KaliTut

Kali Linux tutorial and Linux system tips

Everything you need to know about wifi pentesting

Last Updated on by Leave a Comment

The use of wireless WiFi networks has now become very common. Many users think about the security of their networks and computers, sometimes they have questions, how to hack WiFi, how real is this threat?

wifi pentesting
wifi pentesting

In this article, I propose to ordinary users, perhaps far from the security audit questions of wireless WiFi networks, to look at their WiFi network through the eyes of a hacker, and even to wonder how to hack WiFi ?
Although the material is further described as simple as possible, we cannot do without concepts specific to the WiFi audit.

WiFi network terms

  • Access Point  abbreviated as AP , AP is the device that provides the WiFi network, Clients are connected to it. Most often access points are routers.
  • Client ( Station ) – a device that connects to the Access Point. Most often these are computers, laptops, cell phones, etc.
  • ESSID and SSID are the names of wireless WiFi networks – you see them when you choose which network to connect to. Strictly speaking, ESSID and SSID are not the same thing, but these terms are often used interchangeably in WiFi auditing. In the screenshot below, the ESSID (network names) are MiAl, wifi88, etc .:
  • BSSID is the MAC address of the wireless card. Example MAC address: 50: 46: 5D: 6E: 8C: 20.
  • Handshake  – data exchanged between the station and the access point at the time of the creation of WiFi connection. This data contains information that allows you to choose a password from the WiFi network.
  • Brute-force (also brute force ) – a method of attacking a password, which consists in enumerating all possible options for a password. It requires a lot of time and computing resources.
  • Dictionary brute force ( dictionary attack ) is a method of attacking a password, which consists in enumerating common password options. It has a good ratio of resources spent to the results obtained.
  • WiFi password brute force online – password guessing method, which consists in connecting to the Access Point with various candidates for passwords. Practically not used due to extremely low speed brute force.
  • Off-line WiFi password brute force – a password selection method that consists in capturing the Handshake and selecting a password that matches this handshake. This selection does not require connection to the Access Point and is performed many orders of magnitude faster than online busting. It can also be performed on the computing power of video cards, which increases the search speed by several orders of magnitude.
  • WPA and WPA2 – WiFi Protected Access Technology, has replaced the outdated WEP technology.
  • Wireless WiFi card (or wireless WiFi adapter ) – any network card that can connect to a WiFi network. In laptops and phones, they are embedded inside the case; in desktops, they usually represent an external device connected via USB.
  • Monitor mode ( Monitor Mode WiFi adapter ) – the property of some wireless cards receive data packets, which are designed not only for them but also for other wireless devices.

Network interface – name, symbol in Linux network cards / adapters.

A WiFi network channel is a conditional numerical designation of the frequency on which the Access Point is currently operating.

What do i need to hack a wifi network?

  • A computer on which to install Linux
  • Specialized software, for Linux it is free (i.e. distributed for free and its source code is open)
  • Wireless WiFi card that supports monitor mode. List of current maps.
  • The relevant knowledge and skills – this you will find in this article.

WiFi cards with monitor mode support are commercially available, their price corresponds to the prices of other wireless cards with similar characteristics. In my laptop, the integrated card turned out to support monitor mode — that is, this is not uncommon and anyone can get it.

As already mentioned, specialized software for auditing WiFi networks is distributed freely, by default it is present in specialized distributions, for example, in Kali Linux (refer to general information and installation instructions).

As you can see, all the components necessary for hacking WiFi are very affordable.
All further actions are performed in Kali Linux.

How to put wifi adapter in monitor mode

By default, wireless adapters are in “managed” mode. This mode allows you to connect to the Access Point as a regular Client.

Monitor mode (monitor) is designed to analyze WiFi networks. In this mode, the wireless card receives frames (they are also called frames) from any sources on the same channel.

Since we need to grab a handshake, which consists of data that the Station sends to the Access Point and the Access Point sends the Stations (that is, which are not intended for us at any stage), we need to transfer our WiFi card to monitor so that she is able to see this data and save it for further processing.

To enter commands to put the WiFi adapter into monitor mode, we need to know the name of the wireless interface. To do this, open the console and enter the command:

sudo iw dev
sudo iw dev

The name of the wireless interface is indicated in the line with the word Interface , i.e. in my case the name is wlan0 . Remember this value, because in the future we need it.

Monitor mode is not normal for the operating system, so some programs without demand silently put the WiFi adapter into a controlled mode. This can interfere with us, so the next two teams close the programs that may prevent us:

sudo systemctl stop NetworkManager
sudo airmon-ng check kill

Now, finally, we can put the wireless card into monitor mode. To do this, follow the sequence of commands

sudo ip link set INTERFACE down
sudo iw INTERFACE set monitor control
sudo ip link set INTERFACE up

replacing with the real name of your wireless interface (mine is wlan0 ):

sudo ip link set wlan0 down
sudo iw wlan0 set monitor control
sudo ip link set wlan0 up

It seems that nothing happened, but typing

ip link set wlan0 up

In it, the type monitor line says that our wireless card is in monitor mode.

What is handshake?

As already mentioned, a handshake is data that is transmitted in several stages between the Station and the Access Point at the moment when the Station is connected to the Access Point. This means that in order to capture a handshake, we need to switch to the channel on which the Access Point is operating, to listen to the radio signals and wait for the moment when the Station is connected to it. Since the wait can be delayed, a technique called Attack Deauthentication is applied, which consists in forcibly dropping the WiFi connection between the Access Point and the Station. Immediately after such a shutdown, the Station tries to connect again, and at this moment we seize a handshake.

Unfortunately, this method does not work if no one is connected to the Access Point.

Overview of WiFi networks

To attack a WiFi network, we need to know some of its characteristics. To get a list of all available networks within the range of WiFi access, run the following command:

sudo airodump-ng wlan0

Please note that if you have a different wireless interface name, then instead of wlan0 you need to enter this name.

The attack described is applicable only to networks with WPA2 or WPA protection — the vast majority of them.
A similar list of networks will be displayed:

airodump-ng wlan0

When you see the network in the list that you want to attack, then stop the program, to do this, press CTRL + c .
Suppose I am interested in a network with the ESSID (name) dlink . As you can see from the screenshot, its characteristics are: BSSID is 00: 1E: 58: C6: AC: FB, it uses WPA2, it works on the sixth channel. Also, the non-zero value of #Data (the captured data sent by this TD) suggests that one or more stations are connected to it.

To capture the handshake, use the following command:

sudo airodump-ng -c CHANNEL --bssid MAC_ADDRESS -w FILE INTERFACE

Where:

  • CHANNEL is the channel on which TD operates
  • MAC_ADDRESS is the BSSID of the attacked TD.
  • FILE – the name of the file where the handshake will be written
  • INTERFACE – the name of the wireless interface in monitor mode

For my data, the command looks like this:

sudo airodump-ng -c 6 --bssid 00:1E:58:C6:AC:FB -w capture wlan0

In the next screenshot, the TD we are interested in is again visible, and also the section with stations is now visible:

sudo airodump-ng

The section with stations was also present in the full list of TDs, but it went beyond the bottom edge of the screen, so I didn’t get the screenshot.

For the station, we can see in the BSSID field the value that corresponds to the BSSID of the Access Point, i.e. 00: 1E: 58: C6: AC: FB, this means that at the moment this Station is connected to the TD we are interested in. Now there are two options:

  1. wait until the Station disconnects and reconnects to the AP for natural reasons
  2. perform a deauthentication attack to speed up the process

Perform deauthentication attack

To perform deauthentication, without stopping recording traffic that was started in the previous step, open a new console window and enter the command like this:

sudo aireplay-ng -0 3 -a MAC_ADDRESS INTERFACE

In my case, the command looks like this:

sudo aireplay-ng -0 3 -a 00:1E:58:C6:AC:FB  wlan0

The program will display something like the following:

aireplay-ng
08:17:30  Waiting for beacon frame (BSSID: 00:1E:58:C6:AC:FB) on channel 6
NB: this attack is more effective when targeting
a connected wireless client (-c ).
08:17:30  Sending DeAuth to broadcast -- BSSID: [00:1E:58:C6:AC:FB]
08:17:30  Sending DeAuth to broadcast -- BSSID: [00:1E:58:C6:AC:FB]
08:17:31  Sending DeAuth to broadcast -- BSSID: [00:1E:58:C6:AC:FB]

And in the upper right corner of the screen to capture data, a new entry will appear:

capture handshake
WPA handshake: 00:1E:58:C6:AC:FB

It means that the handshake has been successfully captured.

WiFi password dictionary attack

Now we need to run the data lookup.
Prepare a dictionary: rockyou.txt Password dictionary

cp /usr/share/wordlists/rockyou.txt.gz .
gunzip rockyou.txt.gz
cat rockyou.txt | sort | uniq | pw-inspector -m 8 -M 63 > newrockyou.txt

The dictionary file in this case is called newrockyou.txt . To find out the name of the captured handshake, run the following command:

ls -l capture*

At the same time, something like the following will be displayed (there may be more records if you repeatedly grabbed handshakes):

-rw-r--r-- 1 root root 73164 сен 30 08:24 capture-01.cap
-rw-r--r-- 1 root root   478 сен 30 08:24 capture-01.csv
-rw-r--r-- 1 root root   583 сен 30 08:24 capture-01.kismet.csv
-rw-r--r-- 1 root root  2766 сен 30 08:24 capture-01.kismet.netxml

We are only interested in the file capture-01.cap – it contains the handshake. The dictionary uses the following command:

aircrack-ng -w newrockyou.txt capture-01.cap

This command starts password guessing, the following window is displayed during the search:

aircrack-ng

Password matched:

aircrack-ng

This is what the KEY FOUND entry says ! [pattayateam] , in which the password from the WiFi network is pattayateam. Using this password, you can connect to a wireless access point from any device (computer, phone) as other legitimate users do.

Conclusion
As you can see, hacking WiFi is not extremely difficult, although it requires knowledge of some Linux commands. It shows only one example of the many variations of attacks on WiFi

Leave a Reply

Your email address will not be published. Required fields are marked *