Preparing wireless attack environment

[Finding the right adapter and preparing the operating system]

Guten_Tag cybermonkeys,

I felt it was time to write about preparing yourself for wireless attacks, since you can get really frustrated when something just won't work out the way you expected it to. I also want to show you how to set up your operating system and your mindset for this kind of attack.

Introduction

It might surprise you to hear that you cannot simply plug in a generic WLAN USB stick and start hacking stuff. There are various things you need to consider before starting.
To begin with, these instructions are aimed at a Linux environment.
If you happen to use any flavour of Kali Linux, like my beloved ParrotOS, good news: you already have everything installed! On other Linux distributions you can just apt-get the required programs.
We are using the Aircrack-ng suite for this.
If you are on Windows, you should still be able to tag along, but you'd need to install a virtual machine or code your way around it.

Here are the points we need to consider before starting WLan-attacks:

  • Find a compatible adapter
  • Activate Monitoring Mode on the adapter
  • Spoof your MAC address
  • Scan for networks (passive)
  • Find your target network
Consider this post more a guideline than a tutorial. Especially the first point on the list is hard to describe in a universally correct way.
Have fun!

Finding a compatible adapter


Finding a compatible adapter is not that hard, but it is still a pain in the ass (at least for me lol). Many vendors strip functionality from their products to make them cheaper. Especially listening, monitoring and injecting are no "standard" features, so we might need to search around a bit. The good news is that many laptops have pretty good network cards built in; this holds true especially for Thinkpads. For some reason, my ancient Windows XP laptop had a better WLAN adapter built in than my new one (HP Pavilion). The old one could even hop onto 5 GHz, which is the frequency most iPhones operate on.

The makers of Aircrack-ng, one of the most popular tools (and the one we are going to use), have already written an article about how to find the right cards.
The authors of WonderHowTo wrote a useful blog post as well, and since I'm a lazy soab, I will just point you towards these two links and encourage you to read them.

Tl;dr: look out especially for an adapter that supports monitor mode. The WonderHowTo post should provide some links to good adapters, so don't claim I sold you cheap shit, claim WonderHowTo did.
There really is not much more to say on this point. You will need to invest some bucks, but it should not be more than around 30 € (or 3500 ¥ if you're a weeb).

Activating Monitoring Mode

So, after finding the right WLAN adapter for your needs, it is time to put it into monitor mode.
Monitor mode is required so the adapter can listen on all frequencies and hop between channels, something it wouldn't do if it were just connected to an access point.

For this purpose we are going to use the airmon-ng program.
But first we need to find our adapter and remember its name. In your favourite shell, type

iwconfig

The output should look something like this (taken from ubuntuusers.de):

lo no wireless extensions.

eth0 no wireless extensions.

wlan0 IEEE 802.11g  ESSID:"MeinHeimnetz"
  Mode:Managed  Frequency:2.452 GHz  Access Point: 12:34:56:78:90:AB
  Bit Rate:11 Mb/s   Tx-Power:18 dBm   Sensitivity=0/3
  Retry:off   RTS thr:off   Fragment thr:off
  Power Management:off
  Link Quality=26/94  Signal level=-69 dBm  Noise level=-95 dBm
  Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
  Tx excessive retries:0  Invalid misc:0   Missed beacon:0

As you can see, on this specific machine there are 3 network interfaces.
The first one is lo, the loopback interface, and uninteresting.
The second one is called eth0 and is a "classic" LAN adapter.
The third one is the one we are looking for; in this case it is called wlan0.
iwconfig also shows some additional information about your adapter here, but at this point I assume you already have a compatible adapter.

Based on this information, we can start monitor mode by typing
airmon-ng start wlan0

Careful though: sometimes there are processes running on your system that interfere with airmon-ng. Luckily, the authors already considered this and gave us a built-in function to kill these processes. Just type in
airmon-ng check kill

Be aware that this also kills NetworkManager and wpa_supplicant, so your normal network connection is gone until you start them again. Now, if you run iwconfig again to check for adapters, you should find a newly spawned monitoring device called wlan0mon. At this point you are good to go and everything worked.
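Before going on, it is worth checking that the new interface really is in Monitor mode and not just present. The shell functions below are an added example (not part of the original post or of the aircrack-ng suite): they parse iwconfig output, list the interfaces that have wireless extensions and read each one's Mode. The embedded sample is the post's iwconfig listing with a constructed wlan0mon block appended; on a live system, pipe real output in with iwconfig 2>/dev/null | in_monitor_mode wlan0mon.

```shell
#!/bin/sh
# Added example: parse iwconfig output to list wireless interfaces and read an
# interface's Mode (Managed, Monitor, ...). All functions read iwconfig text on stdin.

# Print the name of every interface that has wireless extensions, in output order.
# iwconfig starts each interface block with a non-indented line; interfaces without
# wireless support print "<name>  no wireless extensions." on that line.
wireless_ifaces() {
    awk '/^[^[:space:]]/ && !/no wireless extensions/ { print $1 }'
}

# Print the Mode of the interface named in $1 (empty if not found or not wireless).
iface_mode() {
    awk -v want="$1" '
        /^[^[:space:]]/ { cur = $1 }
        cur == want && match($0, /Mode:[A-Za-z-]+/) {
            print substr($0, RSTART + 5, RLENGTH - 5)   # strip the "Mode:" prefix
            exit
        }'
}

# Return 0 if the interface in $1 is in Monitor mode, 1 otherwise.
in_monitor_mode() {
    [ "$(iface_mode "$1")" = "Monitor" ]
}

# Constructed sample: the post's iwconfig listing with a wlan0mon block appended,
# as it would look after "airmon-ng start wlan0".
SAMPLE='lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11g  ESSID:"MeinHeimnetz"
          Mode:Managed  Frequency:2.452 GHz  Access Point: 12:34:56:78:90:AB
          Bit Rate:11 Mb/s   Tx-Power:18 dBm   Sensitivity=0/3
          Link Quality=26/94  Signal level=-69 dBm  Noise level=-95 dBm

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off'

# Demo on the sample. On a live box replace the printf with: iwconfig 2>/dev/null
echo "wireless interfaces:"
printf '%s\n' "$SAMPLE" | wireless_ifaces
for dev in wlan0 wlan0mon; do
    if printf '%s\n' "$SAMPLE" | in_monitor_mode "$dev"; then
        echo "$dev: monitor mode active"
    else
        echo "$dev: mode is $(printf '%s\n' "$SAMPLE" | iface_mode "$dev"), not monitoring"
    fi
done
```

The awk in iface_mode keeps track of the current interface block, so it finds the Mode field whether it sits on the first line (as for wlan0mon) or on a continuation line (as for wlan0).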

Spoofing your MAC address

At this point we have created a monitoring device. But it still carries our MAC address. The MAC address is something like a hardware ID, burned onto the device by the hardware vendor. If you are curious about what information you can get out of a MAC address, here is a list containing most vendors.
For now, just remember that if you use the same MAC address for hacking as you use for everyday Internet surfing, sysops in your network should find out who you are pretty easily.

To spoof your MAC address, you first need to deactivate your network device. We are talking about taking it down. Then change the address and bring it back up.

The actual change of the MAC address is done with the command ifconfig wlan0mon hw ether XX:XX:XX:XX:XX:XX, where the six bytes at the end are the desired MAC address, delimited by colons.

So the full chain looks like this:

service network-manager stop
ifconfig wlan0mon down
ifconfig wlan0mon hw ether XX:XX:XX:XX:XX:XX
ifconfig wlan0mon up
service network-manager start

As you see, taking down the WLAN device here also involves stopping the network-manager service. This is hard to remember and not really intuitive. Luckily, there is an alternative route: Macchanger!

Macchanger is a program with several switches; it can, for example, set your MAC address to a specific value, but let's focus on the -a flag here. With it, the program randomizes your MAC address! Easy as that. (If you want to know more about the other switches, use the man tool.)

To randomize your MAC address, use this command chain:

ifconfig wlan0mon down
macchanger -a wlan0mon
ifconfig wlan0mon up

It's much more intuitive and easier to remember than the first way.
There are some other ways to do this, and of course you can permanently change your MAC address, too.
Look at this ubuntuusers.de discussion for that (it is in German, but auto-translate should work).
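The "sysops should find out who you are" point above has a concrete, checkable side: the two lowest bits of a MAC address's first octet say whether the address is a group address and whether it was burned in by the vendor or assigned in software, and a network monitor can key on exactly that. The shell functions below are an added example, not from the original post or from the macchanger project; they validate a MAC and decode those two bits for a constructed list of addresses (the post's own 12:34:56:78:90:AB placeholder among them).

```shell
#!/bin/sh
# Added example: decode the two flag bits in the first octet of a MAC address.
#   bit 0 (0x01) = I/G: 1 means group/multicast address, 0 means individual.
#   bit 1 (0x02) = U/L: 1 means locally administered (assigned in software),
#                       0 means universally administered (burned in by the vendor).

# Return 0 if $1 looks like a colon-separated MAC (six hex octets), else 1.
mac_valid() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print one word classifying $1: invalid, multicast, local, or universal.
mac_classify() {
    mac_valid "$1" || { echo invalid; return 1; }
    first="0x${1%%:*}"                  # first octet as a hex literal
    if [ $(( $first & 1 )) -ne 0 ]; then
        echo multicast
    elif [ $(( $first & 2 )) -ne 0 ]; then
        echo local
    else
        echo universal
    fi
}

# Constructed sample list, as a sysop might pull it from a DHCP lease table or
# from airodump-ng's station list. 12:34:56:78:90:AB is the post's placeholder;
# the others are made up for this example.
SAMPLE_MACS='12:34:56:78:90:AB
00:1A:2B:3C:4D:5E
02:00:00:00:00:01
01:00:5E:00:00:FB
XX:XX:XX:XX:XX:XX'

# Print each address with its class. The "local" ones are the addresses a monitor
# would flag as software-assigned rather than burned in.
report() {
    printf '%s\n' "$SAMPLE_MACS" | while IFS= read -r mac; do
        printf '%-18s %s\n' "$mac" "$(mac_classify "$mac")"
    done
}

report
```

Note that the post's placeholder 12:34:56:78:90:AB already has the locally-administered bit set (0x12 has bit 1 set), so a monitor would never mistake it for a vendor-assigned address.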

You can verify all steps up until now with the help of this image:

Scanning for networks

At this point we are ready to scan the aether for networks. We will be using a method called passive scanning, because it leaves no traces of us. The idea behind this technique is to capture beacons from stations and access points (user devices are called stations; I know this is kind of confusing). Access points will, from time to time, scream out their presence to everybody around with a beacon. Kind of like people talking way too loud on their phone lol.
Connected clients (stations) are easy to find, since they communicate with their respective access point all the time. But even if a device is not connected to anything, you can sometimes get lucky and catch a scanning attempt of theirs. It is good practice to deactivate WLAN on your phone when you are not connected to anything.

[Note that some networks do not send any beacons because they are in silent or hidden mode. You can still catch packets from these networks if you patiently wait until someone connects to them, but this might take a while, and it is not normal behaviour, so ignore it for now.]

To start scanning, simply use

airodump-ng wlan0mon

Here is a sample output of this operation:

The first list contains access points, the second list shows stations.
You can see the MAC address of each device, the signal strength, the channel, the number of packets sent and the BSSID. This represents the name of the WLAN network. For the stations, it also shows the MAC address of the access point they are connected to. As you see in the picture, not being connected to anything does not, by any means, make your device "invisible".

Another interesting field is called AUTH. It shows the authentication type of the access point; in the example most APs are using pre-shared keys. It might be interesting at another time; for now just remember it.

I encourage you to fire up airodump-ng and look around your neighbourhood. Depending on where you live, there could be TONS of networks and devices around, so it might be very irritating at first. Fortunately, you can narrow the focus of airodump-ng by specifying a specific channel or BSSID.

A channel is nothing more than a slight frequency shift.
The standard frequency of the WLAN protocol is around 2.4 GHz with a channel width of around 80 MHz. This means that although every access point operates at around 2.4 GHz, station a could be using exactly 2410 MHz while access point b is sending on 2460 MHz.
Can you see how the protocol tries to avoid collisions between networks here?

If you found an "interesting" channel, you can limit the scope to this specific channel by setting your WLAN device to this specific frequency. There are again two methods of doing so: the "native" way, and a more comfortable way. The native way uses these commands:


ifconfig wlan0mon down
iwconfig wlan0mon channel X
ifconfig wlan0mon up

The more comfortable way is to just pass the desired channel as a parameter to airodump-ng, like this:

airodump-ng --channel 1 wlan0mon

Sometimes even this is still too much, since there can be multiple access points on the same channel, or the network is split up. To limit the scope to one specific AP, use the --bssid flag like this:

airodump-ng --bssid XX:XX:XX:XX:XX:XX wlan0mon
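To connect the Frequency field that iwconfig prints with the channel column airodump-ng shows, here is an added shell example, not from the original post, that converts between channel numbers and centre frequencies. It assumes the standard 802.11 channel grid: in the 2.4 GHz band channel N sits at 2407 + 5·N MHz (channel 14 at 2484 MHz), in the 5 GHz band at 5000 + 5·N MHz. With it, the "Frequency:2.452 GHz" from the iwconfig listing above comes out as channel 9, the value you would pass to --channel.

```shell
#!/bin/sh
# Added example: map 802.11 channel numbers to centre frequencies and back.
# Assumed grid: 2.4 GHz ch 1-13 = 2407 + 5*ch MHz, ch 14 = 2484 MHz;
#               5 GHz   ch N    = 5000 + 5*N MHz (e.g. ch 36 = 5180 MHz).

# Print the centre frequency in MHz for channel $1; return 1 for an unknown channel.
channel_to_mhz() {
    c=$1
    if [ "$c" -ge 1 ] && [ "$c" -le 13 ]; then
        echo $(( 2407 + 5 * c ))
    elif [ "$c" -eq 14 ]; then
        echo 2484
    elif [ "$c" -ge 32 ] && [ "$c" -le 177 ]; then
        echo $(( 5000 + 5 * c ))
    else
        return 1
    fi
}

# Print the channel number for a centre frequency in MHz; return 1 if it is off-grid.
mhz_to_channel() {
    f=$1
    if [ "$f" -eq 2484 ]; then
        echo 14
    elif [ "$f" -ge 2412 ] && [ "$f" -le 2472 ] && [ $(( (f - 2407) % 5 )) -eq 0 ]; then
        echo $(( (f - 2407) / 5 ))
    elif [ "$f" -ge 5160 ] && [ "$f" -le 5885 ] && [ $(( f % 5 )) -eq 0 ]; then
        echo $(( (f - 5000) / 5 ))
    else
        return 1
    fi
}

# Convert the GHz value from iwconfig's "Frequency:2.452 GHz" (pass "2.452") to a channel.
# awk avoids the octal trap of "$((052))" when the fraction has a leading zero.
ghz_to_channel() {
    mhz=$(printf '%s\n' "$1" | awk -F. '{ printf "%d", $1 * 1000 + substr($2 "000", 1, 3) }')
    mhz_to_channel "$mhz"
}

# Demo: the non-overlapping 2.4 GHz trio, channel 14, two 5 GHz channels,
# and the frequency from the iwconfig sample in the post.
for n in 1 6 11 14 36 149; do
    echo "channel $n -> $(channel_to_mhz "$n") MHz"
done
echo "iwconfig Frequency:2.452 GHz -> channel $(ghz_to_channel 2.452)"
```

The 2.4 GHz conversion rejects frequencies that do not fall on the 5 MHz grid, which is a cheap sanity check when a tool reports an odd value.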



Your output should look something like this:

Nice and straightforward, isn't it?
With the techniques I have shown you here, you should be able to find your target network and limit the scope to it.

Further reading

In future posts I will not repeat every step of this tutorial, but I will always provide backlinks. To work with WLAN technology it is enough to know these steps; however, if you are interested in the technology behind it, I recommend reading Hacking Wireless Networks by Andreas Kolokithas.

Here are two shots from the book, just to show you how a WLAN frame is structured:



As you see, there is quite some data involved.
If you want to investigate further, you should get familiar with Wireshark, a great program for watching the traffic flowing over a network interface.

That's it for today, cybermonkeys. 
I hope everything was understandable and you could follow along. Come back again.


They really want your soul
but can't control your thoughts,
but can't control your dreams,
they can't control it all.
- numb.3rs
