802.11g – 2003, backward compatible, 54Mbps
5: 802.11n – MIMO, 150Mbps, 2.4-5GHz
6: 802.11ac – under development, 6.9Gbps, 8 MIMO streams, etc.

There are 6 modes of wifi:
1. Monitor
2. Master
3. Managed
4. Ad-hoc
5. Mesh
6. Repeater

The wireless modes your card supports (and the one it is currently running in) can be checked with the following command:

iw phy phy1 info

1. Master: This is the Access Point or Base Station. It is an embedded device with a proprietary OS or a slimmed-down Linux installation, set up to provide network access to clients.
2. Managed: Infrastructure mode. Devices in this mode are considered clients or stations and are the devices connected to an access point: your laptop, Nintendo, iPhone, etc.
To connect in managed mode:
iwconfig wlan0 mode managed
iwconfig wlan0 essid Hostelj (Hostelj is the access point name; yours may be different, I have used it for the sake of the example)
iwconfig wlan0 (check whether the card has associated with the access point)

3. Ad-hoc: Also known as peer-to-peer.
For the nodes of an ad-hoc network to communicate with each other, they must use the same ESSID:
iwconfig wlan0 channel 1 essid myadhocnetwork mode ad-hoc
(myadhocnetwork is the name of the network)
4. Mesh:
A mesh is a planned ad-hoc network.
Mesh networks, or mesh clouds, are made up of radios acting as routers, gateways and clients.
Mesh network nodes can communicate as long as there is a common communication channel.
For example, node A can talk to node C if they are both within range of node B. Likewise, if a node goes down, the mesh can heal itself by routing through other nodes in the network.

5. Repeater: In this mode the device connects to a wireless network and repeats its signal.

Wifi Frames
The following types of wireless frame exist:
1: Management Frames
a) Beacons: Beacon frames are like someone shouting "I am here" to announce their presence. Access points shout loudly into their vicinity, telling every client about their existence.
b) Probes: Probe frames come in two flavours, Probe Request and Probe Response. When a client needs some information about an access point it sends a probe request, and the access point replies with what we call a probe response. The probe response contains information about the access point such as the channel it uses, frequency, available bands, data rates, etc.
c) Authentication: Two types, request and response. The client sends an authentication request that contains some secret, and the AP replies accordingly with an authentication response.
d) Association: Once a client passes the authentication step it moves to the association step, in which it sends an association request and the AP replies with an association response. This is the way the AP allocates resources for the new client. Association frames have three types: 1: Association Request, 2: Association Response, 3: Disassociation.

2: Control Frames
RTS (Request to Send): the name clearly tells what these frames are meant for.
CTS (Clear to Send)
ACK (Acknowledgement)

3: Data Frames
The meat of the whole 802.11 protocol structure.
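As an added example (not code from the original post), here is a small Python decoder that classifies the frame types listed above from the 802.11 frame-control byte, reports which station transmitted a frame, and pulls the ESSID out of a beacon or probe response. The beacon it is run on is constructed inline; the AP name "Hostelj" and the BSSID are made-up sample values, not a real capture.

```python
import struct

# Frame control: protocol version in bits 0-1, type in bits 2-3, subtype in bits 4-7
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_NAMES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 4): "probe request", (0, 5): "probe response",
    (0, 8): "beacon", (0, 10): "disassociation",
    (0, 11): "authentication", (0, 12): "deauthentication",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "data", (2, 8): "QoS data",
}

def classify(frame):
    """Return (type name, subtype name) decoded from the first frame-control byte."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the 2-byte frame-control field")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    return (TYPE_NAMES.get(ftype, "reserved"),
            SUBTYPE_NAMES.get((ftype, subtype), f"subtype {subtype}"))

def transmitter(frame):
    """Address 2 of a management/data frame: the station that actually sent it."""
    return ":".join(f"{b:02x}" for b in frame[10:16])

def ssid_from_management(frame):
    """For beacons and probe responses, skip the 24-byte header and the 12 bytes of
    fixed fields (timestamp, interval, capability), then walk the tagged
    information elements until the SSID element (tag 0) is found."""
    if classify(frame)[1] not in ("beacon", "probe response"):
        return None
    pos = 24 + 12
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None  # truncated element: refuse to report a partial SSID
        if tag == 0:
            return value.decode("utf-8", errors="replace")
        pos += 2 + length
    return None

def build_beacon(ssid, bssid):
    """Constructed sample beacon (not a captured one): broadcast destination,
    BSSID as source, zero timestamp, 100 TU interval, SSID element only."""
    header = bytes([0x80, 0x00, 0x00, 0x00]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode()
```

Running classify over a monitor-mode capture is the quickest way to see the beacon/probe/authentication/association sequence described above in real traffic.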

That's all for part one. It may be a little boring to read all this theory, but believe me, if you really want to
hack something then you should know its basics clearly.
In the next part we will do some practicals to understand the importance of what we have just studied.

