Wi-Fi Penetration Testing – Part 1
Hello everyone, this blog series demonstrates how to set up your Wi-Fi Penetration Testing Machine and how you can crack Wi-Fi passwords. This blog is for people who are interested in Wi-Fi Penetration Testing. The Attacks we are going to learn in this blog series will allow us to get the password or the keys. This blog will be divided into 4 parts.
Let’S start the part-1
In this part, we are setting up the enviroment for Wi-Fi penetration testing & also we will be going through the basics of Wi-Fi Networks.
Setting up the Enviroment
Overview, needed software & hardware
So, this blog series, or especially in parts 2,3 & 4 are going to be practical. To do all the practice we need to set up a lab. To set up the lab we require:
- Windows or Mac (host machine) with a minimum 8GB
- Windows or Mac (Victim machine)
- Wireless Adapter Card, which supports monitor mode and packet injection.
- Virtual Box Software
- Kali Linux VirtualBox Image
Installing Kali Linux In VirtualBox
We are installing our OS as virtual machines Because if we break the Virtual machine, it will not affect our Main operating system. Before we install kali Linux, we need to install Virtualization Software as it allows us to create several Virtual computers inside our main Computer. For this, we are installing VirtualBox.
Virtual Box Installation
- Click here to download VirtualBox software
- Install VirtualBox software with all default settings.
- Virtualization must be enabled in the laptop BIOS to run Virtual Machine inside VirtualBox
Kali Linux Installation
- To install the Kali Linux image, go to (https://www.kali.org/downloads/).
- Click Here to download Kali Linux 64-bit VirtualBox Image.
- Double click the downloaded file and it will open itself under VirtualBox software and click “Import”.
- Importing started
- After completion of Importing, click on “Settings” and select “System”
- Give Base Memory Minimum 2GB and click on “Network”.
- Now, Click on Enable Network adapter in “Attached to” select Bridged adapter and click “OK”
Start your VM and Explore Kali Linux
- Click here for Kali Linux tutorial.
- If you want to Dual boot the Kali Linux with Windows 10 Click here
- If you want to Install Kali Linux in Main Machine Click here
Connecting wireless adapter to Virtual Machine
What is wireless card?
A wireless adapter is a USB device that connects to your computer, and it allows you to communicate with a wireless network. Most computers and laptops come with a built-in wireless card.
If we have a Built-in Wireless card, why do we need an external adapter?
The only problem is, first of all, you can’t access built-in wireless cards from a virtual machine, or if you install kali as the main machine, the built-in wireless card is not good for hacking because we need a powerful adapter that supports monitor mode and packet injection. Thus, a built-in wireless card does not support these modes and can’t be used for hacking. That’s why powerful Wi-Fi adapter is recommended.
Let’s Attach the wireless adapter with kali Linux.
- Open the virtual box, and Select the machine in which you want to connect the adapter. Go to settings
- Select USB
- Check that USB is enabled, and we have to select the USB option that is supported by our Wi-Fi adapter. So, it’s either USB 1.1, 2.0, or 3.0 and for the adapter I have USB 3.0 (I am using ALFA AWUS 1900) and then on the right side, click on “add USB”.
- Attach your USB to the computer port and Select it Here and click “OK”
- You can see that your USB is attached click “Ok”
- If you can’t see USB 2.0 & USB 3.0 make sure you install the VirtualBox Extension pack
- Some of the adapters are plug-and-play, but for some adapter, you need to install their drivers.
Basics of Networking
Basic Understanding of Wi-Fi and its Network
Wi-Fi stands for Wireless Fidelity is a wireless networking technology that allows devices such as computers (laptops and desktops), mobile devices (smartphones and wearables), and other equipment (printers and video cameras) to interface with the Internet. It allows these devices and many more to exchange information with one another, creating a network. It transmits the single through the air.
IEEE 802.11 Standards
It is also known as Wireless fidelity (Wi-Fi). It was designed for use in a limited geographical area (homes, office buildings, campuses). Access Method of IEEE 802.11 Wi-Fi is CSMA/CA (Carrier Sense multiple access with collision avoidance). IEEE 802.11 uses various frequencies including, but not limited to, 2.4 GHz, 5 GHz, 6 GHz, and 60 GHz frequency bands. It defines the protocols that enable communications with current Wi-Fi-enabled wireless devices, including wireless routers and wireless access points.
802.11 Wi-Fi Data Frame
Frame Control – It holds information about the protocol in use, type of frame, or type of security used.
Duration – It indicates how long the field transmission will take so that other devices know when the channel will be available again.
Address 1 – It is the Source/Sender’s MAC address
Address 2 – It is the Transmitter address, which refers to AP’s MAC address.
Address 3 – It is the Receiver address, which also refers to AP’s MAC address
Sequence Control – It Indicates how a large packet is fragmented.
Address 4 – It is the destination MAC address
Data – It anything the frame carries, such as an IP packet.
Frame Check sequence – it is an error Checking mechanism to ensure the frame is intact.
Wi-Fi bands 2.4ghz & 5ghz frequency
The two main frequencies used in Wi-Fi network are 2.4GHz & 5GHz
2.4 GHz band is the frequency range from 2.4 GHz to 2.4835 GHz. This band is used by 802.11b, 802.11g, and 802.11n standards. The 2.4GHz band is divided into 14 fixed-frequency channels. Each channel is 20MHz wide
5GHz band is used by 802.11a, 802.11n and 802.11ac standards. 5GHz band is divided into UNII-1, UNII-2 Extended, UNII-3 and UNII-3 and ISM. UNII stand for Unlicensed National Information Infrastructure, ISM stands for Industrial Scientific and medical. They are simply labels, specifications and regulations for different parts of the band for example, UNII-1 band is designed mainly for indoor Wi-Fi networks.
WIFI Security Protocols:
1.WEP (Wired equivalent privacy)
It is the earliest security protocol that was used for wireless network. Developed in 1999. It used 40-bit encryption key. It was found that the encryption it used is vulnerable and not secure.
2.WPA (Wi-Fi Protected access)
It was developed to solve the problems of a WEP. WPA is far better than WEP and this is because it uses a stronger encryption method called TKIP (Temporal key integrity protocol) and TKIP dynamically changes its keys as its being used and this ensures data Integrity. Today WPA is outdated because TKIP did have some Vulnerabilities.
It was developed to provide even stronger security than WPA. WPA uses AES (Advanced Encryption Standard). AES used a symmetric encryption algorithm which makes it strong enough to resist a brute-force attack.
It was introduced in 2018 and according to the official Wi-Fi website https://www.wi-fi.org/ provides cutting-edge security protocols to the market. The WPA3 standard also replaces the Pre-shared key (PSK) exchange with Simultaneous Authentication of Equals(SAE) exchange, a method originally introduced with IEEE 802.11s, resulting in a more secure initial key exchange in personal mode and forward secrecy. The Wi-Fi Alliance also claims that WPA3 will mitigate security issues posed by weak passwords and simplify the process of setting up devices with no display interface.
Understanding how AP and client Communicate (Important)
Now, let understand each stage how this device connects with each other and start transmit data.
This process works in 3 main parts:
PROBE (It is the first stage in connectinng to a wireless network)
- Probe Request(Broadcasting requesting) – when you start your Wi-FI connection Client start Broadcasting Probe requests on all channels to find the Access points.
- Probe Response – Now Access points in range start sending this response to client, this is the time you can see near-by Access point list.
- Authentication Request- One we select the Access point from the list, the client sends the Authentication request packet to the Access point.
- Authentication Response-If Authentication Request is Successful then client recevice the Authentication Sucsessful response from the Access Point.
ASSOCIATION (Final stage)
- Association Request-Now, Client sends this request to AP, it means that they are ready to start communicating with each other.
- Association Response- finally AP sends final response to client.
After completion of this 3 main steps, data exchanging started
In below diagram I capture, my mobile phone’s connection Requests with Access Point(Wi-Fi) Requests in wireshark and you can see each packets that we are talking about.
What is MAC address?
Media Access Control addresses hardware address that uniquely identifies each node of a network. It Assigned by the device manufacturer. The MAC address is used within the network to identify devices and transfer data between devices So each piece of data or packet that is sent within the network contains a source MAC address & Destination. MAC address MAC addresses are 12-digit hexadecimal numbers (48 bits in length).
Why to Change the MAC Address?
MAC Address is a unique physical address to each network device, and it is used to identify devices, then changing it will make you anonymous on the network.
How to hide MAC address?
You may think that how you can change the MAC address if the computer reads it from hardware? You are not going to modify hardware; you are going to change RAM. When the computer starts, the MAC address loads in RAM and we are going to change the already loaded MAC address. So, when you change your MAC address so the victim will find your fake MAC address and they will not be able to trace you.
How to Change MAC address
Boot up your Kali machine from virtual box and open terminal. So, I am going to use the ifconfig command to list all the network interfaces available on our machine
In the upper image you can see eth0 is a Virtual interface created by virtual box, lo is Linux default interface and wlan0 is our wireless adapter.
Method 1 (To change Mac Address)
Now, we want to change the MAC address which is in wlan0 followed by ether. To change any value of the Interface we can see in above image. we have to first disable the Interface. In which we are going to make some changes.
To disable an interface, we are going to do ifconfig followed by the interface name and followed by down to disable it. So, the final Command will be
ifconfig < Interface name> down
(This command will stop every wireless service and it is necessary to stop network card before changing any value of it)
Now we want to change the MAC Address that is represented by ether. So, type ifconfig followed by Interface that we want to change followed by the option that we want to change in this we want to change the hardware address. So, type hw ether then we give it the address that we want to change the current MAC address
Ifconfig < Interface name> < Option> < MAC address>
(example ifconfig wlan0 hw ether 00:11:12:13:14:15 you can use any address that you want to use just follow the same format and make sure that your address start with 00: )
Now, we just need to enable the interface because we disabled it. To enable it type ifconfig followed by interface name followed by up.
Ifconfig < Interface name> up
Do “ifconfig” again and see that the MAC Address is changed
Method 2 (To change MAC address)
Kali Linux has already installed program called “macchanger” which lets us to change loaded MAC address.
We need first to stop our wireless card to change the MAC address.
ifconfig wlan0 down (As we did in Method -1)
Then type in the following command
(This command call macchanger and show help. There are program usage instructions.)
In my case, I will use random MAC address by entering
macchanger –random wlan0
macchanger is a program name, –random is an option and wlan0 is wireless card. If everything is correct, then the screen should look like below image
Wireless mode (managed and monitor mode explained)
If we want to hack Wi-Fi we need to capture “Handshake”. This handshake is connection between Victim computer and the wireless network with this handshake we can hack the password and Wi-Fi Name (Will do this in Part-2)
As all the data is sent as packets in the network devices to that these packets go in the right direction using the mac address. So, each packet has a source MAC address and a Destination MAC address and it flows from the source to destination.
If the MAC address is used to ensure that each packet gets delivered to the right place then how we capture it?
So, this only applied to the default mode of wireless card, which is “managed” mode”.
If we are in the Wi-Fi range then, we are able to capture all of this communication because these packets are sent in the air, so we can capture them even if they do not have our MAC address as the destination MAC.
Monitor mode allows a wireless card to “monitor” the packets that are received without any filtering. When using some wireless drivers, this mode allows for the sending of raw 802.11 frames.
To do this, we need to change the mode of operation of our wireless interface so that it operates in monitor mode.
In the above Image, we can see the mode of this adapter is set to managed. This means that, this is the default mode of all wireless devices and it means this device will only capture packets that has the destination MAC as the MAC address of this device. So basically, it will only capture devices that are directed to our kali Machine but this is not we are looking for what we want is too able to capture all the packets that are within our range, even if they are sent to router and even if they are set to another device so to do this, we need to set the mode to “Monitor Mode”.
Putting card in monitor mode
So, before we change the option of interface, we have to disable it and we can do it by
Ifconfig < Interface name> down
Now we can enable monitor mode but before we do that, we are going to run a command to kill any process that could interfere with, while using my interface in monitor mode. Killing the process is not mandatory but it will actually give you better results in upcoming attacks. Command will be-
airmon-ng check kill
Now you will see that when you run this command it will kill the network manager. So, you’ll lose the internet connection but there is no problem in it because we will only need to be in monitor mode when we are running pre connection attacks. So, we do not need internet connection to run any of the attacks that require monitor mode. (More Discussion on this in Part-2)
Now, we are going to enable the monitor mode
Iwconfig < Interface name> mode monitor
airmon-ng start < Interface name>
Again, we need to enable the interface as we did previously while changing the MAC address.
ifconfig < Interface name> up (Only for Method -1)
I Mentioned both the Methods so you can understand this command easily. So, run all the command in below diagram and you can see the mode is now set to Monitor now.
- After mode is change to monitor the interface name can be change to wlan0, mon0 & wlan0mon0. So, it not an issue just selects the name what you get after iwconfig.
- Not all adapters support the monitor mode
- Click Here If you want to test your Wi-Fi Adapter Support monitor mode & Packet Injection will discuss this more in next part.
So here we end the Part-1 of this Series. Soon we upload the upcoming parts for this Wireless penetration testing Series.
Payatu is a boutique security testing and services organization specialized in Products, Application, and Infrastructure security assessments and deep technical security training. We offer a full IoT ecosystem security assessment, including Hardware, Cloud, Web, and Mobile interface. If you are looking for security testing services then let’s talk, share your requirements:
Get in touch with us. Click on the get started button below.