From the Archive of 2015: Wireless Network Hacking: Fuzzing, Aircrack and more!
Let’s talk about hacking.
In this article, I am going to discuss the introductory methodology behind penetration testing a wireless network, utilizing Kali Linux. I am also going to discuss the concept of fuzzing, and other methods that can be utilized to introduce you to wireless network security.
Wireless networking is a technology that is still in its infancy; and never has this technology been more vulnerable to penetration testing than it currently is today. The current IEEE 802.11 wireless LAN technology that we utilize allows attackers (and information security specialists) to proceed with a myriad of methods and tools that can be utilized against the technology to gain unauthorized access to the wireless network. With the level of ease, and the tools that are readily available, attacking a wireless network can be performed by just about anyone with an above-average understanding of networking and information technology. It is for that reason alone that we must properly configure and prepare our networks against attacks of this nature.
However, before we get into that, we need to cover some highly important ground rules.
This website covers many different topics related to information security, ethical hacking and intelligence gathering. Often times, the articles within this website will utilize common penetration tools that are readily available to the public. However, this does not mean that the tools are legal to use in a majority of the given scenarios. Utilizing any of the articles, tutorials or methodology within this website on a system that you do not have permission to penetration test against is illegal. If you choose to utilize this information maliciously – you are on your own. I, nor anyone else associated with this website, will be liable or held responsible for any of the illegal decisions you decide to make, utilizing the methodology and tools that are described within the articles on this website.
To get started, we need to make a few foolish assumptions about you.
- You are comfortable, and possibly even familiar, with basic networking and computer usage (including Linux.)
- You have a successful installation of Kali Linux.
- You have a wireless NIC/adapter that is capable of monitor mode (and injections.)
- You have some familiarity with, or the willingness to learn, python.
- You have obtained written permission to utilize these methods on the network you are using, or you are the direct owner of the network.
- You have some basic understanding of what exploits are, and how to develop, or in the very least, how to work with, them.
- You have a basic understanding of the debugging process.
Now, let’s go take some looks at different approaches to wireless network security.
When it comes to wireless penetration testing and wireless network auditing, one of the most important things that you can do for yourself, and the success of your future testing, is ensure that you have developed a strong, robust platform in which you will be initiating your attacks from. Now, this can be a simple process – however, it can be complicated by user errors, as well. For this foundation, the axiological operating system can be whatever you are most comfortable with. On a personal level, I prefer to utilize Fedora, as my go-to platform for this type of thing.
Whatever you pick, make sure that the first thing you do is to update the kernel of your platform; make sure that everything is up to date before proceeding. I am going to make another assumption, and assume that you can do that without direct assistance from me. For the point of this article, I have suggested (and assumed) that your primary platform will be Kali Linux. You’re welcome to use any other operating system, however, you do so only knowing that you’ll have to substitute any instructions I give here for Kali (a Debian-based distribution) into whatever is necessary for your operating system.
Now that you have an understanding of your foundation, let’s take a look at a technique known as fuzzing.
If network fuzzing is the technique you plan on utilizing, building the proper environment will be necessary. In this section, we will look at some of the things you will need to do for the fuzzing process. Before we do, though, let’s quickly look at what fuzzing actually is, shall we?
Fuzzing: Contextually speaking, fuzzing is the act of injecting every possible combination of malformed data into a device or service, and then monitoring that device or service for unusual results.
Now, if you look at that definition, you can see why that would be useful. For instance, if the system responds in an unusual way, such as crashing, you can utilize further tools (such as packet analysis tools) to determine what went wrong and where it went wrong, and will have then discovered that the device or service may be vulnerable to that type of an attack, through further research.
As I mentioned earlier, configuring the proper environment for auditing is necessary for most wireless attacks; this is especially true for fuzzing attacks. The first thing you’re going to need are a few common dependencies; you can use yum or apt-get, depending on what your platform is. Some things you’ll want to pick up, if you don’t already have them, will be: libpcap-dev, libnl-dev and python-dev.
Now, one common configuration to use for fuzzing would be Python and Scapy. This will allow for TCP fuzzing. Scapy, as you might assume, is a Python module. Similar to LORCON from nearly a decade ago, Scapy will allow you to craft wireless packets effortlessly, to inject into the host. If you have been working with networking any at all, you’ll know that what we’re doing here is, essentially, attempting to create a three way handshake.
To begin the exercise of fuzzing, you will start with crafting your SYN packet with Scapy. So, go ahead and start Python, import Scapy and begin crafting your SYN packet. Now, using Scapy, you can realistically craft just about any kind of wireless packet that you could possibly imagine. You could, for instance, craft a packet that looked similar to:
tcp_syn=IP(src=”Source IPA Here”, dst=”Target IPA Here.”)/TCP(dport=80, flags=”S”, seq=20000)
Then, just transmit your SYN packets, however you designed them, and capture the SYN/ACK from your target. It’s really that easy. After that, all you have to do is calculate the final ACK and transmit the acknowledgement.
Now, it’s important to understand that in doing this, you will have to track the SYN and ACK numbers yourself, and, further, increment them accordingly. Also, because you are transmitting crafted packets, the TCP stack on the target computer will send RESETS; as such, you’ll have to create additional IPTable rules to block these resets. That will prevent the RESETS from the real TCP stack from affecting your connections.
Next, we’re going to look at Aircrack-ng. Another simple method that can be utilized to crack open a wireless network. Now, this method is a bit more straight forward than fuzzing; but, fuzzing is also a whole lot more fun than this method, too. For those of you not familiar with Kali, Kali is a penetration testing platform. It has a lot of different tools, so I would encourage you to get familiar with each one of them, in the future. You may recall my previous OSINT article discussing tools such as The Harvester and Metagoofil. Those are both found on Kali; albeit, they can also be installed on other distributions as well. One of its most notable features, though, is its ability to penetrate wireless networks. And it has tons of tools that you can use to do that with. This method is, as stated, going to use the aircrack suite, and a password dictionary. I assume you already have one, or know how to find one online, if you do not.
At the start of this article, I made a list of assumptions. One final assumption I am going to make, now, is that you are a patient person and you have plenty of time on your hands. We’re all adults here, right? We know that hacking is not like its portrayed in Hollywood. It isn’t fast (most of the time), and it takes time and preparation. And more so than that, sometimes it just doesn’t work the first time, at all. And that is the fun in it; finding out what went wrong and continuing to try to make it work. So, let’s take a look at some steps that you are going to need to perform to utilize Aircrack-ng.
- Go ahead and boot up Kali.
- Log in. If you know how to sudo, good – else, log in as root.
- By this point, I assume that your NIC supports monitor mode and injections. If not, plug in an adapter that does.
- If you’re connected to any wireless networks, disconnect.
- Open up your terminal and type: airmon-ng.
At this point, we have currently requested a terminal output to demonstrate whether or not we have a card that is capable of entering monitor mode. If, after running airmon-ng in your terminal, you do not see your wireless card listed under Interface/Chipset/Driver, quit now until you can obtain a card that is capable of monitor mode and packet injections.
Monitoring a specific target:
- Type: airmon-ng start INTERFACEWhere I have INTERFACE, put in the interface for your card. In most cases, this will be wlan0, however, refer to the output from airmon-ng to determine the interface for your card. If you are successful in this step, you will see: (monitor mode enabled on newMonInterface). The new monitor interface is usually mon0 but may be different for you.
- Type: airodump-ng newMonInterface. Where newMonInterface is the new monitor mode interface that was created in the last step. This will usually be mon0, but may be different for you, so take note of that.
- At this point, Airodump will output an entire list of all of the networks in your area, including your own wireless network. It will list the ESSID, Authentication type and more. Find the ESSID for the network that you have written permission to penetrate (or your own network), and take note of everything in that line. If you want, screenshot this area or copy and paste the entire line.
- Now, copy the BSSID of your target network.
- Next, type the following command: airodump-ng –c xChannel –bssid xBSSID –w /root/Desktop/ xMonInterface.Before you hit enter: Let’s look at some of what is above. First off, invoking airodump-ng with the following arguments: -c, -BSSID, and -w. Where I have xChannel put the channel that was listed in the airodump-ng list that you generated earlier, for your target. That’s why I said to take a screenshot, not clear the terminal or copy it all somewhere else. Also, where I have xBSSID, put your target’s BSSID. And where I have xMonInterface, replace that with your monitor mode interface.
- If you’ve built your command correctly, it should look similar to: airodump-ng –c 7 –bssid xx:xx:xx:xx:xx:xx –w /root/Desktop/ mon0. If you haven’t already done so, go ahead and press enter if your command is built correctly.
At this point, what we have told airodump to monitor only the target network, instead of all of the surrounding networks. This will allow it to capture specific packets, in a more in-depth manner. What we’re waiting for, specifically, is a device to either connect to the network or reconnect to the network. Now, there are ways we could force currently connected devices to reconnect to the network. Remember how I said you need to have patience? Yeah, well… we’re not going to wait around all day. So, let’s go ahead and force some handshakes to happen. What we’re actually going to do is use another fun tool, which is also part of the aircrack security suite, to send devices on that network some de-authentication packets, and trick it into re-authenticating with the network. However, before we can do that, we have to have at least one active client show up in the list. So wait for that single client if you have to, and then we’ll be ready to move on to the next target.
- Open a new Terminal, but do not close the airodump-ng terminal you currently have running.
- Type: aireplay-ng –0 2 –a targetRouterBSSID –c targetClientBSSID monitorModeInterface
Before you press enter: Let’s take a look at the above command and the arguments. First, we begin by invoking aireplay-ng, and giving it the argument -0. This simply tells it that we’re going to be setting it to de-authentication mode. Then we give it 2, which is the number of de-authentication packets we want to send to the client on the target network. Next, we give it -a, followed by the target’s router BSSID collected earlier. And we give it -c followed by the target’s client BSSID which we had to wait for, just two steps ago. Lastly, we indicate the the monitor mode interface that we are using. This is the same interface we have been using, for example: mon0.
- If you built your command right, it should look something like the following: aireplay-ng –0 2 –a xx:xx:xx:xx:xx:xx –c xx:xx:xx:xx:xx:xx mon0. Go ahead and hit enter if you have not already done so, if your command looks similar to the above example.
- At this point, you should see a message appear in your airodump-ng terminal (not your aireplay-ng terminal). It’ll say something along the lines of: WPA Handshake: targetRouterBSSID.
- If you see that message, you’re good to go. It means that the handshake has been captured, and should now be logged to the files that saved to your desktop in earlier steps. So, go look at the files on your desktop to make sure they’re there.
- Go ahead and close the aireplay-ng terminal.
- With the airodump-ng terminal active, hit CTRL+C to cease monitoring the target network.
Cracking the password (hopefully):
From this point on, everything we do will be performed locally. If everything worked as it was meant to, you should have the capture files to work with, right on your desktop. You have already stopped monitoring the target network in the previous step. However, I would suggest that you leave the terminal window up, lest you need to review the information in the airodump-ng window. If you don’t think you will, feel free to close it – but I’d advise you to leave it up until you’re finished.
- Open a new terminal window.
- Type the command: aircrack-ng -a2 -b targetRouterBSSID -w localPathToWordlist /root/Desktop/*.cap.
Before you hit enter: Let’s look at the above command, so we can understand what we’re doing.
First and foremost, we’re invoking the aircrack-ng tool and immediately giving it the arguments -a2. The a indicates the method in which we will utilize to attack the handshake capture file that we downloaded, and the 2 tells it that we are using the WPA attack method. Next, we give it the argument -b which simply tells it that we’re going to give it the target’s router BSSID. Then, we give it the -w argument, followed by a file path on our local system. This tells it that the word list is located at that path; the word list, of course, is the password word list we’re using to crack the handshake. Finally, we give it the location of our capture file; which, we set to the desktop. The asterisk is simply a wild card. However, if you have additional capture files on your desktop, you may want to specific the capture file. If you only have the one capture file, leaving the asterisk in place will work just fine.
- If you built your command correctly, it should look similar to the following: aircrack-ng –a2 –b xx:xx:xx:xx:xx:xx –w /root/Desktop/wpa.txt /root/Desktop/exampleCaptureFile.cap. If your command looks similar to this, go ahead and press enter if you have not already done so.
- Now, you just have to wait. Aircrack will begin testing the word list against the capture file. If your word list is good, and it finds the password, you’ll have a message that looks similar to the following: Key Found! [password123]. Where password123 is, obviously, the passphrase utilized to secure the target network. If a key is not found, better luck next time. Look into different attack methods; such as the aforementioned fuzzing method. It’s funner, anyway!
Hope you enjoyed it. And, again, I leave you with a few words of wisdom: Make sure that you can obtain written consent to utilize any of the methods in this article against a targeted network. I hope you learned something in this very brief introduction to wireless network penetration.