Hacking Wireless Networks

• Course Materials

IMPORTANT!: Gaining access to networks without permission is considered an illegal act or crime in most countries. Know the law and obey.

Aircrack-ng http://www.aircrack-ng.org/ is a set of tools for auditing wireless networks. The goal of these exercises is to introduce some of their capabilities. The man pages are very thorough and are more than enough to complete the exercises without “cheating”. You are encouraged to find the solutions in the man pages. Please pay attention to the large variety of features the toolset offers as we will only be able to cover a tiny fraction.

You will need to be root to use most of these utilities.

NOTE: This exercise will require multiple terminals open at the same time. It’s recommended to use a terminal multiplexer like tmux, or use the VNC feature and open multiple terminals.

Exercise 1: Recon

Task 1.1

Use airodump-ng to start capturing packets on your wireless interface.

NOTE: you may need to widen your terminal to see every column. The last column is ESSID.

• How many networks do you see? What are they called?
• Take note of the ESSIDs, BSSIDs, channels, and encryption types.

Next, in order to sniff a wireless network, the adapter needs to be put into monitor mode. Some processes may interfere with the adapter while in monitor mode.

airmon-ng check

If we were doing normal wireless testing, now would be an appropriate time to run (DO NOT RUN THIS COMMAND!) airmon-ng check kill, which kills the conflicting processes. It will break the lab environment, so don’t run it. If you did run this command on accident, you can to wipe your Kali machine in CML and start it again.

Put the wireless interface wlan0 in monitor mode:

NOTE: the next command fails on current Kali instances. To fix this, run sudo rfkill toggle 0, and try running it again. It will still complain about an error, but if you select [y], it will work.

airmon-ng start wlan0

You should see a new network interface on your Kali machine called wlan0mon. Now, when you run airodump-ng, this interface will be in monitor mode. Remember that interfaces in monitor mode:

1. Constantly switch between channels to catch traffic on any channel.
2. Will sniff traffic even on wireless networks you aren’t associated to.

Exercise 2: Cracking WEP

Task 2.1

Run airodump-ng to start capturing packets on the target network utilizing WEP. Let this capture continue.

airodump-ng --write $output_cap_file --channel $target_channel --bssid $target_bssid wlan0mon

Task 2.2

Try to use aircrack-ng PTW (Pyshkin, Tews, Weinmann) method to crack the WEP PSK. Did it work? Take note of any error messages and consider your next step. Move on to Task 2.3.

# -a 1 specifies we are cracking WEP
aircrack-ng -a 1 [-b $target_bssid] $output_cap_file

Task 2.3

Anywhere from 20k-60k IVs will be needed. Use aireplay-ng to spoof an associated station and replay ARP frames to increase the data rate. Keep trying aircrack-ng from Task 2.2 until you can crack the key.

# -3 indicates replay ARP frames
aireplay-ng -3 -b $target_bssid -h $spoofed_station_mac wlan0mon

Exercise 3: Obtaining the WPA2 PSK

Task 3.1

Use airodump-ng to capture a WPA handshake corresponding to a target network.

# Wait until the WPA handshake appears in the top line.
airodump-ng --write $output_cap_file --channel $target_channel --bssid $target_bssid wlan0mon

Task 3.2

If the handshake doesn’t reveal itself passively, use aireplay-ng to deauthenticate an associated station. This will force a handshake to occur.

# -0 1 indicates send one set of deauth packets
aireplay-ng -0 1 -a $target_bssid -c $authed_station_mac wlan0mon

Task 3.3

Use aircrack-ng to find the WPA PSK using the dictionary /usr/share/wordlists/fasttrack.txt. This dictionary only contains about 250 passwords, so it will complete very quickly.

# -a 2 specifies we are looking for a WPA handshake
aircrack-ng -a 2 [-b $target_bssid] -w /usr/share/wordlists/fasttrack.txt $handshake_capture_file