WiFi Penetration Testing

Learning objectives and notes

I will try to build on the knowledge already available on the Internet. If there is anything I overlooked, please let me know. I learn from constructive advice, so don't hesitate to post your thoughts and experience. All tests on networks that I do not own are passive, as I do not have permission to delve deeper and I would like to stay within the framework of UK law on the subject. It is all for educational purposes, people!

The project: to set up a fully operational wireless testing environment covering the planning, reconnaissance and scanning phases of penetration testing. It will explore the processes of the three bottom layers of the OSI model: physical and data link.

Planning: The purpose of the assignment is to:

1. Discover local networks and explain their security implementations (data link).
2. Enumerate devices connected to the discovered networks (data link).
3. Discuss possible attack vectors and exploitation methods (on my own network) that a compromised target may unpleasantly experience should their security measures fail to deliver (network and transport).

Tools of the trade:

1) Headless Raspberry Pi 3 Model B
2) Tools available in the Kali Linux 2018.1 RPi3 image with Nexmon firmware, thanks to the Re4son kernel at http://whitedome.com.au/
3) Wireless adapter capable of running in monitor mode with packet injection support - AWUS036AC* - to explore 2.4GHz networks as well as 5GHz ones, lately more popular due to their speed (but limited range).

* aircrack-ng suite

There were issues with the driver implementation in earlier versions of Kali Linux regarding the 8812au driver (for the AWUS036AC wireless adapter - second from the left in the picture), e.g. airodump-ng not showing any output, or aireplay-ng wlanX -9 not confirming packet injection. Solution:

apt-get update
apt install realtek-rtl88xxau-dkms

With the above drivers, injection on both bands works fine once you lock the channel, e.g. airodump-ng wlanX -c X (36 and up for 5GHz). To send de-authentication requests with aireplay-ng without the issue of the AP "not being found", use aireplay-ng with the -D option to "disable AP detection". I have also noticed that there is no need to call the airmon-ng or iwconfig tools to set the card in monitor mode. It works "out of the box".

Kismet

In order to avoid problems (Kismet closing down the wlanX source) with the AWUS036AC, blacklist wlanX in /etc/NetworkManager/NetworkManager.conf by adding to the file:

[keyfile]
unmanaged-devices=interface-name:wlanX

Scanning and reconnaissance on the data link layer:

Preparation: Before we start using aircrack-ng it is worthwhile to update the OUI database in the various tools we will be using. OUI is short for Organizationally Unique Identifier: the first 24 bits of the MAC address of a network-connected device, which identify the vendor of that device. The IEEE assigns OUIs to vendors. (The last 24 bits of the MAC address are the device's unique serial number, assigned by the manufacturer.) In short, we should be able to see more recognised devices (instead of unknown MAC addresses) while we conduct our tests. This is vital information if you want to focus your attack vectors on a specific manufacturer.

airodump-ng can update its database by running airodump-ng-oui-update. This will update the existing one in /var/lib/ieee-data/oui.txt. We can then use the --manufacturer option of airodump-ng to identify unusual routers and their make.

Kismet can take advantage of this database as well. In order to do that, run:

$ sudo mkdir -p /usr/share/wireshark/
$ cd /usr/share/wireshark/
$ sudo wget -O manuf http://anonsvn.wireshark.org/wireshark/trunk/manuf
$ sudo cp manuf /etc/manuf
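An added example (not code from this post or from the aircrack-ng or Kismet projects) of what the OUI lookup above actually does: it resolves a MAC to a vendor from a table in the tab-separated layout of the Wireshark manuf file, and it also explains the case the table cannot cover, a locally administered (randomised or software-set) address, which is why some stations always show as unknown. The three-entry MANUF_EXCERPT is a constructed sample of that layout.

```python
# Added example (not code from the original post): resolve a MAC address to its
# vendor using an OUI table in the tab-separated layout of Wireshark's manuf
# file (the file the Kismet steps fetch), and explain a miss when the address
# is locally administered, which is how randomised or software-set MACs look.
# MANUF_EXCERPT is a constructed three-entry excerpt of that layout.
MANUF_EXCERPT = """\
# OUI<TAB>short name<TAB>long name
00:00:0C\tCisco\tCisco Systems, Inc
B8:27:EB\tRaspberr\tRaspberry Pi Foundation
00:50:56\tVMware\tVMware, Inc.
"""

def parse_manuf(text):
    """Build {'B8:27:EB': 'Raspberry Pi Foundation', ...} from manuf-style lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        # keep plain 24-bit OUIs only; manuf also lists /28 and /36 blocks
        if len(fields) >= 2 and len(fields[0]) == 8:
            table[fields[0].upper()] = fields[-1]   # last field is the long name
    return table

OUI_TABLE = parse_manuf(MANUF_EXCERPT)

def normalise_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff; return AA:BB:CC:DD:EE:FF."""
    digits = "".join(c for c in mac if c not in ":-.").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """Bit 1 of the first octet set: assigned by software, not burned in by a vendor."""
    return bool(int(normalise_mac(mac)[:2], 16) & 0x02)

def lookup_vendor(mac, table=OUI_TABLE):
    """Vendor for the OUI, or the reason the OUI cannot name a manufacturer."""
    mac = normalise_mac(mac)
    vendor = table.get(mac[:8])
    if vendor:
        return vendor
    if is_locally_administered(mac):
        return "locally administered (randomised or spoofed; not an IEEE OUI)"
    return "unknown OUI"
```

Point lookup_vendor at parse_manuf(open("/etc/manuf").read()) to use the full table fetched above.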

Picture showing Kismet updating its OUI database we created earlier.

The above card is also capable of increasing its txpower - the setting specifies the strength of the signal that the adapter produces while it is transmitting. I have not tested the maximum yet, but you can safely increase its power from 18dBm to 30dBm by running iwconfig wlanX txpower 30. This option is most useful if you try to reach distant networks or want to increase connection quality when running the tools.

Scanning. Getting to know the capabilities of airodump-ng.

The default, simplest airodump-ng wlan2 (in my case) will return a sweep of the local Access Points broadcasting on 2.4GHz in the vicinity and the associated clients belonging to each AP. A 45 second run gathered 32 different networks. Not bad, let's see what else it can do.

root@RPiKali:/# airodump-ng --help

  Airodump-ng 1.2 rc4 - (C) 2006-2015 Thomas d'Otreppe
  http://www.aircrack-ng.org

  usage: airodump-ng <options> <interface>[,<interface>,...]

  Options:
      --ivs                 : Save only captured IVs
      --gpsd                : Use GPSd
      --write <prefix>      : Dump file prefix
      -w                    : same as --write
      --beacons             : Record all beacons in dump file
      --update <secs>       : Display update delay in seconds
      --showack             : Prints ack/cts/rts statistics
      -h                    : Hides known stations for --showack
      -f <msecs>            : Time in ms between hopping channels
      --berlin <secs>       : Time before removing the AP/client
                              from the screen when no more packets
                              are received (Default: 120 seconds)
      -r <file>             : Read packets from that file
      -x <msecs>            : Active Scanning Simulation
      --manufacturer        : Display manufacturer from IEEE OUI list
      --uptime              : Display AP Uptime from Beacon Timestamp
      --wps                 : Display WPS information (if any)
      --output-format
                  <formats> : Output format. Possible values:
                              pcap, ivs, csv, gps, kismet, netxml
      --ignore-negative-one : Removes the message that says
                              fixed channel <interface>: -1
      --write-interval
                  <seconds> : Output file(s) write interval in seconds

  Filter options:
      --encrypt   <suite>   : Filter APs by cipher suite
      --netmask <netmask>   : Filter APs by mask
      --bssid     <bssid>   : Filter APs by BSSID
      --essid     <essid>   : Filter APs by ESSID
      --essid-regex <regex> : Filter APs by ESSID using a regular
                              expression
      -a                    : Filter unassociated clients

  By default, airodump-ng hop on 2.4GHz channels.
  You can make it capture on other/specific channel(s) by using:
      --channel <channels>  : Capture on specific channels
      --band <abg>          : Band on which airodump-ng should hop
      -C    <frequencies>   : Uses these frequencies in MHz to hop
      --cswitch  <method>   : Set channel switching method
                    0       : FIFO (default)
                    1       : Round Robin
                    2       : Hop on last
      -s                    : same as --cswitch

      --help                : Displays this usage screen

By adding:

airodump-ng wlan2 --output-format netxml --manufacturer --uptime --wps --band a -c 44

Output of the command.

We are able to add --output-format netxml, the format of the output file in which the scan will be saved for future analysis. With --manufacturer we will be able to see the manufacturer providing an AP. --uptime will display the time since a router has booted. --wps will reveal the WPS option set up on the router. --band a will lock the band (5GHz in this case) we are trying to focus on, and -c 44 will lock the scan to that one particular channel, for a faster and more concentrated view of associated clients as well as faster updates on the behaviour of the network we are trying to observe.

"The Data layer is synonymous with the MAC addresses of machines. This is the basic way that computers are able to create data channels among themselves - it all begins with the unique device identifiers called MAC addresses. These identifiers are like hardware fingerprints. (Changing your MAC address with a tool like Macchanger is akin to changing your fingerprints, and can potentially raise Hell on a network.) MAC addresses usually encode information about the manufacturer in the first 6 hex digits; for example, most or all Apple computers share a set of MAC prefixes. These prefixes can be looked up online or using software libraries in the kernel, and will tell you the manufacturer of a given device."

Fun with the data link layer:

IT enthusiasts like to solve problems using our knowledge of the electronics around us. My problem is that I get so engrossed in my subject that I forget to do the house chores before my partner arrives. That frustrates both her and me! I needed a solution to that problem. One idea was to implement some kind of system that would notify me when my partner, with her mobile phone, is in the vicinity of my flat, so I can quickly spruce up the place before she comes in!

Creating a WiFi surveillance system.

Using the information we are able to collect through our data gathering activities, we can potentially design a system that allows us to track devices connected to the network and estimate their approximate distance from our WiFi adapter using their PWR (signal strength in dBm). As I am just starting my endeavours in IT security, I am not yet proficient enough in the Python programming language to write my own scripts, therefore I need to rely on people who had similar ideas in the past. One such program, already created by more knowledgeable folks, is WUDS - WiFi User Detection System - which relies on gathering the probe requests (described in First Steps of this blog) emitted by the internal WiFi cards of said mobile phones. With a slight modification of the code I was able to run it on my RPi, which allowed me to listen to connection attempts from many metres away (thanks to a directional antenna) and text my mobile via the Pushover app. No more surprises and unintended visits! She seemed quite impressed with it too! All those things men do to impress their women ;)

Interesting perspective on WiFi security

There are many concepts in cybersecurity that can be aided by creative thinking skills. Take for example the PSK (pre-shared key) exchange between a wireless device and a router that allows you to connect to the Internet and watch Netflix or cute cats. To picture this process, imagine you (station) are going to a secret pub (access point) called Tribeca (ESSID) where they ask you for the password to get in. You knew in advance what kind of place it was - it had a huge banner advertising its services (beacon), and its security measures (WPA2) were no surprise to a guy willing to visit (probe request) that sort of place - you had the password (PSK) in advance after all. The bouncer (authentication server) on the door asks for the password (PSK), and unless you have it, you cannot come in, because what happens is "the station and the authentication server negotiate and authenticate until both sides are convinced that they are talking to whom they expect and that each side knows the proper secrets. At this point, the authentication server sends an EAP success message", opens the door and invites you to come in. From this point on you are connected to the network! In simple terms, this happens within milliseconds when you enter the vicinity of a known "WiFi". What is interesting is that the device you carry in your pocket will send probe requests for its saved connections all the time, authenticating automatically to the places where you have used WiFi. So, yeah, if you have ever connected to Tribeca, chances are this information can easily be captured with a wireless adapter in monitor mode and used to create a profile of what kind of person you might be. Have you connected to Shopping Center-WiFi, eaten at restaurant-WiFi, gone to Library-WiFi on your lunch break, and come back to work-WiFi within 2 miles of Home-WiFi? All conveniently mapped with the use of www.wigle.net.

If I had asked you years ago whether you would agree to have your location information exposed for others to see, would you have said yes? I am not trying to make anyone anxious, but to point out that with the use of technology we need to consider being comfortable with giving up a certain amount of our privacy to make our lives easier in 2018.
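An added example (not code from this post, nor from WUDS) that serves both the "Creating a WiFi surveillance system" section and the closing point about probe requests: it parses the station table of an airodump-ng CSV dump (the csv output format listed in the help above), raises a hit when a watch-listed MAC is seen above a signal threshold, and lists the saved networks each unassociated station probed for, which is exactly the data that lets an observer build the kind of profile described above. SAMPLE_CSV is a constructed capture in airodump-ng's CSV layout; the MACs, timestamps and ESSIDs are invented.

```python
# Added example (not code from the original post or from WUDS): parse the
# station table of an airodump-ng CSV dump (--output-format csv), alert when
# a watch-listed MAC is seen above a signal threshold (the "partner is nearby"
# detector idea), and list what each unassociated station probed for (the data
# the closing section says can be turned into a location profile).
# SAMPLE_CSV is a constructed capture in airodump-ng's CSV layout; all MACs,
# timestamps and ESSIDs are invented.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2018-05-01 10:00:00, 2018-05-01 10:00:45,  44,  866, WPA2, CCMP, PSK, -41,      120,        0,   0.  0.  0.  0,   7, Tribeca, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2018-05-01 10:00:05, 2018-05-01 10:00:40, -55,       30, AA:BB:CC:00:00:01, Tribeca
DA:A1:19:00:11:22, 2018-05-01 10:00:10, 2018-05-01 10:00:44, -78,        5, (not associated) , Home-WiFi,Library-WiFi
"""

def parse_stations(csv_text):
    """Return the station records (clients) from an airodump-ng CSV dump."""
    stations, in_stations = [], False
    for line in csv_text.splitlines():
        if line.startswith("Station MAC"):
            in_stations = True          # header of the second table
            continue
        if not in_stations or not line.strip():
            continue
        # 7 columns; the last one may itself contain commas (several ESSIDs)
        parts = [f.strip() for f in line.split(",", 6)]
        if len(parts) < 7:
            continue
        stations.append({
            "mac": parts[0].upper(),
            "power": int(parts[3]),     # dBm as reported by the adapter (-1 = unknown)
            "bssid": parts[5],
            "probed": [p.strip() for p in parts[6].split(",") if p.strip()],
        })
    return stations

def nearby_watchlist_hits(stations, watchlist, min_power_dbm=-70):
    """Watch-listed MACs seen at or above the threshold, i.e. roughly within range."""
    wanted = {m.upper() for m in watchlist}
    return sorted(s["mac"] for s in stations
                  if s["mac"] in wanted and s["power"] >= min_power_dbm)

def probe_profile(stations):
    """Map each unassociated station to the saved networks it asked for."""
    return {s["mac"]: s["probed"] for s in stations
            if s["bssid"] == "(not associated)" and s["probed"]}
```

Feed it the -01.csv file that airodump-ng -w writes and re-run it on each write interval to get the live behaviour the WUDS set-up provides.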