Wi-Fi total PWN. Mastering actual Wi-Fi pentesting techniques from scratch

The best way to check the network’s security is by trying to hack it. In the past, HackMag had published materials about auditing Wi-Fi networks. Unfortunately, such guides quickly become obsolete. Today, I will share some practical and up-to-date experience in this area.

What equipment is required to audit wireless networks?

In fact, you don’t need a lot: a Linux laptop and a USB Wi-Fi adapter. In theory, you can try using a smartphone as well, but some attacks require two USB ports. As a last resort, a laptop without a hard drive and, accordingly, with no OS installed would suffice, too.

WARNING

All information provided in this material is intended for educational purposes only. Neither the author nor Editorial Board can be held liable for any damages caused by improper usage of this publication.

What OS to use for wardriving?

Linux lets you control devices (including dongles) via open-source drivers. You may pick virtually any distribution, but the handiest ones are ready-to-use builds, for instance, BlackArch, BackBox, Parrot Security, and Kali Linux.

Kali Linux builds are the most popular because they include, out of the box, some hacking utilities, drivers for the majority of chipsets suitable for wardriving, and special configuration tweaks.

INFO

Most recent versions of Kali have undergone significant transformations compared to the older ones. Today, Kali can visually impersonate Windows (to make sure weird things don’t appear on the victim’s monitor); root access is disabled by default (you may either enable it or type sudo before commands requiring super-user privileges); and, most importantly, Kali now supports the new 802.11ac dongles and lets you boost the power of Wi-Fi adapters.

How to use Linux without removing Windows?

The developers don’t recommend installing Kali on a hard drive although technically, a multiple boot option is possible (e.g. with GRUB). The point is the potentially dubious legitimacy of your actions during an audit; so, for your own security, it is preferable to use the Live Persistence mode. For the purposes of a Wi-Fi audit, this mode is not much different from the installed OS. All updates, configs, new scripts, and your personal files will be saved in the persistent volume and applied at the next restart in the Persistence mode. To raise the security level even higher, you can also encrypt it.

In my opinion, an SD Card is better than a flash drive because it doesn’t require a USB port. USB ports, especially individually powered ones, are in limited supply on laptops. You may use a Class 10 card (the declared sequential write speed is 10 MB/s), but the best variant is a UHS-I V30 or faster (provided that the built-in card reader supports it).

How to create a boot-up Kali flash drive with a persistent volume?

You have to create two partitions on the USB flash drive or SD card. The first partition (FAT32) stores the OS: the image downloaded from kali.org should be unpacked on that partition. The second partition (ext3) will store the OS settings and user session data.

Disk partition scheme with a persistent volume

Windows can neither work with flash drives that have more than one partition nor read ext3. However, you can use a free utility, Rufus, for that purpose. Important: use the ‘regular’ version (not the portable one).

Creating a boot-up flash drive

How to select a Wi-Fi adapter for wardriving?

You will need a dongle that can switch to the sniffing mode and inject network packets (the latter feature is preferable but not mandatory). The list of functions supported by the adapter depends on its chipset and the driver. A large chart of Linux wireless drivers is available on kernel.org.

Check this chart for drivers with “yes” in the “monitor” column, “N” or “AC” in the “PHY modes” column (to make sure that the driver supports relatively new standards), and “USB” in the “Bus” column.

More information on the drivers can be found in these two tables. The main principle is the same: search for the combination “802.11n(ac) + monitor mode + USB”.

At the time of the writing (January 2020), the list of drivers meeting these criteria was not too long: ath9k_htc, carl9170, mt76, mt7601u, p54, rt2800usb, rt2x00, rtl8187, rtl8192cu, zd1211, and zd1211rw.

Clicking on each of the drivers, you can see the respective lists of supported chipsets and adapter models. Take, for instance, ath9k_htc: its page provides the list of chipsets (the only one having the USB interface is AR9271) and a link to the device list. Upon reviewing it, you can see that the TL-WN722N model is suitable for wardriving because it is equipped with a removable external antenna.

I recommend reviewing other combinations of drivers, chipsets, and models following the same scheme and composing a list of suitable devices. Then you can select adapters that fit your needs and purchase one or several dongles to start with. Important: check the device version carefully. Sometimes models having the same model number but different revisions are, in fact, different devices in identical cases.

The above lists of drivers are updated by volunteers; accordingly, unpredictable delays with new entries are inevitable. In reality, the list of suitable chipsets is much longer. In the past, it consisted mostly of Ralink and Atheros devices, but now it includes Realtek RTL8812AU and RTL8814AU as well. The latter model supports 802.11ac, the monitoring mode (packet sniffing), and packet injection. However, it requires a USB 3.0 (900 mA and 5 Gbps instead of 500 mA and 0.48 Gbps in USB 2.0).

Why buy several Wi-Fi adapters?

You will need several Wi-Fi adapters to perform sophisticated attacks (e.g. Evil Twin) and raise the success rate for other attacks. There are no universal adapters in the world. Each device has specific features. For instance, the above-mentioned AR9271-based dongles are better for attacks on WPS. Devices based on the RT3572, RT5572, and RTL881xAU chipsets can attack targets in the 5 GHz range, while old models based on the RTL8187L chip see targets located hundreds of meters from you because they support 802.11g. Of course, this standard is obsolete, but many new 802.11ac/ax routers still support it in the compatibility mode.

Why Alfa Network dongles are recommended for wardriving?

This Taiwanese manufacturer specializes in wireless equipment and makes slightly better (and much more expensive) wireless dongles than its competitors. For instance, many Alfa Network adapters feature shielding (which increases the receiver’s sensitivity) or add built-in signal amplifiers (that raise the peak power of the transmitter). Almost all models are equipped with removable antennas, allowing you to attach a better one if needed. A special section on its website, Kali WiFi USB, is dedicated to adapters supporting the sniffing mode in Kali Linux. If you have no time but have some extra money, Alfa Network is your choice.

How to configure the system for pentesting?

If you run Kali in its default configuration and use an out-of-the-box Wi-Fi adapter, you can probably hack only your own router located in the same room. To perform remote attacks from the street (or adjacent premises), you must perform the following steps:

  • disable the power saving feature in the Wi-Fi adapter;
  • increase the dongle’s power;
  • prepare dictionaries for password attacks;
  • update integrated software and install additional tools; and
  • check and save the changes.

How to disable Wi-Fi power saving in Kali?

Type the following lines in the terminal:

iw dev # Displaying the list of Wi-Fi adapters and identifying the external dongle by its MAC address
iw dev wlan1 set power_save off # In this particular example, the name of the external dongle is wlan1

If you disable the power saving feature and boost the adapter’s signal, don’t forget to arrange its cooling. It is preferable to use USB 3.0 or powered USB 2.0 ports.

How to increase the power of your Wi-Fi adapter?

This can be done in two ways. The first one involves tweaking the global settings in Kali; this method is suitable for adapters reading the regional code from the OS.

Method 1

First, check the current parameters:

  • iw dev displays the list of wireless adapters and the maximum power permitted by the current settings. In most cases, you will see txpower 20.00 dBm (+20 decibel-milliwatts). In theory, this means that the power of your adapter is 100 mW; in reality, the target routers likely won’t hear your ‘whistle’;
  • iw reg get displays global settings restricting the Wi-Fi usage, including the country code according to the ISO 3166-1, available frequency ranges, and channel width. If the output is country 00, then the country is not set, and severe restrictions are in place.

Guyana (GY) and Belize (BZ) have the most liberal rules, allowing ten times the power level for Wi-Fi adapters. The respective record in the database looks as follows:

country BZ: DFS-JP
    (2402 - 2482 @ 40), (30)
    (5735 - 5835 @ 80), (30)

DFS means Dynamic Frequency Selection. It may be implemented according to the American (FCC), European (ETSI), or Japanese (JP) scheme. No need to change it.

Then the frequency windows in the 2.4 and 5 GHz ranges and the channel width (in MHz) are specified. These parameters determine how many channels you can see.

To change the region, type the following lines in the terminal:

iw reg set BZ # Imaginatively teleporting to Belize together with the laptop
ip link set wlan1 down # Disabling the external dongle marked as wlan1
iw dev wlan1 set txpower fixed 2300 # Doubling the transmitter's power; iw takes the value in mBm, so 23 dBm = 2300 mBm
ip link set wlan1 up # Re-enabling the dongle

A logarithmic scale applies here: doubling the power raises the level by 3 dB (from 20 to 23 dBm). In other words, TxPower(dBm) = 10 · log10(P / 1 mW), where P is the power in milliwatts. Note that iw expects the value in mBm (hundredths of a dBm), so 23 dBm is written as 2300.

Changing the region and increasing the power to 1000 mW

Don’t rush to maximize your dongle’s power. Each device has its optimum power range that can be identified only experimentally. For instance, one of my adapters works more stably at 27 dBm (500 mW) than at 30 dBm (1000 mW). Another one reaches its maximum at 23 dBm.

If you have purchased a high-quality dongle with a significant power reserve (e.g. designed for outdoor use), try the PA region. This is Panama; it permits transmitters up to 4 W (36 dBm). Note however, that the USB 2.0 port won’t be able to supply enough power for it; you will need a USB 3.0 or an additional power source.

Method 2

This method is suitable for Wi-Fi adapters with a hardcoded regional code (e.g. all Alfa Network dongles I had dealt with). They ignore the global settings (including iw reg set BZ); therefore, you have to change the country-specific restrictions embedded in the dongle’s memory.

iw reg get # Checking the country the adapter was manufactured for
git clone https://kernel.googlesource.com/pub/scm/linux/kernel/git/sforshee/wireless-regdb # Cloning the wireless regulatory database
cd wireless-regdb/ # Opening this folder
gedit db.txt # Editing the database

Altering power constraints for a Wi-Fi transmitter in its regional settings

Find the required country by its code and replace everywhere the maximum power level of 20 (dBm) in brackets with 30 (or even 33, i.e. 2000 mW). Similar changes should be made for the country 00 (and for other countries, if you want) and saved in db.txt.

In the past, in order to compile the database from a text file and sign it, you had to install the Python bindings for OpenSSL (M2Crypto) yourself; newer versions of Kali include them (python3-m2crypto). Therefore, after running make, you will get a new regulatory.bin where all restrictions are lifted (i.e. replaced by significantly higher values).

The modified database enables a more powerful Wi-Fi signal

Delete the old (original) database and replace it with the modified one, then copy your public key (the database is digitally signed and is verified against the keys in that folder) and reboot.

rm /lib/crda/regulatory.bin
cp regulatory.bin /lib/crda/regulatory.bin
cp $USER.key.pub.pem /lib/crda/pubkeys/
reboot

Altering power constraints in the regional settings

Voila! After rebooting in the Live USB Persistence mode, you can set higher power levels for the adapters using the standard commands.

ip link set wlan1 down # Disabling the dongle
iw dev wlan1 set txpower fixed 2300 # Doubling the power (23 dBm = 2300 mBm)
ip link set wlan1 up # Enabling the dongle

Checking the result:

iw reg get

The displayed information should be similar to that shown on the screenshot below (the power increased by 10 dBm).

The Wi-Fi adapter's power increased by 10 times
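A parser and checker for the db.txt records described above, written as an added example (not the article's or the wireless-regdb project's code): it reads country blocks, converts mW limits to dBm, and reports bands whose limit exceeds a cap or differs from a baseline copy, which is how an administrator can spot a regulatory database that was edited the way this section describes. The SAMPLE_DB excerpt and the "edited" copy are constructed.

```python
"""Parse wireless-regdb db.txt country blocks and audit their EIRP limits.
Added example; SAMPLE_DB is a constructed excerpt in db.txt syntax."""
import math
import re

# "country BZ: DFS-JP"  (the DFS region is optional, e.g. "country 00:")
COUNTRY_RE = re.compile(r"^country\s+([0-9A-Z]{2}):\s*(?:DFS-(\w+))?")
# "(2402 - 2482 @ 40), (30)" or "(2400 - 2483.5 @ 40), (100 mW)";
# also accepts the "(N/A, 30)" form printed by `iw reg get`
BAND_RE = re.compile(
    r"\(\s*([\d.]+)\s*-\s*([\d.]+)\s*@\s*([\d.]+)\s*\)\s*,\s*"
    r"\(\s*(?:N/A\s*,\s*)?([\d.]+)\s*(mW)?\s*\)"
)

SAMPLE_DB = """\
# constructed excerpt: (start - end @ max bandwidth), (max EIRP)
country 00:
    (2402 - 2472 @ 40), (20)
    (5170 - 5250 @ 80), (20), AUTO-BW
    (5250 - 5330 @ 80), (20), DFS, AUTO-BW

country BZ: DFS-JP
    (2402 - 2482 @ 40), (30)
    (5735 - 5835 @ 80), (30)

country DE: DFS-ETSI
    (2400 - 2483.5 @ 40), (100 mW)
    (5150 - 5250 @ 80), (200 mW), NO-OUTDOOR, AUTO-BW
"""


def parse_regdb(text):
    """Return {country: [(start_mhz, end_mhz, max_bw_mhz, max_eirp_dbm), ...]}."""
    db, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = COUNTRY_RE.match(line)
        if m:
            current = m.group(1)
            db.setdefault(current, [])
            continue
        m = BAND_RE.match(line)
        if m and current is not None:
            start, end, bw, power, unit = m.groups()
            # db.txt gives the limit either in dBm or in mW: dBm = 10 * log10(mW)
            dbm = 10 * math.log10(float(power)) if unit == "mW" else float(power)
            db[current].append((float(start), float(end), float(bw), round(dbm, 2)))
    return db


def max_eirp(db, country, freq_mhz):
    """EIRP limit (dBm) that applies to a centre frequency, or None if not allowed."""
    for start, end, _bw, dbm in db.get(country, []):
        if start <= freq_mhz <= end:
            return dbm
    return None


def find_over_cap(db, cap_dbm):
    """Every (country, start, end, limit) whose limit exceeds cap_dbm."""
    return [(cc, s, e, dbm) for cc, bands in db.items()
            for s, e, _bw, dbm in bands if dbm > cap_dbm]


def diff_limits(baseline, candidate):
    """Bands whose limit differs between two parsed databases, e.g. the upstream
    db.txt and the source of the regulatory.bin installed on a host."""
    changes = []
    for cc, bands in candidate.items():
        base = {(s, e, bw): dbm for s, e, bw, dbm in baseline.get(cc, [])}
        for s, e, bw, dbm in bands:
            old = base.get((s, e, bw))
            if old is not None and old != dbm:
                changes.append((cc, s, e, old, dbm))
    return changes


if __name__ == "__main__":
    db = parse_regdb(SAMPLE_DB)
    print("channel 6 (2437 MHz) limit in DE:", max_eirp(db, "DE", 2437), "dBm")
    print("bands above 20 dBm:", find_over_cap(db, 20))
    # Simulate the edit described above: every 20 dBm in country 00 raised to 30 dBm
    edited = dict(db)
    edited["00"] = [(s, e, bw, 30.0) for s, e, bw, _ in db["00"]]
    print("limits changed vs. baseline:", diff_limits(db, edited))
```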

How to select an antenna for wardriving?

This depends on your goals. Some antennas cover a wider angle, while others can reach a remote access point by focusing the electromagnetic impulses in a narrow beam.

Dipole antennas with wide radiation angles but low antenna gain (AG) values are suitable for radio reconnaissance. These two parameters are interrelated because the antenna does not increase the power – it just focuses electromagnetic waves. Therefore, when it is vertically oriented, the horizontal communication improves, while the communication with upper and lower storeys deteriorates.

Tiny antennas with AG up to 5 dBi have the widest directional diagram. For marketing purposes, instead of decibel-milliwatts, vendors often provide the decibel gain relative to an isotropic emitter (a mathematical model of an antenna with a spherical diagram). Don’t be tricked: the power of an antenna labeled “5 dBi” is roughly equivalent to the one labeled “3 dBm”.

Some dongles are shipped with simple dipole antennas, which are good for starters. I recommend trying the Alfa ARS-N19 whose AG is 9 dBi; this is optimal for omnidirectional antennas. It looks like a fishing rod and has a narrower radiation angle but longer receiving range.

The main disadvantages of such antennas are their size (ARS-N19 is 39 cm long; you can’t hide it in your pocket) and narrow frequency ranges (either 2.4 or 5 GHz). Therefore, one antenna will not be enough.

The Alfa APA-M25 is a more compact and universal solution. This a panel (i.e. partially directional) dual-band antenna. Its AG is 8 dBi at 2.4 GHz and 10 dBi at 5 GHz. It is convenient for attacks targeting access points whose location is known to you (at least approximately). To aim the antenna at the target router, you may need to turn it up and down and rotate horizontally.

The most hardcore options are directional antennas with high AG values and very narrow beams (the sector-shaped pattern). They can reach a target located 1 km from you, but it is extremely difficult to precisely aim and fix such an antenna. They are mostly designed for 802.11b/g standards, which are long-range but slow. Only in exceptional circumstances can these antennas be used for the 802.11n and 802.11ac standards.

How to position the antenna?

The easiest way is to run the Wifite2 script. In its new version, the signal level from all identified access points is refreshed every second, both during the scan and attack. Slowly rotate the antenna vertically and then horizontally and fix the position with the highest signal values.

Important: the signal-to-noise ratio changes depending on the adapter location, especially if its mainboard is not shielded. In my experiment, changing the Alfa Tube-UNA’s position from vertical to horizontal added 7 dBm with the same antenna orientation. The target access point went out of the marginal reception area and was successfully… inspected. 🙂

How to connect a nonstandard antenna?

To be able to use various antennas, select adapters with slots for external antennas. The problem is that such slots are different and incompatible with each other. Indoor devices normally have the miniature RP-SMA plug, while the more powerful outdoor adapters (e.g. Alfa Tube-UNA) feature the large N-type plug. Coaxial adapters are used to connect them together. Pick adapters of the highest quality; otherwise, the signal-to-noise ratio (SNR) may decrease significantly. The picture below shows an N-Type RP-SMA adapter. I used it to connect ARS-N19 and APA-M25 antennas to an Alfa Tube-UNA adapter with a built-in signal amplifier.

Connecting an RP-SMA antenna to an N-Type adapter

How to automate the audit of Wi-Fi access points?

The minimum requirements to the hacker’s skill level are steadily dropping; virtually anybody can hack a Wi-Fi network nowadays. The range of simple and efficient utilities automating the various attack types has significantly increased in the last few years. In the past, Kali (then-BackTrack) included only unrefined scripts; today the number of ready-to-use tools makes you dizzy.

You don’t even have to study the Aircrack-ng package constituting the basis of almost all Wi-Fi hacking tools. The WiFi-autopwner script by Alexey Miloserdov and Wifite2 script by Derv Merkler enable you to gain practical results quickly and relatively easily.

Both scripts are great, but personally, I am more accustomed to Wifite2 and its public fork. The script masterfully uses additional utilities to raise the audit effectiveness and can automatically perform the five most common attack types targeting either all the identified access points or only selected ones.

Wifite2 uses bully, tshark, and reaver to attack WPS using either the PixieDust method or enumeration of known pins. It also uses coWPAtty and pyrit to check handshakes captured during an attack on WPA(2) and performs the newly-invented PMKID attack with hashcat.

PMKID successfully captured

All attack types are sorted by their implementation speed. First, the most rapid attacks (WPS, WEP, and PMKID) are unleashed on the selected access point; if all of them fail, the script proceeds to other variants. In the verbose mode (-vv), the terminal displays all the used commands and their results. In fact, this is a training and debugging mode.

What Wi-Fi attack is the fastest?

In the past, I would say that an attack on WPS is the fastest one. If Wi-Fi Protected Setup is enabled on the access point, chances are high that it can be hacked by enumerating the known pins or performing the elegant PixieDust attack. The list of pins for enumeration is taken from default configs of the manufacturer who is identified based on the MAC address of the device. In most cases, brute-force attacks are useless: after a certain number of failed WPS authentication attempts, the router blocks further attempts for a long period of time.

WPS PIN successfully guessed with WiFi-Autopwner

A successful attack on WPS takes up to five minutes; you neither have to wait for a WPA handshake to capture it, nor do you spend time on its subsequent brute-forcing. However, a new attack type, PMKID (Pairwise Master Key Identifier), makes it possible to capture a handshake on vulnerable routers in just a few seconds, even when no clients are connected to it! No need to wait and deauthenticate; all you have to do is make an authentication attempt, and it does not even have to be successful.

Therefore, the optimal hack… er-r-r… audit algorithm is as follows: determine whether the WPS mode is enabled on the target access point. If it is, launch a PixieDust attack. No success? Try pin enumeration. Still no success? Check whether the WEP encryption is on as it can be easily bypassed. If it is not, perform a PMKID attack on WPA(2). If it fails… well, time has come to remember the classics and either wait for a handshake (to avoid detection) or deauthenticate the clients to capture their authentication sessions.

I’ve got the WPS PIN, what’s next?

Next, you can use it to connect to the router and find out its password, no matter how long it is. In fact, WPS is a huge hole in the Wi-Fi security. I always disable it on my equipment and then test it with a Wi-Fi scanner to make sure that WPS is off.

I captured a handshake. What to do with it?

Wifite2 saves a copy of the 4-way handshake in a file with the .cap extension.

WPA handshake captured

TCPdump, Wireshark, Nmap, and other programs use the .pcap format. A PMKID handshake will have the .16800 format.

By default, Wifite2 uses Aircrack-ng for password enumeration. It sends a command based on the following template:

aircrack-ng yourhandshake.cap -w /yourwordlist.txt

In simple cases, this is sufficient. However, in most situations, you have to convert the handshakes using hcxtools for subsequent processing with one of the advanced password enumeration utilities, for instance, John the Ripper or hashcat.

Personally, I prefer hashcat. To use it, you have to convert the .cap file into the .hccapx format first. This can be done either online or locally using the cap2hccapx utility (the source code must be downloaded and compiled).

wget https://raw.githubusercontent.com/hashcat/hashcat-utils/master/src/cap2hccapx.c
gcc -o cap2hccapx-converter cap2hccapx.c

The best way is to place the resultant executable file cap2hccapx-converter in the /bin folder so that it is accessible in any situation.

mv cap2hccapx-converter /bin

The Wi-Fi password was successfully cracked in Hashcat using WPA2 handshake

PMKID hashes are brute-forced in a similar way. You just have to specify the handshake type and dictionary for hashcat.

hashcat64 -m 2500 -w 3 Beeline.hccapx "wordlist\wpadict.txt" # Enumerating passwords to the WPA(2) handshake hash contained in the file Beeline.hccapx using the dictionary wpadict.txt
hashcat64 -m 16800 -w 3 RT-WiFi.16800 "wordlist\rockyou.txt" # Using the PMKID handshake contained in the file RT-WiFi.16800 and the rockyou.txt dictionary

Hashcat brute-forces PMKID

How to brute-force Wi-Fi passwords?

The best brute-forcing rig is a desktop PC with a powerful GPU (one or more video cards). If you don’t have one, use online services such as Amazon EC2. They don’t offer much functionality for free, but in many situations, it is sufficient.

Cracking two passwords online

Another interesting option is to use a distributed computing network. Elcomsoft Distributed Password Recovery and some other tools make this possible. EDPR is a universal program that understands dozens of password and hash formats, including .cap, .pcap, and .hccapx. Up to ten thousand computers may work on the same task at a time combining the resources of their processors and video cards.

Distributed brute-forcing of WPA hashes

In addition, it features an advanced approach to dictionary attacks: you can use masks, prefixes, and mutations, thus expanding the number of possible combinations based on dictionary words by orders of magnitude.

Why use dictionary attacks instead of brute-forcing?

The length of a WPA(2)-PSK key is 256 bits. The number of possible combinations (2^256) is so high that it takes years to try them all even for a powerful server with graphic accelerators. Therefore, a dictionary attack is more feasible.
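The missing step in that reasoning is where the 256-bit key comes from: WPA2-PSK derives the PMK from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 32 bytes), so an attacker searches the passphrase space, not 2^256 keys, and each guess costs 4096 HMAC rounds. The added example below (not the article's code) shows this derivation, checked against the IEEE 802.11 test vector (passphrase "password", SSID "IEEE"), together with a rough search-space estimate that an administrator can use when choosing a passphrase; the guess rate in the demo is an illustrative constant, not a measurement.

```python
"""WPA2-PSK key derivation and a passphrase search-space estimate.
Added example; the guess rate used in the demo is an illustrative constant."""
import hashlib
import math
import string


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    IEEE 802.11 restricts the passphrase to 8..63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def search_space_bits(passphrase: str) -> float:
    """Generous upper bound on the bits an attacker must search for a passphrase:
    length times log2 of the alphabet formed by the character classes it uses
    (a real dictionary word is far cheaper than this bound suggests)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(alphabet)


def seconds_to_exhaust(passphrase: str, guesses_per_second: float) -> float:
    """Time to try every passphrase in that bound at a given PBKDF2 rate."""
    return 2 ** search_space_bits(passphrase) / guesses_per_second


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")
    print("PMK for 'password' on SSID 'IEEE':", pmk.hex())
    # The SSID is the salt: the same passphrase yields a different PMK elsewhere
    print("same passphrase on SSID 'IEEE2':", derive_pmk("password", "IEEE2").hex())
    rate = 500_000  # illustrative guesses/s for a single GPU; not a measurement
    for p in ("password", "Summer2019!", "mX7$Qp2!vL9@wE4rT"):
        print("%-20s %6.1f bits  ~%.1e s to exhaust" %
              (p, search_space_bits(p), seconds_to_exhaust(p, rate)))
```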

Normally, Wifite2 performs this attack automatically. After capturing a handshake, the script checks its quality. If it contains all the required data, an attack is launched using the dictionary wordlist-top4800-probable.txt. As you can guess, it includes only 4800 most common passwords.

This dictionary can be used even on an old laptop; however, chances are high that it does not contain the required combination. Therefore, the best way is to create your own dictionary.

How to create a dictionary?

First, I collected a number of dictionaries from various sources, including preinstalled dictionaries from password enumeration programs, the /usr/share/wordlists/ catalog in Kali Linux, databases of real passwords to various accounts that had leaked online, and password collections available on specialized forums. Then I converted them into the same format (encoding) using the recode utility. Finally, I renamed the dictionaries according to the template dict## where ## is a two-digit number. In total, I have got 80 dictionaries.

Merging 80 dictionaries concurrently removing identical records

At the next stage, I merged them together while removing the duplicates and then launched PW-Inspector to clear the resultant dictionary from garbage. The length of Wi-Fi passwords is 8 to 63 characters; so, I removed all records shorter than 8 and longer than 63 characters.

cat * | sort -u > alldicts # Merging all dictionaries and dropping duplicate lines (a redirect before the pipe would leave sort with empty input)
pw-inspector -i alldicts -m 8 -M 63 > WPAMegaDict # Keeping only records 8 to 63 characters long

At this point, I realized that the file was too large and could be reduced further without compromising the efficiency of the attack. Have you ever seen a real-life Wi-Fi password longer than 16 characters? Neither have I.

pw-inspector -i WPAMegaDict -m 8 -M 16 > WPADict_8-16

The resultant dictionary is available on Kim Dotcom’s file hosting site (the ZIP archive is 647 MB in size; the unpacked file is 2.8 GB).

How to switch to the 5 GHz frequency range?

First, you have to install a Wi-Fi adapter supporting 5 GHz and equip it with a suitable antenna (antennas are also designed for different frequency ranges). Then run Wifite with the -5 switch, and you will see 5 GHz access points. There are normally fewer of them than 2.4 GHz access points because such devices have a shorter wireless range: the higher the frequency, the faster the signal deteriorates under otherwise equal conditions.

Enabling the 5 GHz mode in Wifite

Is it possible to attack a hidden network?

Yes. Even if the network name (ESSID) is hidden, you can still see the MAC address of the access point during the scan. The first client who connects to it will disclose the network name to you. Therefore, either wait for a connect or expedite the process by transmitting deauthentication packets.

Finding out the name of a hidden network
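Both the handshake capture described under "What Wi-Fi attack is the fastest?" and the hidden-network trick above rely on deauthentication frames, which is exactly what a wireless IDS should watch for. The following added example (from the defender's side; not code from the article, Wifite2, or tshark) is a sliding-window detector over management-frame summaries in the tab-separated shape of `tshark -T fields -e frame.time_relative -e wlan.fc.type_subtype -e wlan.sa -e wlan.da -e wlan.bssid`; the SAMPLE_TSHARK lines are constructed, with locally administered MAC addresses.

```python
"""Sliding-window detector for 802.11 deauthentication/disassociation bursts.
Added example; SAMPLE_TSHARK is a constructed capture summary."""
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH, DISASSOC = 0xC, 0xA  # 802.11 management frame subtypes 12 and 10

# Constructed: two beacons, one ordinary deauth of an idle client at 0.52 s,
# then six broadcast deauths plus a disassoc within 0.12 s, and the client
# re-associating (subtype 0x0) right afterwards, i.e. a forced reconnection.
SAMPLE_TSHARK = """\
0.000000\t0x0008\t02:11:22:33:44:55\tff:ff:ff:ff:ff:ff\t02:11:22:33:44:55
0.102400\t0x0008\t02:11:22:33:44:55\tff:ff:ff:ff:ff:ff\t02:11:22:33:44:55
0.520000\t0x000c\t02:11:22:33:44:55\t02:aa:bb:cc:dd:01\t02:11:22:33:44:55
4.000000\t0x000c\t02:11:22:33:44:55\tff:ff:ff:ff:ff:ff\t02:11:22:33:44:55
4.020000\t0x000c\t02:11:22:33:44:55\tff:ff:ff:ff:ff:ff\t02:11:22:33:44:55
4.040000\t0x000c\t02:11:22:33:44:55\tff:ff:ff:ff:ff:ff\t02:11:22:33:44:55
4.060000\t0x000c\t02:11:22:33:44:55\tff:ff:ff:ff:ff:ff\t02:11:22:33:44:55
4.080000\t0x000c\t02:11:22:33:44:55\tff:ff:ff:ff:ff:ff\t02:11:22:33:44:55
4.100000\t0x000c\t02:11:22:33:44:55\tff:ff:ff:ff:ff:ff\t02:11:22:33:44:55
4.120000\t0x000a\t02:11:22:33:44:55\t02:aa:bb:cc:dd:01\t02:11:22:33:44:55
4.300000\t0x0000\t02:aa:bb:cc:dd:01\t02:11:22:33:44:55\t02:11:22:33:44:55
"""


def parse_tshark(text):
    """Turn tab-separated tshark field output into (time, subtype, src, dst, bssid)."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, subtype, sa, da, bssid = line.split("\t")
        # wlan.fc.type_subtype prints as hex (0x000c); int(x, 0) also accepts
        # the plain decimal form emitted by older tshark builds
        frames.append((float(t), int(subtype, 0), sa.lower(), da.lower(), bssid.lower()))
    return frames


def detect_deauth_flood(frames, window_s=2.0, threshold=5):
    """Return (time, bssid, frames_in_window, broadcast_in_window) each time a
    BSSID reaches `threshold` deauth/disassoc frames within `window_s` seconds.
    An occasional frame is normal (an AP dropping an idle client); a burst,
    especially of broadcast deauths, is the signature of a forced reconnection."""
    alerts, windows = [], {}
    for t, subtype, _sa, da, bssid in sorted(frames):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = windows.setdefault(bssid, deque())
        q.append((t, da == BROADCAST))
        while q and t - q[0][0] > window_s:  # slide the window forward
            q.popleft()
        if len(q) == threshold:  # alert once, when the threshold is first crossed
            alerts.append((t, bssid, len(q), sum(1 for _, bc in q if bc)))
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_flood(parse_tshark(SAMPLE_TSHARK)):
        print("deauth burst at t=%.2fs from BSSID %s: %d frames, %d broadcast" % alert)
```

Tune `window_s` and `threshold` to the site: a busy AP legitimately sends a few deauths per minute, but not several broadcast ones within a second.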

Conclusions

The purpose of this article was to explain the basics and enable our readers to achieve practical results from scratch. Hopefully, it was of interest to you and inspired you to new endeavors.

I had repeatedly noted that commercial pentesting courses mostly deliver obsolete information. In response, teachers normally say that they provide the basics that don’t change over time – while the up-to-date details are available online, and I should Google them myself. In my humble opinion, Wi-Fi audit is all about details that change very quickly. Therefore, I hope that my brief synopsis was beneficial for your learning curve.

WWW

  • OnlineHashCrack, a cloud password recovery service.
  • Pyrit, a password enumeration utility for CPUs and GPUs.

