Hacking


NPT (NETWORK PENETRATION TESTING)

Install the driver for the monitor-mode adapter

$ uname -r
$ apt search linux-headers-$(uname -r)
$ ls -l /usr/src/linux-headers-$(uname -r)
$ sudo apt update
$ sudo apt install linux-headers-$(uname -r)
$ ls -l /usr/src/linux-headers-$(uname -r)

rtl8188gu driver installation

Change MAC address

Useful when an AP filters clients by MAC whitelist.

$ ifconfig wlan0 down
$ macchanger --random wlan0
$ ifconfig wlan0 up

Enable monitor mode

In the default (managed) mode, our wireless card only receives, or only tries to capture, packets that have our card's MAC address as the destination MAC. It only captures packets that are actually directed to our computer.

What we want is to enable it to capture any packet that's around us—any packet that is within our range. To do that, we're going to use a mode called monitor mode. It tells the wireless card to capture everything around it, even if the destination MAC is not our MAC. Basically, we'll then be able to capture all of the packets within our range, even if they aren't directed to our device.

Three methods to do that:

airmon-ng method (not working for my rtl8188gu driver)

$ airmon-ng start wlan0    # start monitor mode

which outputs the following:

mac80211 monitor mode already enabled for [phy0]wlan0 on [phy0]wlan0

The interface name ([phy0]wlan0 here) varies from system to system; use your own.

Some notes:

  • First of all, when we enable monitor mode, the card will lose its connection. So, if it was connected to a wireless network, it will get disconnected. This is normal, because the card will not be in managed mode, and it will be capturing all of the packets that are available to it, instead of only capturing the packets that are directed to it. This doesn't really matter, because when we enable monitor mode, we actually want to hack into a different network or capture packets from networks that we don't have passwords for. So, it's completely normal to lose our internet connection.
  • The next thing is to make sure to use the name that monitor mode is enabled on. As mentioned previously, this was wlan0mon; it will change from system to system, so make sure to use the name that the airmon-ng command uses.
  • The third note is that if we enable monitor mode and run an attack in the future, and get unexpected results, we can come back and try one of the other methods for enabling monitor mode.

To stop monitor mode: $ airmon-ng stop wlan0

Enable monitor mode manually

$ ifconfig wlan0 down
$ iwconfig wlan0 mode monitor
$ ifconfig wlan0 up
$ iwconfig wlan0

This card now works perfectly, and monitor mode is enabled on it. We can choose any method we want, but this method will work on all cards, whereas the aircrack and airmon-ng methods will only work on some cards.

Using airmon-ng with check kill (not working for me)

All of these methods achieve the same objective, which is enabling monitor mode on your wireless card. Which method works for you will depend on your operating system, your host system, and the compatibility of the wireless cards in the systems. In many cases, all of the methods will enable monitor mode on your card, but not all of the attacks will work. Sometimes, injection will not work, or creating a fake access point will fail.

The basic idea is that if we know our card supports injection (for example, an Alfa card such as the AWUS036H or AWUS036NHA, or one of the other known cards that support injection) but injection isn't working well, we can simply unplug the card, plug it back in, and try another method of enabling monitor mode.

$ ifconfig wlan0 down
# kill all processes that airmon-ng thinks will interfere with enabling monitor mode
$ airmon-ng check kill
$ airmon-ng start wlan0
$ iwconfig

If an attack doesn't work, all we have to do is unplug the card, plug it back in, and try another method for enabling monitor mode. Hopefully, one of them will work, and we can carry on with the attacks.

PRE-CONNECTION ATTACK

PACKET SNIFFING

We set the Wi-Fi card into monitor mode, so that we can sniff packets that are within our Wi-Fi range, even if they're not directly connected to our device, and even if we are not connected to a network with a username and password.

airodump-ng is part of the Aircrack-ng suite. It is a packet sniffer that lets us capture all of the packets around us. We can:

  • run it against all of the networks around us and collect any packets within our range.
  • run it against a certain access point (AP) so that we only collect packets from a certain Wi-Fi network.

Run airodump-ng wlan0 to:

  • list all of the networks around us
  • identify all of the devices connected to the networks around us.

[screenshot: output of airodump-ng wlan0]

In the preceding screenshot, there are a few parameters we have to familiarize ourselves with, so that we can analyze the output:

  • The BSSID is the MAC address for the AP; as we know, each network device has a MAC address.

  • PWR is the power—how far the AP is from our Wi-Fi card. Test is the test router that we will be running a few attacks against. As you go down, you can see that the networks are further and further away. The closer the network is, the easier it will be for you to sniff the packets. The closer the network is, the more effective the attack will be, and the quicker you will gain access and achieve your goal.

  • Beacons are the signals that the AP sends; each AP sends a certain type of packet to tell the clients around it that it exists. So, even if the network is hidden, it will still send these beacons to tell everyone around that it is there. Our test BSSID is EC:1A:59:5A:E1:46, its PWR is -34, and its Beacons value is 50, the number of beacons captured from that AP.

  • The Data is the number of useful packets that we have sniffed; we'll talk about this in detail later on, when we study WEP decryption and encryption.

  • #/s (shown as S in the screenshot) is the number of data packets collected in the past 10 seconds; as we can see, we have a 0 here, so 0 data packets have been collected in the past 10 seconds.

  • CH is the channel that the AP is broadcasting on. Each AP broadcasts on a certain channel so that there is no interference between APs that are beside each other. Suppose we have an AP and, five meters away, another one; if both of them are running on the same channel, there will be interference between those two APs, their signal will be weaker, and so their range will be shorter.

  • MB is the maximum speed supported by this AP; it can go up to 54.

  • ENC is the encryption that's used in the AP; we have WEP, WPA, WPA2 encryptions. If it's an open network we will see OPN in the encryption.

  • CIPHER is the cipher that's used to decrypt the packets. For WEP it's WEP but for WPA2, it can be CCMP or TKIP; we'll talk about these later when we get into WPA cracking.

  • AUTH is the type of authentication that's required for this AP. We can see pre-shared key (PSK), and also MGT. We'll also talk about these later when we get into WPA cracking.

Document for reference

Targeted packet sniffing

To sniff only the target network, lock airodump-ng to its channel and BSSID and write the capture to files prefixed test-upc:

$ airodump-ng --channel 10 --bssid EC:1A:59:5A:E1:46 --write test-upc wlan0

[screenshot: targeted airodump-ng output with the AP section and the client (STATION) section]

The second section lists all of the clients that are associated with the APs. Its BSSID column, 88:c3:97..., is the MAC address of the network that the client is connected to. Because the MAC address in the first section is the same as the MAC address in the second section, this client is connected to network 88:c3:97.

The STATION is the MAC address of the client—the MAC address of the device that is connected to the network.

The PWR is the distance between us and the device.

Rate is the maximum speed that the device is running on.

Lost is the number of packets that we have lost (that we couldn't capture from the target device).

Frames is the number of useful packets that we collected from that device.

Now, we use Ctrl + C to stop sniffing. All of the data has been logged to files whose names start with test-upc. Using ls, the Linux command to list files, with * after the prefix, we see that airodump-ng automatically created four file formats:

[screenshot: ls test-upc* listing the four output files]

Use Wireshark to open the .cap file.

[screenshot: the capture opened in Wireshark]
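Besides opening the capture in Wireshark, the -01.csv file that --write produces can be parsed directly. As an added example (not code from the original post), the parser below reads the AP and station sections of that CSV using the columns described above (BSSID, channel, ENC, CIPHER, AUTH, PWR, Beacons, ESSID; STATION and its BSSID), flags networks whose ENC is OPN or WEP, and lists which clients are associated with a given BSSID. The sample CSV is constructed with invented MACs and values.

```python
import csv
import io

# Constructed sample of an airodump-ng "<prefix>-01.csv" file (invented values, not a real capture).
# airodump-ng writes two comma-separated sections: access points, a blank line, then stations.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
EC:1A:59:5A:E1:46, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 10, 54, WPA2, CCMP, PSK, -34, 50, 0, 0. 0. 0. 0, 4, Test,
88:C3:97:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, WEP, WEP, , -60, 12, 3, 0. 0. 0. 0, 5, Guest,
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 1, 54, OPN, , , -75, 8, 0, 0. 0. 0. 0, 4, Cafe,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
B6:01:41:AA:BB:B6, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -40, 120, EC:1A:59:5A:E1:46, Test
DE:AD:BE:EF:00:01, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -55, 30, 88:C3:97:00:00:01, Guest
CA:FE:00:00:00:02, 2024-01-01 10:03:00, 2024-01-01 10:04:00, -70, 5, (not associated), Cafe,HomeNet
"""


def parse_airodump_csv(text):
    """Return ({bssid: ap}, [station]) parsed from airodump-ng CSV text."""
    aps, stations, section = {}, [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue                      # blank line separating the two sections
        if row[0] in ("BSSID", "Station MAC"):
            section = row[0]              # a header row starts a new section
            continue
        if section == "BSSID" and len(row) >= 14:
            aps[row[0]] = {"bssid": row[0], "channel": int(row[3]), "privacy": row[5].strip(),
                           "cipher": row[6].strip(), "auth": row[7].strip(), "power": int(row[8]),
                           "beacons": int(row[9]), "essid": row[13].strip()}
        elif section == "Station MAC" and len(row) >= 6:
            # "Probed ESSIDs" is itself comma-separated, so it spills into extra columns
            stations.append({"mac": row[0], "power": int(row[3]), "packets": int(row[4]),
                             "bssid": row[5].strip(), "probes": [p for p in row[6:] if p.strip()]})
    return aps, stations


def weak_access_points(aps):
    """APs whose ENC column is OPN or WEP: the networks an auditor should flag first."""
    return sorted((ap for ap in aps.values() if ap["privacy"] in ("OPN", "WEP")),
                  key=lambda ap: ap["essid"])


def clients_of(stations, bssid):
    """Stations whose BSSID column matches the AP, i.e. the clients associated with it."""
    return [s for s in stations if s["bssid"] == bssid]
```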

Deauthentication attack

Now, we're going to run aireplay-ng, to disassociate one of the devices from the network. We can run it to disassociate all devices, but I have found that when we do that, it doesn't really disassociate all of them, because there are too many targets to disassociate. So, we will choose one target, which will be the device B6:01:41....B6.

[two screenshots: the aireplay-ng run and the resulting airodump-ng output]
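The defender-side counterpart to this section, added here as an example (not code from the original post): a detector that flags a deauthentication/disassociation flood against a BSSID in a monitor-mode capture, whether aimed at one station or at the broadcast address (all clients). It reads tab-separated records in the shape of tshark -T fields output; the sample records, MACs and timestamps are constructed.

```python
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0x0C, 0x0A          # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed records shaped like the output of:
#   tshark -r test-upc-01.cap -T fields -E separator=/t -e frame.time_epoch \
#     -e wlan.fc.type_subtype -e wlan.sa -e wlan.da -e wlan.bssid -e wlan.fixed.reason_code
# One beacon, one data frame, then 40 deauth frames in under a second that carry the AP's
# MAC as source (a flood against one client), and one broadcast deauth 90 seconds later.
AP, CLIENT = "ec:1a:59:5a:e1:46", "b6:01:41:aa:bb:b6"
SAMPLE_LINES = (
    [f"1700000000.000\t0x0008\t{AP}\t{BROADCAST}\t{AP}\t",
     f"1700000000.500\t0x0028\t{CLIENT}\t{AP}\t{AP}\t"]
    + [f"{1700000001 + i * 0.02:.3f}\t0x000c\t{AP}\t{CLIENT}\t{AP}\t7" for i in range(40)]
    + [f"1700000090.000\t0x000c\t{AP}\t{BROADCAST}\t{AP}\t3"]
)


def parse_tshark_line(line):
    """Parse one tab-separated record; return None for blank or malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 5 or not parts[0]:
        return None
    ts, subtype, sa, da, bssid = parts[:5]
    reason = parts[5] if len(parts) > 5 and parts[5] else None
    return {"ts": float(ts), "subtype": int(subtype, 16), "sa": sa.lower(),
            "da": da.lower(), "bssid": bssid.lower(), "reason": int(reason) if reason else None}


def detect_deauth_floods(lines, window_s=10.0, threshold=20):
    """Alert once per BSSID that emits more than `threshold` deauth/disassoc frames in `window_s`."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for rec in filter(None, map(parse_tshark_line, lines)):
        if rec["subtype"] not in (DEAUTH, DISASSOC):
            continue
        q = recent[rec["bssid"]]
        q.append(rec)
        while rec["ts"] - q[0]["ts"] > window_s:      # drop frames outside the sliding window
            q.popleft()
        if len(q) > threshold and rec["bssid"] not in alerted:
            alerted.add(rec["bssid"])
            targets = {"all clients" if r["da"] == BROADCAST else r["da"] for r in q}
            alerts.append({"bssid": rec["bssid"], "count": len(q), "targets": sorted(targets),
                           "reasons": sorted({r["reason"] for r in q if r["reason"] is not None})})
    return alerts
```

Management Frame Protection (802.11w, PMF) is the mitigation on the network side: with PMF required, clients discard deauthentication frames that are not authenticated.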

Fake AP using mana-toolkit