Full Report
Fern Wifi Cracker is a wireless security auditing and attack software program written using the Python programming language and the Python Qt GUI library. The program is able to crack and recover WEP/WPA/WPS keys and also run other network-based attacks on wireless or Ethernet-based networks. The software runs on any Linux machine with […]
Analysis Summary
# Tool/Technique: Fern Wifi Cracker
## Overview
Fern Wifi Cracker is a Python-based wireless security auditing and attack software program that utilizes the Python Qt GUI library. Its primary purpose is to aid in penetration testing and security auditing of wireless networks by cracking and recovering WEP, WPA, and WPS keys, as well as performing other network-based attacks on both wireless and Ethernet networks.
## Technical Details
- Type: Attack Tool (Wireless Security Auditing)
- Platform: Linux (Tested on Ubuntu KDE/Gnome, BackTrack Linux, BackBox Linux)
- Capabilities: WEP/WPA/WPS key cracking, network attack execution, session hijacking, geo-location tracking, internal MITM engine, brute-force attacks.
- First Seen: Information not explicitly provided in the context, but the article is dated December 13, 2016.
## MITRE ATT&CK Mapping
As an auditing and exploitation tool primarily focused on gaining access to networks, the associated techniques fall under Reconnaissance, Discovery, Credential Access, and Initial Access.
- **T1046 - Network Service Discovery** (formerly named "Network Service Scanning")
- **T1595 - Active Scanning** (if used externally by an attacker to find entry points)
  - T1595.001 - Scanning IP Blocks
- **T1078 - Valid Accounts** (the implied goal of cracking keys is to gain access)
  - T1078.003 - Local Accounts (gaining access to local devices post-compromise)
- **T1557 - Adversary-in-the-Middle** (formerly named "Man-in-the-Middle")
  - T1557.002 - ARP Cache Poisoning (implied by the session hijacking and internal MITM engine capabilities)
## Functionality
### Core Capabilities
- **WEP Cracking:** Supports various methods including Fragmentation, Chop-Chop, Caffe-Latte, Hirte, and ARP Request Replay, as well as WPS-based attacks.
- **WPA/WPA2 Cracking:** Supports Dictionary-based or WPS-based attacks.
- **Session Hijacking:** Capable of performing session hijacking in both Passive and Ethernet modes.
- **Key Management:** Automatically saves recovered keys to an internal database upon successful crack.
### Advanced Features
- **Automatic Access Point Attack System:** Suggests automated or iterative attack sequencing.
- **MAC Address Geo-Location Tracking:** Determines the physical location of the target Access Point (AP).
- **Internal MITM Engine:** Implies the tool can actively facilitate Man-in-the-Middle operations within the network segment it controls or monitors.
- **Bruteforce Attacks:** Can execute brute-force attacks against common services like HTTP, HTTPS, TELNET, and FTP.
## Indicators of Compromise
*Indicators listed below are related to the deployment/execution of the tool, not necessarily persistent malware artifacts.*
- File Hashes: Not provided in the context. (Download link suggests `fern-wifi-cracker-v2.4.zip`)
- File Names: `fern-wifi-cracker-v2.4.zip`
- Registry Keys: Not applicable (Linux tool).
- Network Indicators: Not explicitly listed, but the tool's activity would involve injecting crafted 802.11 management frames (e.g., deauthentication frames), repeated WPS PIN attempts against access points, and dictionary attempts against captured WPA handshakes.
- Behavioral Indicators: Execution depends on Linux tools such as `Aircrack-NG`, `Reaver`, and `Macchanger`, so their presence or invocation on a host is a signal; high volumes of ARP, deauthentication, or association requests during attacks.
## Associated Threat Actors
The article describes Fern Wifi Cracker as a "Wireless security auditing and attack software," typically associated with **Penetration Testers** and **Ethical Hackers**. No specific malicious threat actor groups are named in the context.
## Detection Methods
- Signature-based detection: Signatures for the binary executables (if compiled) or known dependency files/scripts related to Fern.
- Behavioral detection: Detection of processes that use low-level wireless injection interfaces (e.g., monitor-mode activity characteristic of the `Aircrack-NG` dependencies) and high-frequency password guessing against the HTTP, HTTPS, TELNET, and FTP services targeted by the brute-force module.
- YARA rules: Could be written to detect specific Python script structures or embedded strings referencing WEP, WPA, or WPS cracking routines.
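The behavioral indicators above (injected deauthentication frames, bursts of association requests) can be checked on the wireless side rather than on the attacker's host. The following is an added example, not code from the original page or from the Fern project: it parses a constructed log of 802.11 management-frame events in a hypothetical `timestamp subtype src dst` format (any monitor-mode capture export or wireless IDS log can be mapped to it) and flags any source MAC that emits more than a threshold of frames of a given subtype inside a sliding one-second window. The same function covers deauthentication storms and association-request floods by changing the `subtype` argument.

```python
"""Flag deauthentication storms and association floods in 802.11 frame logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_sample():
    """Build constructed sample log lines (made up for this example, not from
    the original page).  One event per line:
        <ISO-8601 timestamp> <frame subtype> <source MAC> <destination MAC>
    A normal AP beacons every ~100 ms and sends the occasional deauth; an
    injected storm sends dozens of broadcast deauths in well under a second."""
    base = datetime(2016, 12, 13, 10, 0, 0)
    lines = []
    # Legitimate AP aa:bb:cc:00:00:01: 30 beacons over 3 s plus one lone deauth.
    for i in range(30):
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat(timespec='milliseconds')} beacon "
                     f"aa:bb:cc:00:00:01 ff:ff:ff:ff:ff:ff")
    t = base + timedelta(seconds=1)
    lines.append(f"{t.isoformat(timespec='milliseconds')} deauth "
                 f"aa:bb:cc:00:00:01 11:22:33:44:55:66")
    # Injected storm spoofing BSSID aa:bb:cc:00:00:02: 25 broadcast deauths in 0.5 s.
    for i in range(25):
        t = base + timedelta(seconds=2, milliseconds=20 * i)
        lines.append(f"{t.isoformat(timespec='milliseconds')} deauth "
                     f"aa:bb:cc:00:00:02 ff:ff:ff:ff:ff:ff")
    return "\n".join(lines)


def parse_line(line):
    """Parse one log line into (timestamp, subtype, src, dst)."""
    ts, subtype, src, dst = line.split()
    return datetime.fromisoformat(ts), subtype.lower(), src.lower(), dst.lower()


def detect_bursts(log_text, subtype="deauth", threshold=10,
                  window=timedelta(seconds=1)):
    """Return {source MAC: peak count} for every source that sent more than
    `threshold` frames of `subtype` within any sliding window of `window`.

    Events are sorted by time first so an out-of-order export still works.
    A deque per source holds only the timestamps inside the current window."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, st, src, _dst in events:
        if st != subtype:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}


if __name__ == "__main__":
    sample = constructed_sample()
    for src, n in detect_bursts(sample).items():
        print(f"ALERT deauth burst from {src}: {n} frames within 1 s")
    if not detect_bursts(sample, subtype="assoc-req"):
        print("no association-request flood in sample")
```

The threshold is deliberately a parameter: a busy AP legitimately deauthenticates idle clients now and then, so the rule should fire on rate, not on the mere presence of deauth frames, and a site should tune the value against its own baseline before alerting on it.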
## Mitigation Strategies
- Prevention measures: Restricting the use and installation of unauthorized auditing tools on production systems.
- Hardening recommendations:
1. Disable WPS on all wireless access points.
2. Utilize WPA3 encryption where available.
3. Enforce strong, long, complex passwords for WPA/WPA2 networks (mitigates dictionary attacks).
4. Physically secure network infrastructure access points.
5. Regularly update dependent packages (Python, Scapy, etc.).
## Related Tools/Techniques
- Infernal Twin – Automated Wireless Hacking Suite
- FruityWifi – Wireless Network Auditing Tool
- wifite – Mass Wifi WEP/WPA Key Cracking Tool
- Kismet – Wireless Network Hacking, Sniffing & Monitoring
- **Dependencies/Companion Tools:** Aircrack-NG, Reaver, Macchanger.