Table of Contents
- Preparing Wireless Infrastructure for WiFi Hacking Operations
- Enable Network Monitor Mode on
- Approach 1: Enabling Monitor Mode via ifconfig and iwconfig
- Approach 2: Enabling monitor mode with Airmon-ng
- Verifying Packet Injection Functionality with Aireplay-ng
- Monitoring Beacon Frames on Wireshark
- Monitoring the traffic using Airodump-ng
Over time, many homes and organizations have moved toward wireless networks. One of the reasons, why people are switching to wireless networks is, to overcome physical limitations. From a hacker’s perspective, wireless networks are an easy target; when compared with wired networks, they are easy to sniff and attack.
Throughout this series, we'll explore a range of attacks targeting wireless networks. We'll begin by examining methods to bypass common low-level security measures employed by network administrators, such as hiding SSIDs and enabling MAC filtering. Then, we'll delve into the core of this series, demonstrating the simplicity of cracking WEP/WPA/WPA2 pre-shared keys. Lastly, we'll discuss setting up a fake access point and compromising anyone connecting to it.
Preparing Wireless Infrastructure for WiFi Hacking Operations
- A wireless access point.
- A wireless adapter is capable of packet injection.
These two components are essential for our purposes. We use our own access point to ensure ethical behavior; attacking a neighbor's network would be unethical. As a penetration tester or ethical hacker, it's crucial to uphold ethical standards.
The second requirement, a wireless adapter, is paramount. It must support packet injection and be capable of operating in monitor mode for sniffing. Personally, I recommend the TP-Link AC600 wireless adapter for its affordability and compatibility with both 2.4 and 5 GHz frequencies. You can also explore additional options listed in my blog.
.png)
Once you have a tp-link AC600 adapter that supports packet injection, then plug in the adapter to your computer, and since we are running Parrot Security OS from our virtual machine, we need to attach the network adapter to our Parrot security Operating system machine.
This can be done by going into the menu
at the bottom of your PC → USB → Click on the Realtek 802.11ac WLAN adapter. It will automatically manage to detect our network adapter.
Next, we will execute the “iwconfig” command to confirm that our Parrot security machine has been able to detect our network adapter.
Our Parrot Security machine has managed to detect our wireless network adapter; however, as we can see, it is not associated with any access point.
We could use the network manager from the top of the window to check the available wireless networks.
.png)
Once we have connected to the appropriate access point and executed “iwconfig”, we will see that the interface contains information regarding ESSID, MAC address, etc.
Reasons for Avoiding Kali Linux for WiFi Penetration Testing
One major issue encountered with Kali Linux was the need to manually install drivers when connecting a WiFi adapter. To check if your adapter is recognized, use the " lsusb " command.
As you can see my adapter is listed here. To install the adapter, I used the command:
This command downloads the preferred Realtek adapters. After installation, it's essential to reboot the system. However, even after these steps, running " iwconfig " showed no wireless extensions detected.
I thought there would be a problem with the Virtual Box Guest addition. So, I attempted to address this issue by installing VirtualBox Guest Additions, which involved copying the disk contents to the desktop and running the installation program:
.png)
Unfortunately, I encountered a problem where the kernel headers were not found for Kali Linux's latest version, even after attempting a distribution upgrade.
Given these challenges, I opted to switch to the Parrot Security operating system.
Enable Network Monitor Mode on
To effectively conduct Wi-Fi penetration testing, we first switch our network card to monitor mode. This mode, also known as RFMON (Radio Frequency MONitor) mode, enables a wireless network interface controller (WNIC) to capture all traffic on a wireless channel.
Monitor mode is crucial for sniffing on wireless networks. The TP-Link AC600 card offers this capability, ensuring your network card can sniff in monitor mode for this task.
In monitor mode, your card can capture every packet in its vicinity.
By default, wireless devices operate in "Managed" mode, which restricts them to capturing packets with their own MAC address as the destination.
Approach 1: Enabling Monitor Mode via ifconfig and iwconfig
To switch the network card to monitor mode, use the following command:
So now we can see that we have successfully enabled monitor mode on the wlx5ca6e6d99859 interface. We can use the "iwconfig" command to confirm all the interfaces that have monitor mode enabled.
There is another tool that is used in terms of enabling monitor mode. The tool is mostly used tool is airmon-ng.
Approach 2: Enabling monitor mode with Airmon-ng
|
|
|
Before using the airmon-ng tool, firstly we have to change the mode to manage. Once you did, we can use the airmon-ng start and paste the interface name command to change the network card to the monitor mode.
.png)
So now we can see that we have successfully enabled monitor mode on the wireless interface. We can use the iwconfig command to confirm all the interfaces that have monitor mode enabled.
Verifying Packet Injection Functionality with Aireplay-ng
Let’s check if the wireless adapter is capable of packet injection or not using the aireplay-ng --test <adapter name> .
.png)
On execution, it will check and you can see the result on my screen, which means it is capable of packet injection.
Monitoring Beacon Frames on Wireshark
Now that we have the monitor mode enabled, we will sniff on the network interfaces, which will bring us beacon frames containing the SSID that is being broadcasted. If the SSID is not broadcasted, it won’t show up.
Firstly start Wireshark, and select the appropriate interface.
.png)
We selected the appropriate interface to sniff on. Now, we can see beacon frames from other access points, which we are not associated with.
.png)
Whenever the client authenticates against the access point with the hidden SSID, it will send an SSID parameter; therefore, we can easily figure out what the real SSID is.
Monitoring the traffic using Airodump-ng
The easy way around this is to use airodump-ng to start monitoring the traffic; as soon as the client authenticates, the SSID will be revealed.
Airodump-ng is a packet capture utility that captures and saves raw data packets for further analysis.
To capture the packets use airodump-ng and specify the interface name.
Before executing let me start the hotspot of my smartphone. One of them is broadcasting a 2.4 GHz frequency band and another one is a 5GHZ frequency band.
On execution, it will start sniffing all of the information of access points around me. As you can see we have one access point listed, which is a 2.4GHz band access point. So it means
By default, the airodump-ng is set to the 2.4 GHz band. So we have to specify the band while on execution.
On execution, you will be sniffing all of the information of access points that are not listed previously, which means sniffing is set to the 5 GHz frequency band.
I hope you understand, how a wireless adapter is important for wireless penetration testing.
