The
following techniques are essential in the process of penetration
testing for a wireless network.
1.1
- Connecting the wireless interface card
- We
start plugging-in the Alpha USB device to the computer "kali"
and then booting it. From the console, we can use iwconfig to
confirm that the wireless card has been detected and the drivers
properly loaded. The virtual interface used for wireless connections
will be wlan0:
- Next,
bringing the interface wlan0 up:
- Checking
that wlan0 is actually up:
1.2
– Sniffing packets
- The
first step in the sniffing process would be to use the command
airmon-ng in order to put the card into monitor mode, also
known as promiscuous mode in the wired networks. It means that the
wireless interface will accept all the packets off the air in the
working channel, regardless its destination.
- The
command airmon-ng, without options, detects the
available card wlan0:
- Because
It is not possible to use directly wlan0 in monitor mode, a monitor
mode interface is created, called mon0, virtually attached to wlan0,
that will be able to read wireless frames off the air:
- Checking
that mon0 has been properly created:
- Verifying
that mon0 is working in monitor mode:
- Its
MAC address is 00-c0-a0-71-1a-36, same as wlan0:
1.3
- Capturing packets
- For
the purpose of capturing and analyzing the sniffed packets, the tool
Wireshark can be launched:
Under
Capture -> Interfaces:
- The
interface mon0 is picked up, and then Start:
1.4
– Analyzing packets
- At
next image, captured broadcast packets from Alfa Network interface
card can be seen. The Protocol field is 802.11, as expected for
wireless packets:
- Expanding
the third row, the additional information is telling that the frame
includes a "Probe Request" broadcast , because the client's
Alfa wireless card is requesting information from any available
access point:
- Next,
with the purpose of expanding a little bit this practice, the client
is connected to the network created by the Access Point, whose SSID
is "spaniard":
- The
Acces Point asks for authentication to allow the client to join the
network "spaniard":
- Again,
from Wireshark, captured packets sniffed by the interface mon0:
- Now,
there are a lot of different frames in the air:
- In
order to filter packets created by the Access Point, the filter
wlan.bssid == 00:25:f2:9b:91:23 is used, being the hexadecimal
number the Motorola AP's MAC address:
- These
packets are coming from source Motorola_9b:91:23 and destination
broadcast, being its type Beacon frame. With these packets, the AP is
announcing itself to any client that could be listening. As expected,
the BSSID is the AP's MAC address, 00:25:f2:9b:91:23. A lot more
information of the AP is available from capturing packets with
Wireshark, as it will be seen alongside later chapters.
1.5
– Working with channels
- A
very interesting command is airodump-ng, which helps to
determine in which channel the interface is running on. It is very
important to remember that a wireless interface can work only in one
channel at a given instant. This means that it is not posible for a
wireless card to sniff on all channels and bands at the same time.
- With
the purpose of sniffing packets from and to an specific AP, it is
necessary to lock up the wireless card on the same channel that the
AP, the 6 in this case:
- Setting
mon0 on channel 6:
- After
the airodump-ng command, it is necessary to add the MAC
address of the AP and the monitoring interface mon0:
- Then,
all the information about the AP and the clients connected to it is
seen. Also, the encryption methods used, and son on. Anyway, these
concepts will be studied in more details at next chapter:
- As said before, the working channel for the wireless interface is the 6:
- It
can be verified that now the working frequency is 2.437 GHz,
corresponding to channel 6 center:
- Another
useful utility of airodump-ng is the ability to make the
interface hopping from different bands and channels:
- As
the time goes by 4, 12, 24, 32, 40 seconds …, the interface hops
between channels 6, 5, 3, 13, 2 …
- As
previously said, the interface is working in a single channel for a
given second, regardless it can hop to another channel some seconds
later.
- This
option is essential so that the wireless interface card can detect
different Access Points in the sorrounding area, each of them working
in a different band or channel. Again:
1.6
- Injecting packets
- This
practice consists of the Alfa card being able to inject arbitrary
packets into the air without actually being connected to the AP. So,
first of all we need to disconnect the attacker "kali" from
the "spaniard" network.
- Injecting
packets from the client “kali” means that it will be acting as a
new AP, in other words a “spoofed AP”. For that, “kali” will
be creating arbitrarily beacon frames as if it would be an AP
broadcasting its SSID “example”.
- One
of the commands to achieve this goal is mkd3, adding the mon0
interface, option b for “beacon flood mode”, option -n for name
SSID “example”:
- These
packets are captured by Wireshark:
- Also,
from the client “roch” the spoofed AP's SSID “example” can be
detected:
- Another
option could be to use the aireplay-ng command, to inject
packets into a network, for instance “spaniard” In this case,
the wireless interface detects the AP and then injects “probe
request” packets, even without actually being connected to the AP.
The used options are -9 (tests injection and quality), -e (setting
the target AP's SSID), -a (setting the target AP's BSSID or MAC
address), and finally the used interface mon0.
- From
this practice it can be deduced that anyone can create and broadcast
beacon frames (imitating a real or legitimate AP, being SSIDs in
clear text or unencrypted), or inject probe request packets. These
security tricks will be very valuable for attacks seen at next
chapter.