Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon

Wireless Attacks in Kali Linux

Save for later
  • 13 min read
  • 11 Oct 2013

article-image

In this article, by Willie L. Pritchett, author of the Kali Linux Cookbook, we will learn about the various wireless attacks. These days, wireless networks are everywhere. With users being on the go like never before, having to remain stationary because of having to plug into an Ethernet cable to gain Internet access is not feasible. For this convenience, there is a price to be paid; wireless connections are not as secure as Ethernet connections. In this article, we will explore various methods for manipulating radio network traffic including mobile phones and wireless networks.

We will cover the following topics in this article:

  • Wireless network WEP cracking
  • Wireless network WPA/WPA2 cracking
  • Automating wireless network cracking
  • Accessing clients using a fake AP
  • URL traffic manipulation
  • Port redirection
  • Sniffing network traffic

(For more resources related to this topic, see here.)

Wireless network WEP cracking

Wireless Equivalent Privacy, or WEP as it's commonly referred to, has been around since 1999 and is an older security standard that was used to secure wireless networks. In 2003, WEP was replaced by WPA and later by WPA2. Due to having more secure protocols available, WEP encryption is rarely used. As a matter of fact, it is highly recommended that you never use WEP encryption to secure your network! There are many known ways to exploit WEP encryption and we will explore one of those ways in this recipe.

In this recipe, we will use the AirCrack suite to crack a WEP key. The AirCrack suite (or AirCrack NG as it's commonly referred to) is a WEP and WPA key cracking program that captures network packets, analyzes them, and uses this data to crack the WEP key.

Getting ready

In order to perform the tasks of this recipe, experience with the Kali terminal window is required. A supported wireless card configured for packet injection will also be required. In case of a wireless card, packet injection involves sending a packet, or injecting it onto an already established connection between two parties. Please ensure your wireless card allows for packet injection as this is not something that all wireless cards support.

How to do it...

Let's begin the process of using AirCrack to crack a network session secured by WEP.

  1. Open a terminal window and bring up a list of wireless network interfaces:

    airmon-ng

    wireless-attacks-kali-linux-img-0

  2. Under the interface column, select one of your interfaces. In this case, we will use wlan0. If you have a different interface, such as mon0, please substitute it at every location where wlan0 is mentioned.
  3. Next, we need to stop the wlan0 interface and take it down so that we can change our MAC address in the next step.

    airmon-ng stop ifconfig wlan0 down

  4. Next, we need to change the MAC address of our interface. Since the MAC address of your machine identifies you on any network, changing the identity of our machine allows us to keep our true MAC address hidden. In this case, we will use 00:11:22:33:44:55.

    macchanger --mac 00:11:22:33:44:55 wlan0

  5. Now we need to restart airmon-ng.

    airmon-ng start wlan0

  6. Next, we will use airodump to locate the available wireless networks nearby.

    airodump-ng wlan0

  7. A listing of available networks will begin to appear. Once you find the one you want to attack, press Ctrl + C to stop the search. Highlight the MAC address in the BSSID column, right click your mouse, and select copy. Also, make note of the channel that the network is transmitting its signal upon. You will find this information in the Channel column. In this case, the channel is 10.
  8. Now we run airodump and copy the information for the selected BSSID to a file. We will utilize the following options:
    • –c allows us to select our channel. In this case, we use 10.
    • –w allows us to select the name of our file. In this case, we have chosen wirelessattack.
    • –bssid allows us to select our BSSID. In this case, we will paste 09:AC:90:AB:78 from the clipboard.

    airodump-ng –c 10 –w wirelessattack --bssid 09:AC:90:AB:78 wlan0

  9. A new terminal window will open displaying the output from the previous command.Leave this window open.
  10. Open another terminal window; to attempt to make an association, we will run aireplay, which has the following syntax: aireplay-ng -1 0 –a [BSSID] –h [our chosen MAC address] –e [ESSID] [Interface]

    aireplay-ng -1 0 -a 09:AC:90:AB:78 –h 00:11:22:33:44:55 –e backtrack wlan0

  11. Next, we send some traffic to the router so that we have some data to capture. We use aireplay again in the following format: aireplay-ng -3 –b [BSSID] – h [Our chosen MAC address] [Interface]

    aireplay-ng -3 –b 09:AC:90:AB:78 –h 00:11:22:33:44:55 wlan0

  12. Your screen will begin to fill with traffic. Let this process run for a minute or two until we have information to run the crack.
  13. Finally, we run AirCrack to crack the WEP key.

    aircrack-ng –b 09:AC:90:AB:78 wirelessattack.cap

    That's it!

How it works...

In this recipe, we used the AirCrack suite to crack the WEP key of a wireless network. AirCrack is one of the most popular programs for cracking WEP. AirCrack works by gathering packets from a wireless connection over WEP and then mathematically analyzing the data to crack the WEP encrypted key. We began the recipe by starting AirCrack and selecting our desired interface. Next, we changed our MAC address which allowed us to change our identity on the network and then searched for available wireless networks to attack using airodump. Once we found the network we wanted to attack, we used aireplay to associate our machine with the MAC address of the wireless device we were attacking. We concluded by gathering some traffic and then brute-forced the generated CAP file in order to get the wireless password.

Wireless network WPA/WPA2 cracking

WiFi Protected Access, or WPA as it's commonly referred to, has been around since 2003 and was created to secure wireless networks and replace the outdated previous standard, WEP encryption. In 2003, WEP was replaced by WPA and later by WPA2. Due to having more secure protocols available, WEP encryption is rarely used.

In this recipe, we will use the AirCrack suite to crack a WPA key. The AirCrack suite (or AirCrack NG as it's commonly referred) is a WEP and WPA key cracking program that captures network packets, analyzes them, and uses this data to crack the WPA key.

Getting ready

In order to perform the tasks of this recipe, experience with the Kali Linux terminal windows is required. A supported wireless card configured for packet injection will also be required. In the case of a wireless card, packet injection involves sending a packet, or injecting it onto an already established connection between two parties.

How to do it...

Let's begin the process of using AirCrack to crack a network session secured by WPA.

  1. Open a terminal window and bring up a list of wireless network interfaces.

    airmon-ng

    wireless-attacks-kali-linux-img-1

  2. Under the interface column, select one of your interfaces. In this case, we will use wlan0. If you have a different interface, such as mon0, please substitute it at every location where wlan0 is mentioned.
  3. Next, we need to stop the wlan0 interface and take it down.

    airmon-ng stop wlan0 ifconfig wlan0 down

  4. Next, we need to change the MAC address of our interface. In this case, we will use 00:11:22:33:44:55.

    macchanger -–mac 00:11:22:33:44:55 wlan0

  5. Now we need to restart airmon-ng.

    airmon-ng start wlan0

  6. Next, we will use airodump to locate the available wireless networks nearby.

    airodump-ng wlan0

  7. A listing of available networks will begin to appear. Once you find the one you want to attack, press Ctrl + C to stop the search. Highlight the MAC address in the BSSID column, right-click, and select copy. Also, make note of the channel that the network is transmitting its signal upon. You will find this information in the Channel column. In this case, the channel is 10.
  8. Now we run airodump and copy the information for the selected BSSID to a file. We will utilize the following options:
    • –c allows us to select our channel. In this case, we use 10.
    • –w allows us to select the name of our file. In this case, we have chosen wirelessattack.
    • –bssid allows us to select our BSSID. In this case, we will paste 09:AC:90:AB:78 from the clipboard.

    airodump-ng –c 10 –w wirelessattack --bssid 09:AC:90:AB:78 wlan0

    Unlock access to the largest independent learning library in Tech for FREE!
    Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
    Renews at €18.99/month. Cancel anytime
  9. A new terminal window will open displaying the output from the previous command.Leave this window open.
  10. Open another terminal window; to attempt to make an association, we will run aireplay, which has the following syntax: aireplay-ng –dauth 1 –a [BSSID] –c [our chosen MAC address] [Interface]. This process may take a few moments.

    Aireplay-ng --deauth 1 –a 09:AC:90:AB:78 –c 00:11:22:33:44:55 wlan0

  11. Finally, we run AirCrack to crack the WPA key. The –w option allows us to specify the location of our wordlist. We will use the .cap file that we named earlier. In this case,the file's name is wirelessattack.cap.

    Aircrack-ng –w ./wordlist.lst wirelessattack.cap

    That's it!

How it works...

In this recipe, we used the AirCrack suite to crack the WPA key of a wireless network. AirCrack is one of the most popular programs for cracking WPA. AirCrack works by gathering packets from a wireless connection over WPA and then brute-forcing passwords against the gathered data until a successful handshake is established. We began the recipe by starting AirCrack and selecting our desired interface. Next, we changed our MAC address which allowed us to change our identity on the network and then searched for available wireless networks to attack using airodump . Once we found the network we wanted to attack, we used aireplay to associate our machine with the MAC address of the wireless device we were attacking. We concluded by gathering some traffic and then brute forced the generated CAP file in order to get the wireless password.

Automating wireless network cracking

In this recipe we will use Gerix to automate a wireless network attack. Gerix is an automated GUI for AirCrack. Gerix comes installed by default on Kali Linux and will speed up your wireless network cracking efforts.

Getting ready

A supported wireless card configured for packet injection will be required to complete this recipe. In the case of a wireless card, packet injection involves sending a packet, or injecting it, onto an already established connection between two parties.

How to do it...

Let's begin the process of performing an automated wireless network crack with Gerix by downloading it.

  1. Using wget, navigate to the following website to download Gerix.

    wget https://bitbucket.org/Skin36/gerix-wifi-cracker-pyqt4/downloads/
    gerix-wifi-cracker-master.rar

  2. Once the file has been downloaded, we now need to extract the data from the RAR file.

    unrar x gerix-wifi-cracker-master.rar

  3. Now, to keep things consistent, let's move the Gerix folder to the /usr/share directory with the other penetration testing tools.

    mv gerix-wifi-cracker-master /usr/share/gerix-wifi-cracker

  4. Let's navigate to the directory where Gerix is located.

    cd /usr/share/gerix-wifi-cracker

  5. To begin using Gerix, we issue the following command:

    python gerix.py

    wireless-attacks-kali-linux-img-2

  6. Click on the Configuration tab.
  7. On the Configuration tab, select your wireless interface.
  8. Click on the Enable/Disable Monitor Mode button.
  9. Once Monitor mode has been enabled successfully, under Select Target Network, click on the Rescan Networks button.
  10. The list of targeted networks will begin to fill. Select a wireless network to target. In this case, we select a WEP encrypted network.
  11. Click on the WEP tab.

    wireless-attacks-kali-linux-img-3

  12. Under Functionalities, click on the Start Sniffing and Logging button.
  13. Click on the subtab WEP Attacks (No Client).
  14. Click on the Start false access point authentication on victim button.
  15. Click on the Start the ChopChop attack button.
  16. In the terminal window that opens, answer Y to the Use this packet question.
  17. Once completed, copy the .cap file generated.
  18. Click on the Create the ARP packet to be injected on the victim access point button.
  19. Click on the Inject the created packet on victim access point button.
  20. In the terminal window that opens, answer Y to the Use this packet question.
  21. Once you have gathered approximately 20,000 packets, click on the Cracking tab.
  22. Click on the Aircrack-ng – Decrypt WEP Password button.

    That's it!

How it works...

In this recipe, we used Gerix to automate a crack on a wireless network in order to obtain the WEP key. We began the recipe by launching Gerix and enabling the monitoring mode interface. Next, we selected our victim from a list of attack targets provided by Gerix. After we started sniffing the network traffic, we then used Chop Chop to generate the CAP file. We concluded the recipe by gathering 20,000 packets and brute-forced the CAP file with AirCrack.

With Gerix, we were able to automate the steps to crack a WEP key without having to manually type commands in a terminal window. This is an excellent way to quickly and efficiently break into a WEP secured network.

Accessing clients using a fake AP

In this recipe, we will use Gerix to create and set up a fake access point (AP). Setting up a fake access point gives us the ability to gather information on each of the computers that access it. People in this day and age will often sacrifice security for convenience. Connecting to an open wireless access point to send a quick e-mail or to quickly log into a social network is rather convenient. Gerix is an automated GUI for AirCrack.

Getting ready

A supported wireless card configured for packet injection will be required to complete this recipe. In the case of a wireless card, packet injection involves sending a packet, or injecting it onto an already established connection between two parties.

How to do it...

Let's begin the process of creating a fake AP with Gerix.

  1. Let's navigate to the directory where Gerix is located:

    cd /usr/share/gerix-wifi-cracker

  2. To begin using Gerix, we issue the following command:

    python gerix.py

    wireless-attacks-kali-linux-img-4

  3. Click on the Configuration tab.
  4. On the Configuration tab, select your wireless interface.
  5. Click on the Enable/Disable Monitor Mode button.
  6. Once Monitor mode has been enabled successfully, under Select Target Network, press the Rescan Networks button.
  7. The list of targeted networks will begin to fill. Select a wireless network to target. In this case, we select a WEP encrypted network.
  8. Click on the Fake AP tab.

    wireless-attacks-kali-linux-img-5

  9. Change the Access Point ESSID from honeypot to something less suspicious. In this case, we are going to use personalnetwork.

    wireless-attacks-kali-linux-img-6

  10. We will use the defaults on each of the other options. To start the fake access point,click on the Start Face Access Point button.

    wireless-attacks-kali-linux-img-7

    That's it!

How it works...

In this recipe, we used Gerix to create a fake AP. Creating a fake AP is an excellent way of collecting information from unsuspecting users. The reason fake access points are a great tool to use is that to your victim, they appear to be a legitimate access point, thus making it trusted by the user. Using Gerix, we were able to automate the creation of setting up a fake access point in a few short clicks.