On Setting Up a WiFi Hacking Environment

I haven't been playing around with WiFi hacking for some time, so I wanted to put my skills to the test once again. To my surprise, setting up the environment is more complicated than I thought it would be. I ended up on many forums, went through a lot of troubleshooting procedures, and it took me two days to make it work. For your benefit, I'd like to share with you how to avoid the trouble that I went through.

The Basics

In short, to perform WiFi hacking, there are 2 (extremely) macro steps:

  1. Choose a WiFi adapter.
  2. Dive into hacking.

That's how I divided my efforts. The adapter part was by far the more troublesome and took much more of my time. Hacking itself means understanding the concepts and the tools, having patience, and obtaining proper authorization before attacking networks that aren't yours.

Choosing an adapter

A good adapter needs to:

  • Ideally be built on an Atheros chipset rather than Ralink, Realtek, or any other chipset. The brand of the adapter doesn't matter that much; what matters most is the chipset, but the vendor may not tell you in advance which chipset it uses. The aircrack-ng wiki page was an invaluable resource during my hunt, and you can find more tips there on how to identify the chipset.
  • Be genuine. Yes, genuine. One of the most popular adapters that use the Atheros chipset is from Alfa. The problem is that it has become too popular, and some Chinese manufacturers started counterfeiting it. This finding was shocking for me. To verify whether what you bought is counterfeit, you can ask Alfa directly by sending them the MAC address, serial number, and other information you can find, so they can check it. But that may fail, as it is susceptible to "replay attacks," right? So you need to verify more things, like shape, color, and size. After that, carefully plug it into a PC and check that the MAC address and serial number match using ifconfig and sudo lspci -vv (as root, you see more details). You can also perform a vendor lookup based on the Organizationally Unique Identifier (OUI), the first three octets of the MAC address (e.g., 01-23-45 in 01-23-45-67-89-ab). Also, expect to find many fakes on eBay and related sites.
  • Support monitor mode (the 802.11 equivalent of promiscuous mode) so it can capture packets.
  • Be powerful enough to inject packets into the target network. Choosing the right antenna will surely help here; see the article "What is the best WiFi antenna for me?" to learn more about antennas. One more thing: just because you can receive packets and see all the networks doesn't mean you can inject packets. Injection didn't work at all on my Ubuntu; it only worked when I used the same adapter on Kali Linux, and in hindsight the reason seems to be the kernel version. To test injection, check the results of aireplay-ng --test <monitoring interface, e.g., mon0>. aireplay-ng is part of the aircrack-ng suite, so use it right from Kali instead of installing it on your own machine, although injection may still fail at first if Kali is running in a Virtual Machine. In that case, remember to run airmon-ng check kill before enabling monitor mode and install the Linux kernel backports. More information is available in the Kali docs. If it still doesn't work, try an older version of Kali with an older kernel here and the older repository.
  • Have the proper driver for your operating system. For example, my adapter was recognized as soon as I plugged it into Ubuntu, but after running lspci -vv I noticed it was using the driver for a previous model of this adapter, so it wasn't performing at its best. When I found the correct driver, however, it wasn't compatible with the newest kernel version, so for now I'm sticking with the native driver in Kali. By the way, you can check which driver Kali is using by typing lsusb -t, as USB devices won't appear in lspci. You can find more ways to identify drivers here.
  • Be a USB adapter. Yes, if you want to work from a Virtual Machine such as VirtualBox, the guest only sees a virtual Ethernet adapter, not the host's wireless card. So your only option is to pass the USB device (the USB adapter) through from the host to the guest.
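As an added example (not from the original post) of the OUI check described above, here is a small Python parser that normalises a MAC address as printed on the adapter label or reported by ifconfig/ip link, rejects anything that isn't exactly 48 bits, flags the group and locally-administered bits (either one means the prefix is not an IEEE-assigned OUI), and looks the OUI up in a table. The vendor table is constructed for illustration only; in practice you look the prefix up in the IEEE registry or ask the vendor.

```python
import re

# Constructed vendor table for illustration only; real lookups go to the IEEE
# OUI registry or to the vendor. These prefixes and names are placeholders.
EXAMPLE_OUI_TABLE = {
    "00-11-22": "Example Adapter Vendor A",
    "00-AA-BB": "Example Adapter Vendor B",
}

_HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_mac(text: str) -> bytes:
    """Normalise a MAC written as xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
    Anything that is not exactly six octets is rejected, including longer strings
    that merely look like a MAC address."""
    s = text.strip()
    if ":" in s or "-" in s:
        parts = re.split(r"[:-]", s)
        if len(parts) != 6 or not all(_HEX_PAIR.match(p) for p in parts):
            raise ValueError(f"not a 48-bit MAC address: {text!r}")
        s = "".join(parts)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", s):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(s)


def is_well_formed_mac(text: str) -> bool:
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False


def oui(mac: bytes) -> str:
    """The Organizationally Unique Identifier is the first three octets."""
    return "-".join(f"{b:02X}" for b in mac[:3])


def mac_flags(mac: bytes) -> dict:
    first = mac[0]
    return {
        # I/G bit: set means a group (multicast) address, never a device's own MAC
        "multicast": bool(first & 0x01),
        # U/L bit: set means locally administered, so the prefix is not an IEEE OUI
        "locally_administered": bool(first & 0x02),
    }


def lookup_vendor(mac_text: str, table=EXAMPLE_OUI_TABLE) -> str:
    mac = parse_mac(mac_text)
    flags = mac_flags(mac)
    if flags["multicast"]:
        return "invalid: group bit set, not a device address"
    if flags["locally_administered"]:
        return "locally administered: OUI lookup is meaningless"
    return table.get(oui(mac), "unknown OUI")


def label_matches_interface(label_mac: str, interface_mac: str) -> bool:
    """Compare the MAC printed on the adapter with the one the OS reports
    (ifconfig or ip link), regardless of case or separator style."""
    return parse_mac(label_mac) == parse_mac(interface_mac)


if __name__ == "__main__":
    # Constructed sample values: the label and what the OS reported.
    print(lookup_vendor("00:11:22:33:44:55"))
    print(label_matches_interface("00:11:22:33:44:55", "00-11-22-33-44-55"))
```

A mismatch between the label and the interface, or a prefix that resolves to a vendor other than the one on the box, is a strong hint that the device is not what it claims to be; a match proves nothing on its own, which is why the physical checks above still matter.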

Diving into hacking

After the hard part of choosing your adapter and making it work, you need to understand how WEP and WPA work, how to break each of them, and how to use the right tools to support your attack. I won't go into specific commands because you can find them in this article and many others on the internet. After all, tools change more often than concepts.

On breaking Wired Equivalent Privacy (WEP): It was deemed vulnerable because it makes use of a broken algorithm called RC4 and because its 24-bit Initialization Vectors repeat: after roughly 5000 packets there is a 50% probability that an IV has already been reused. In other words, it is possible to break WEP networks in minutes by analyzing captured packets, and this attack was demonstrated as early as 2001. So, to hack such networks, you only need to put your interface in monitor mode, capture many packets, and analyze them. All those tools come out of the box in the aircrack-ng suite, although other tools are available as well.
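To put numbers on the IV claim, here is an added Python example (mine, not the article's): it computes the birthday-bound probability of a repeated IV for WEP's 24-bit IV space, and uses a plain RC4 implementation to show what a repeated IV costs, since WEP's per-packet key is simply IV || shared key. It assumes uniformly random IVs (many cards actually counted sequentially, which guarantees reuse after 2^24 packets), omits WEP's CRC-32 ICV, and uses constructed key and packet values.

```python
import math

WEP_IV_SPACE = 1 << 24  # WEP's per-packet IV is only 24 bits wide


def collision_probability(packets: int, space: int = WEP_IV_SPACE) -> float:
    """Birthday bound: probability that at least one IV value repeats among
    `packets` IVs drawn uniformly from `space` values. Exact, computed in log space."""
    if packets > space:
        return 1.0
    log_no_repeat = sum(math.log1p(-i / space) for i in range(packets))
    return 1.0 - math.exp(log_no_repeat)


def packets_for_collision(target: float, space: int = WEP_IV_SPACE) -> int:
    """Smallest number of packets after which the repeat probability reaches `target`."""
    log_no_repeat = 0.0
    packets = 0
    while 1.0 - math.exp(log_no_repeat) < target:
        log_no_repeat += math.log1p(-packets / space)
        packets += 1
    return packets


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling followed by the pseudo-random generation loop."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP payload encryption: XOR with RC4(IV || shared key). The IV travels in the
    clear, so anyone observing two packets knows when the keystream was reused."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 3 bytes")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(iv: bytes, shared_key: bytes, p1: bytes, p2: bytes) -> bool:
    """With a repeated IV the keystream is identical, so c1 XOR c2 == p1 XOR p2:
    the cipher cancels out and the relationship between plaintexts is exposed."""
    c1 = wep_encrypt(iv, shared_key, p1)
    c2 = wep_encrypt(iv, shared_key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    print("packets for 50% IV reuse:", packets_for_collision(0.5))
    # Constructed 40-bit key and IV, not values from any real network.
    key, iv = b"\x0b\xad\xc0\xff\xee", b"\x01\x02\x03"
    print("reused IV leaks plaintext XOR:",
          keystream_reuse_leak(iv, key, b"first packet", b"other packet"))
```

The birthday computation lands just under 5000 packets for a 50% chance of reuse, which is the figure quoted above; a busy network produces that many frames in seconds, and every such pair hands the analyst a keystream relationship for free.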

On breaking Wi-Fi Protected Access (WPA/WPA2): While it is secure against the previous flaw in WEP, WPA and WPA2 can, for now, only be attacked using brute force. The attacker must put their interface in monitor mode, capture the four-way authentication handshake in its entirety (not missing any packets), and then use a wordlist to brute-force the passphrase offline against the captured handshake. So the password strength matters a lot here. It may not be possible to break through, but there is a vulnerability in Wi-Fi Protected Setup (WPS), an attempt to make it easy for laymen to set up their wireless network, which introduces 3 vulnerabilities that ease exploitation. The oldest and most popular is the online PIN brute-force vulnerability, which allows attackers to gain access to the network. Reaver was developed to exploit this vulnerability; it was discontinued in that repository and was embraced by the community here. In short, you can scan for networks with WPS enabled and attack them using Reaver. Unfortunately, from a defense perspective, it's not always possible to disable WPS. It depends on each vendor, but it's worth the time to verify whether you can lock WPS down. You can verify this using the wash command that comes with Reaver or by using Reaver directly. It's also possible that your router automatically rate-limits requests that aim to hack WPS. Again, it depends on each vendor, so I recommend checking for yourself.
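Added Python example (not the article's own code) for the two points above. The first part derives the WPA/WPA2-Personal pairwise master key exactly as IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), so you can see that every wordlist guess costs one PBKDF2 run and that nothing but the passphrase's entropy protects the network. The second part simulates the WPS PIN design flaw against a constructed in-memory registrar oracle (no radio, no device; the class and function names are mine) and shows how a vendor lockout after a few failures stops the independent-halves search cold.

```python
import hashlib
import hmac
from typing import Optional


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK per IEEE 802.11i: PBKDF2-HMAC-SHA1 over the passphrase
    with the SSID as salt, 4096 iterations, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def wordlist_recovers(wordlist, ssid: str, target_pmk: bytes) -> Optional[str]:
    """Offline guessing reduced to its core: one PBKDF2 per candidate. A real tool
    checks each candidate against the handshake MIC instead of a bare PMK, at the
    same per-guess cost; the AP plays no part once the handshake is captured."""
    for candidate in wordlist:
        if hmac.compare_digest(wpa_pmk(candidate, ssid), target_pmk):
            return candidate
    return None


def wps_checksum(first_seven: str) -> int:
    """Checksum digit of a WPS PIN: odd-position digits weighted 3, even-position 1."""
    digits = [int(c) for c in first_seven]
    acc = 3 * sum(digits[0::2]) + sum(digits[1::2])
    return (10 - acc % 10) % 10


def wps_pin_is_valid(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


class WpsRegistrarOracle:
    """Hypothetical stand-in for an AP's WPS registrar, constructed for this simulation.
    It mirrors the protocol flaw: the response reveals whether the first four digits
    were right before the last four are checked. `lockout_after` models a vendor
    rate limit that refuses further attempts after that many failures."""

    def __init__(self, pin: str, lockout_after: Optional[int] = None):
        self.pin = pin
        self.lockout_after = lockout_after
        self.attempts = 0
        self.failures = 0

    def try_pin(self, candidate: str):
        if self.lockout_after is not None and self.failures >= self.lockout_after:
            raise RuntimeError("WPS locked by the registrar")
        self.attempts += 1
        first_ok = candidate[:4] == self.pin[:4]
        second_ok = first_ok and candidate[4:] == self.pin[4:]
        if not second_ok:
            self.failures += 1
        return first_ok, second_ok


def split_pin_search(oracle: WpsRegistrarOracle) -> Optional[str]:
    """Because the halves are confirmed independently, the worst case is
    10**4 + 10**3 = 11000 attempts instead of the 10**7 valid PINs."""
    first_half = None
    for a in range(10**4):
        candidate = f"{a:04d}0000"
        first_ok, second_ok = oracle.try_pin(candidate)
        if second_ok:
            return candidate
        if first_ok:
            first_half = candidate[:4]
            break
    if first_half is None:
        return None
    for b in range(10**3):
        tail = f"{b:03d}"
        pin = first_half + tail + str(wps_checksum(first_half + tail))
        if oracle.try_pin(pin)[1]:
            return pin
    return None


def run_online_pin_search(pin: str, lockout_after: Optional[int] = None) -> dict:
    """Drive the search against the oracle and report the outcome and attempt count."""
    oracle = WpsRegistrarOracle(pin, lockout_after)
    try:
        found = split_pin_search(oracle)
    except RuntimeError:
        return {"outcome": "locked out", "attempts": oracle.attempts}
    return {"outcome": "found" if found == pin else "not found",
            "attempts": oracle.attempts}


if __name__ == "__main__":
    print(wpa_pmk("password", "IEEE").hex())          # 802.11i Annex test vector
    print(run_online_pin_search("12345670"))           # constructed PIN, no lockout
    print(run_online_pin_search("12345670", lockout_after=3))
```

The contrast between the two runs is the whole defensive argument: with no rate limit the constructed PIN falls in a few thousand oracle calls, while a lockout after three failures ends the search before it starts, which is exactly what you are checking for when you test your own router with wash or Reaver.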

That's all I have for now. Stay tuned and sign up below if you liked this article :)
