
On Setting Up a WiFi Hacking Environment

I haven't been playing with WiFi hacking for some time, so I wanted to put my skills to the test once again. To my surprise, setting up the environment was more complicated than I thought it would be. I ended up in many forums, went through a lot of troubleshooting procedures and took two days to make it work. For your benefit, I'd like to share how to avoid the trouble I went through.

The Basics

In short, to perform WiFi hacking, there are 2 (extremely) high-level steps:

  1. Choose a WiFi adapter
  2. Dive into hacking

That's how I divided my efforts. The adapter part is much more troublesome and took me much more time. Hacking itself means knowing the concepts and tools, having patience, and having proper authorization before attacking other people's networks.

Choosing an adapter

A good adapter needs to:

  • ideally be built on the Atheros chipset rather than Ralink, Realtek or any other. The adapter's brand doesn't matter that much; what matters most is the chipset, but the vendor may not tell you in advance which one it is. This is stated in the aircrack-ng wiki page, which was an invaluable resource during my hunt; there you'll also find more tips on how to identify the chipset;
  • be genuine. Yes, genuine. One of the most popular adapters using the Atheros chipset is made by Alfa. The problem is that it became so popular that some Chinese manufacturers started faking it. This finding was shocking to me. To verify whether what you bought is counterfeit, you can ask Alfa directly, sending them the MAC address, serial number and any other information you can find, so they can check it. But that check can fail: it is susceptible to "replay attacks", right? A fake can carry the identifiers copied from a genuine unit. So you also need to verify things like shape, color and size. After that, carefully plug it into a PC and check whether the MAC address and serial number match, using ifconfig and sudo lspci -vv (as root you see more details). You can also perform a vendor lookup based on the Organizationally Unique Identifier (OUI), the vendor-assigned prefix of the MAC address (e.g., 01-23-45-67-89-ab-cd-ef). Also expect many fakes on eBay and similar sites;
  • support monitor mode (the wireless equivalent of promiscuous mode) to capture packets;
  • be powerful enough to inject packets into the target network, so choosing the right antenna will surely help here. Please check the article "What is the best WiFi antenna for me?" to learn more about antennas. One more thing: being able to receive packets and see all the networks does not mean you can inject packets. It didn't work at all on my Ubuntu; it only worked when I used the same adapter on Kali Linux. In hindsight the reason seems to be the kernel version. To test, you just need to look at the results of aireplay-ng --test <monitoring interface, e.g., mon0>. To run aireplay-ng you'll need aircrack-ng installed. Use it right from Kali instead of installing it on your own machine, although it may not enable packet injection at first if Kali is running in a virtual machine. In that case, remember to run airmon-ng check kill before enabling monitor mode, and install the Linux kernel backports. More info in the Kali docs. If it still doesn't work, try an older Kali version with an older kernel here, together with the older repository;
  • have a proper driver for your operating system. My adapter, for example, was recognized right away when I plugged it into Ubuntu, but after lspci -vv I noticed it was using the driver for a prior model of this adapter, so it wasn't making the best of it. However, when I found the correct driver, it wasn't compatible with the newest kernel version. So far I'm dealing with it by relying on Kali's native driver instead. By the way, you can check which driver Kali is using by typing lsusb -t, because USB devices won't appear in lspci. More ways here;
  • be a USB adapter. Yes: if you want to work from a virtual machine, e.g., using VirtualBox, the VM can only see the host's Ethernet adapter, not the wireless one. That said, your only option is to pass the USB device (the USB adapter) through from the host to the guest.

Diving into hacking

After the hard part of choosing your adapter and making it work, you need to understand how WEP and WPA work, how to break each of them, and how to use the right tools to support your attack. I won't go into specific commands because you can find them in this article and many others on the internet. After all, tools change more often than concepts.

On breaking Wired Equivalent Privacy (WEP): it was deemed vulnerable because it uses a broken algorithm, RC4, and repeats Initialization Vectors: after every 5000 packets there is a 50% probability that an IV has been reused. In other words, it is possible to break WEP networks in minutes by analyzing captured packets. Such an attack has been demonstrated since 2001. So, to hack such networks, you only need to put your interface in monitor mode, capture many packets and analyze them. All those tools come out of the box in the aircrack-ng suite, although there are other tools as well.
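Where the "5000 packets, 50%" figure comes from, as an added example (not from the original post): WEP's IV is only 24 bits, so the birthday bound on 2^24 values gives a better-than-even chance of a repeated IV after a few thousand frames, long before the IV space is exhausted. The functions below compute the exact probability and the packet count at which it crosses a target.

```python
IV_BITS = 24  # WEP prepends a 24-bit IV to the RC4 key; the IV travels in the clear


def iv_collision_probability(packets: int, iv_bits: int = IV_BITS) -> float:
    """Exact probability that at least two of `packets` uniformly random IVs are equal."""
    space = 1 << iv_bits
    if packets > space:
        return 1.0  # pigeonhole: more packets than IVs guarantees a repeat
    p_distinct = 1.0
    for i in range(packets):
        p_distinct *= (space - i) / space  # i-th IV must avoid the i already used
    return 1.0 - p_distinct


def packets_for_collision(target: float = 0.5, iv_bits: int = IV_BITS) -> int:
    """Smallest packet count at which a repeated IV is at least `target` likely."""
    space = 1 << iv_bits
    p_distinct, n = 1.0, 0
    while 1.0 - p_distinct < target:
        p_distinct *= (space - n) / space
        n += 1
    return n


def expected_iv_repeats(packets: int, iv_bits: int = IV_BITS) -> float:
    """Expected number of colliding IV pairs among `packets` frames: C(n, 2) / 2^iv_bits."""
    return packets * (packets - 1) / 2 / (1 << iv_bits)


if __name__ == "__main__":
    n = packets_for_collision(0.5)
    print(f"50% chance of a repeated IV after {n} packets")
    print(f"P(repeat) after 5000 packets: {iv_collision_probability(5000):.3f}")
```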

On breaking Wi-Fi Protected Access (WPA/WPA2): secure against the previous flaw in WEP, WPA and WPA2 can, for now, only be attacked by brute force. The attacker must put his interface in monitor mode, capture the four-way authentication handshake in its entirety (you can't miss a packet here) and use a wordlist to brute-force the encrypted secret. So password strength matters a lot here. It may not be possible to break through that way, but Wireless Protected Setup (WPS), an attempt to make it easy for laypeople to set up their wireless network, introduced 3 vulnerabilities that ease exploitation. The oldest and most popular is the online PIN brute-force vulnerability, which allows attackers to gain access to the network. Reaver was developed to exploit it; it was discontinued in that repository and was taken over by the community here. In short, you can scan for networks with WPS enabled and attack them using Reaver. Unfortunately, from a defense perspective, it's not always possible to disable WPS. It depends on the vendor, but it's worth the time to verify whether you can lock WPS. That can be verified using the wash command that comes with Reaver, or using Reaver directly. It's also possible that your router automatically rate-limits requests that aim to hack WPS. Again, it depends on the vendor. I recommend you check for yourself.

That's all I have for now. Stay tuned and sign up below if you liked this article :)
