
Solution to Break Wi-Fi

Penetration testing

11/2/2023

[Author name]
[company name]
1.1 Password crack

1.1.1 Introduction
We will carry out a password crack on the drone's Wi-Fi network, which uses the WPA2
security protocol. This is accomplished by deauthenticating a user from the drone's
network. After being deauthenticated, the user will attempt to re-authenticate, at which
point the attacker listens and captures the hashed WPA key that forms part of the
handshake. The password can then be recovered by hashing dictionary entries and
comparing them against the captured WPA key. A list of compromised passwords used in a
password-cracking attack is known as a password dictionary.
The Tello app allows the user to set a password for the drone, although there is no
pre-set one. To reflect a real-world use case, a password taken from the password
dictionary used in this attack was set on the network. A wireless network adapter with
monitor mode enabled and the Aircrack-ng suite of tools from Kali Linux were used in
this attack.
Objectives:
The main objective of this research is to demonstrate an ethical (authorized) crack of
any type of Wi-Fi security.
Gantt Chart

1.1.2 Background

The Aircrack-ng suite of tools can be used for a variety of purposes, including
monitoring nearby Wi-Fi networks, when paired with a network adapter that supports
monitor mode. It can read and record the BSSIDs, which are the MAC addresses, of
wireless access points within range of the wireless network adapter. With a network's
BSSID known, several Aircrack-ng commands can be used to attack that network. When a
client attempts to connect to the network, a WPA four-way handshake is initiated, and
the hashed WPA key is part of that handshake.

1.1.3 Method

In order to control the drone, an Android phone (Huawei P20 Pro) was connected to the
drone's wireless network using the Tello app. A network password had to be set in order
to simulate the attack; it was set to contain the word "password." The following
commands were issued to carry out the attack.
-- New terminal window --

ifconfig
This command lists the network interfaces, including the wireless network adapter, wlan0.

airmon-ng check kill
This stops all running processes that are using the Wi-Fi interface.

airmon-ng start wlan0
This puts wlan0 into monitor mode (the monitor interface appears as wlan0mon).

airodump-ng wlan0mon
This shows all Wi-Fi networks in range and reveals the target network's BSSID. The
encryption standard of the network is also visible; in this case it is WPA2.

Figure 1: NETWORK SCAN

airodump-ng -c Y --bssid XX:XX:XX:XX:XX:XX -w /home wlan0mon
Figure 2 shows the clients connected to the target network, which is selected by its
BSSID and channel (Y). The -w flag specifies where the capture file is written. The WPA
handshake will be included in the capture file.

Figure 2: FILTERED NETWORK SCAN

aireplay-ng -0 10 -a XX:XX:XX:XX:XX:XX wlan0mon

Figure 3 shows how this command injects ten deauthentication packets at the target access
point, forcing the client to disconnect. When the client reconnects to the network it
performs the WPA handshake again; the handshake is recorded and saved for later use.

Figure 3: FILTERED NETWORK SCAN

We obtain the capture file shortly thereafter. Opening it in Wireshark lets us examine
the packets exchanged between the client and the network, i.e. the phone and the drone.
Applying the filter eapol (Extensible Authentication Protocol over LAN) isolates the WPA
handshake, as depicted in Figure 4.

Figure 4: WPA HANDSHAKE

For closer inspection, the hashed WPA key is visible in the Authentication section.

Figure 5: WPA key

aircrack-ng -a2 -b XX:XX:XX:XX:XX:XX -w 'DICTIONARY PATH' 'CAPTURED FILE'

This command cracks the password "offline" once the handshake has been captured. The
-a2 parameter tells aircrack-ng that the target network uses WPA/WPA2-PSK, the -b
parameter specifies the BSSID, and -w gives the rockyou.txt password dictionary, which
is included in Kali Linux, followed by the path to the captured file. Figure 6 on the
following page shows the command's outcome.

Figure 6: SUCCESSFUL PASSWORD CRACK
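The deauthentication step above is also the most visible part of the attack from the defender's side: ten deauthentication frames from one transmitter inside a second is not normal behaviour for an access point. The following Python is an added example, not code from the report, showing how a monitor-mode capture can be scanned for such bursts. It parses the fixed 802.11 MAC header (frame control, receiver, transmitter, BSSID, reason code) and counts deauthentication frames per transmitter in a sliding window. All frames and MAC addresses are constructed sample data, and the threshold and window length are assumptions chosen for the example.

```python
"""Detect a deauthentication burst in captured 802.11 management frames.

Added example for this report, not part of the original write-up: it parses
the fixed 802.11 MAC header of each frame, counts deauthentication frames per
transmitter address inside a sliding window, and reports when the count
reaches a threshold. All frame bytes and MAC addresses below are constructed
sample data; the threshold and window size are assumptions for the example.
"""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0          # 802.11 frame type: management
DEAUTH_SUBTYPE = 12    # management subtype: deauthentication
BEACON_SUBTYPE = 8     # management subtype: beacon (normal AP traffic)


def parse_mgmt_frame(frame: bytes):
    """Return (type, subtype, addr1, addr2, addr3, reason) for one frame.

    addr1 is the receiver, addr2 the transmitter, addr3 the BSSID. `reason`
    is the deauthentication reason code, or None for other frames. Frames
    shorter than the 24-byte MAC header are rejected (None).
    """
    if len(frame) < 24:
        return None
    fc = frame[0]                     # frame control, low byte
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    addr1, addr2, addr3 = (frame[i:i + 6].hex(":") for i in (4, 10, 16))
    reason = None
    if ftype == MGMT_TYPE and subtype == DEAUTH_SUBTYPE and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return ftype, subtype, addr1, addr2, addr3, reason


def detect_deauth_bursts(frames, threshold=5, window=1.0):
    """Scan (timestamp, frame) pairs; return one alert line for every frame at
    or above `threshold` deauth frames from the same transmitter within
    `window` seconds (a production detector would debounce these)."""
    recent = defaultdict(deque)       # transmitter -> timestamps in window
    alerts = []
    for ts, frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        ftype, subtype, _rx, tx, bssid, reason = parsed
        if ftype != MGMT_TYPE or subtype != DEAUTH_SUBTYPE:
            continue
        q = recent[tx]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append(f"t={ts:.1f}s deauth burst from {tx} on BSSID {bssid}: "
                          f"{len(q)} frames in {window}s (reason code {reason})")
    return alerts


# --- constructed sample frames (not real captures) ---------------------------
def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def sample_frame(subtype, rx, tx, bssid, reason=None):
    """Build a minimal management frame (header + optional reason code)."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    body = struct.pack("<H", reason) if reason is not None else b""
    return fc + b"\x00\x00" + _mac(rx) + _mac(tx) + _mac(bssid) + b"\x00\x00" + body


AP = "02:00:00:00:00:01"       # placeholder access point (drone) address
PHONE = "02:00:00:00:00:02"    # placeholder client address
BROADCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_CAPTURE = (
    # normal beacons from the AP, one every 100 ms
    [(t / 10, sample_frame(BEACON_SUBTYPE, BROADCAST, AP, AP)) for t in range(10)]
    # ten deauth frames within one second, sent in the AP's name to the client
    + [(5.0 + i / 10, sample_frame(DEAUTH_SUBTYPE, PHONE, AP, AP, reason=7))
       for i in range(10)]
    # one legitimate deauth much later (client leaving the network)
    + [(60.0, sample_frame(DEAUTH_SUBTYPE, AP, PHONE, AP, reason=3))]
)

if __name__ == "__main__":
    for line in detect_deauth_bursts(SAMPLE_CAPTURE):
        print(line)
```

On the constructed capture the detector stays silent through the beacons and the single later deauthentication, and fires from the fifth frame of the burst onward. On a real capture the `frames` iterable would come from a pcap reader; the frame bytes passed in must start at the 802.11 header, so any radiotap header has to be stripped first.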

1.1.4 Results

This penetration test was successful, as shown in Figure 6. The attacker now has access
to both the network and the drone because the password for the wireless network was
broken.

1.1.5 Discussion

This attack can be applied to other networks, since it can break Wi-Fi passwords on
networks using WEP, WPA, and WPA2, the most prevalent wireless network protocols. This
kind of attack, also known as an offline brute-force attack, works against WPA and WPA2
with a pre-shared key (PSK). The attacker can carry out the password-cracking part of
the attack using only the captured (encrypted) handshake traffic, without any further
interaction with the network. Avoiding passwords that are short or can be guessed in a
reasonable amount of time is the only real way to protect WPA2 from this kind of attack.
WPA3-Personal, which replaces the PSK of WPA2-Personal with Simultaneous Authentication
of Equals (SAE), is another option; in theory, offline dictionary attacks like this one
should not be able to break SAE. Once the password is cracked and the attacker is
connected to the network, a number of further attacks that require the attacker to be on
the network, such as a denial of service attack or an ARP spoofing attack, can be
launched.

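The reason passphrase choice is the only WPA2 defence is visible in how the key is derived: each dictionary candidate has to be run through PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, which is the work factor an offline attack pays per guess, and nothing else in the protocol limits the attacker. The following Python is an added example, not code from the report, that computes the WPA2-PSK Pairwise Master Key as specified, measures that per-guess cost, and applies a simple passphrase policy a network owner can run before configuring the drone. The weak-password list, the SSID, the guess rate and the minimum length are constructed placeholders and assumptions for the example; rockyou.txt's size is given only as an approximate figure.

```python
"""WPA2-Personal work factor: what each dictionary guess costs, and a
passphrase audit a network owner can run before setting a drone password.

Added example, not from the original report. The PMK derivation follows the
WPA/WPA2-PSK specification (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations,
32-byte key); the weak-password list and SSID below are constructed
placeholders, and the guess rate and minimum length are assumptions.
"""
import hashlib
import math
import time

PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key derived from a WPA2-PSK passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def measure_guess_rate(ssid: str, samples: int = 50) -> float:
    """Rough single-core PBKDF2 rate on this machine (derivations/second):
    the cost an offline dictionary attack pays for every candidate."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate{i}", ssid)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(n_candidates: int, guesses_per_second: float) -> float:
    """Time needed to try every candidate at the given rate."""
    return n_candidates / guesses_per_second


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random passphrase of `length` symbols."""
    return length * math.log2(alphabet_size)


# Constructed stand-in for a breached-password list such as rockyou.txt.
WEAK_PASSPHRASES = frozenset(
    ["password", "password1", "12345678", "qwertyuiop", "iloveyou"])


def audit_passphrase(passphrase: str, weak_list=WEAK_PASSPHRASES, min_len: int = 16):
    """Return the policy findings for a passphrase; an empty list means it
    passes. Checks: known-breached, too short, and single lowercase word."""
    findings = []
    if passphrase in weak_list:
        findings.append("appears in a breached-password list")
    if len(passphrase) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if passphrase.isalpha() and passphrase.islower():
        findings.append("single lowercase word; vulnerable to a dictionary attack")
    return findings


if __name__ == "__main__":
    ssid = "EXAMPLE-SSID"                       # placeholder, not the drone's SSID
    rate = measure_guess_rate(ssid)
    rockyou_approx = 14_300_000                 # approximate line count of rockyou.txt
    print(f"PBKDF2 rate on one core: {rate:,.0f} guesses/s")
    print(f"rockyou.txt exhausted in ~{seconds_to_exhaust(rockyou_approx, rate):,.0f} s")
    print(f"16 random alphanumerics: {keyspace_bits(62, 16):.1f} bits, "
          f"~{seconds_to_exhaust(62 ** 16, rate):.2e} s at the same rate")
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: {audit_passphrase(candidate) or 'ok'}")
```

The derivation is checked against the published WPA test vector (passphrase "password", SSID "IEEE"), which also makes the point of the Discussion concrete: the attack in the Method section succeeded because the passphrase was in the dictionary, not because of any weakness in PBKDF2, and a long random passphrase pushes the same attack from seconds into a keyspace no dictionary covers.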
1.2 Denial of service attack

1.2.1 Method

• The exploit simulated a scenario in which a user controls a drone with their phone.
Because the port is open between the drone and the attacker, who is already on the
network, the tool can flood port 9999 on the target 192.168.10.1.

• The hping3 command was used with the following flags.

• -c 15000 specifies the number of packets to send before stopping.

• -d 120 sets the size of each packet in bytes. -S sends SYN packets; the SYN/ACK
replies from the drone are ignored.

• -w 64 sets the TCP window size, 64 being the default.

• --flood sends the packets as quickly as possible without displaying incoming replies.

• --rand-source lets hping3 send packets from spoofed (random) source IP addresses.
With these flags set, the attack can be launched.

Figure 9: hping3 DoS command
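The --rand-source flag is what makes this flood hard to filter: every SYN appears to come from a different address, so a per-source rate limit on the drone's network never sees a repeat offender. The following Python is an added example, not code from the report, that classifies constructed flow records for the drone's control port into normal traffic, a single-source flood and a spoofed-source flood, showing that only the aggregate SYN count per destination port (together with the number of distinct sources) reveals the latter. The destination 192.168.10.1:9999 is the one named above; the controller address, window length and thresholds are assumptions for the example.

```python
"""Tell a spoofed-source SYN flood apart from normal controller traffic.

Added example, not from the original report. The flow records are
constructed; the destination 192.168.10.1:9999 is the drone control port
named in the report, everything else (controller address, thresholds,
window) is an assumption for the example. A per-source rate limit is blind
to --rand-source traffic because each spoofed address is seen once; the
aggregate SYN count and distinct-source count per port expose it.
"""
import ipaddress
import random
from collections import Counter, defaultdict

DRONE = "192.168.10.1"
CONTROL_PORT = 9999
CONTROLLER = "192.168.10.2"   # assumed phone address

# A flow record is (timestamp, src, dst, dport, tcp_flags) with flags as
# hping3/tcpdump letters: "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" PSH/ACK.


def syn_buckets(records, window=1.0):
    """Count SYN-only segments per (dst, dport, window index) and per source."""
    buckets = defaultdict(Counter)
    for ts, src, dst, dport, flags in records:
        if flags != "S":           # only connection attempts, not replies or data
            continue
        buckets[(dst, dport, int(ts // window))][src] += 1
    return buckets


def classify(records, window=1.0, per_source_max=20, aggregate_max=200):
    """Return {(dst, dport, window_idx): (verdict, total, distinct, max_per_source)}."""
    verdicts = {}
    for key, per_src in syn_buckets(records, window).items():
        total = sum(per_src.values())
        worst = max(per_src.values())
        if total <= aggregate_max and worst <= per_source_max:
            verdict = "normal"
        elif worst > per_source_max:
            verdict = "single-source SYN flood"
        else:
            # aggregate over limit but no single source over limit:
            # a per-source limiter alone would let this through
            verdict = "spoofed-source SYN flood"
        verdicts[key] = (verdict, total, len(per_src), worst)
    return verdicts


def verdict_for(records, window=1.0):
    """Verdict for the drone control port in the first window."""
    return classify(records, window)[(DRONE, CONTROL_PORT, 0)][0]


# --- constructed traffic samples ---------------------------------------------
def normal_session():
    """Controller opens the control connection and then streams data."""
    recs = [(0.00, CONTROLLER, DRONE, CONTROL_PORT, "S"),
            (0.01, DRONE, CONTROLLER, 51000, "SA"),
            (0.02, CONTROLLER, DRONE, CONTROL_PORT, "A")]
    recs += [(0.1 * i, CONTROLLER, DRONE, CONTROL_PORT, "PA") for i in range(1, 10)]
    return recs


def rand_source_flood(count, seed=7):
    """What --rand-source --flood looks like on the wire: SYN-only segments,
    each from a different random IPv4 address, tightly spaced."""
    rng = random.Random(seed)
    return [(0.0002 * i, str(ipaddress.IPv4Address(rng.getrandbits(32))),
             DRONE, CONTROL_PORT, "S") for i in range(count)]


def single_source_flood(count, src="192.168.10.50"):
    """The same flood without source spoofing."""
    return [(0.0002 * i, src, DRONE, CONTROL_PORT, "S") for i in range(count)]


if __name__ == "__main__":
    for name, recs in (("normal", normal_session()),
                       ("single-source", single_source_flood(300)),
                       ("rand-source", rand_source_flood(1000))):
        verdict, total, distinct, worst = classify(recs)[(DRONE, CONTROL_PORT, 0)]
        print(f"{name:14s} syn={total:5d} sources={distinct:5d} "
              f"max/source={worst:4d} -> {verdict}")
```

The single-source case trips the per-source threshold and the spoofed case does not, even though it carries more SYNs; a filter placed on the Wi-Fi network for the drone therefore has to act on the per-port aggregate (or on SYN-without-completion ratios), since a private 192.168.10.0/24 segment should never legitimately see hundreds of distinct source addresses in a second.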

1.2.2 Results

The denial of service attack was successful. After the hping3 command had run for a few
seconds, the user lost control of the drone and the video stream. The drone did not
initiate an emergency landing protocol, so it had to be deactivated manually while it
was in the air.

1.2.3 Conclusion

The attack was successful both when the user was controlling the drone and when it was
stationary on the ground. It is reasonable to assume that a similar attack would work on
other drones that connect to their controllers via Wi-Fi. The attack was very
straightforward: a single hping3 command with a specified port and IP address was all
that was required.
