WiFi Hacking Week
At least it started out that way…
On July 1st of this year my team and I transitioned from our management positions at our then-current place of employment to full-time self employment. We were finally making the jump into focusing entirely on building our start up company, and yes, it was out of our garage. Now you may be wondering what this has to do with WiFi, or hacking, or WiFi hacking specifically. Well, at the time, my focus as a newly self-employed entrepreneur was to build a React Native mobile app which our team had conceptualized over the past year in our previous positions. However, before diving head first into that I thought it might be prudent to get a few of the smaller side projects ideas done and out of the way. After all, they should only take me a few days and then I could move on, right? Enter WiFi Hacking Week. The idea was to go through a little self-administered seven day boot camp which I built based on different articles I’ve read, random notes I’d saved throughout the years, and the compulsive desire to turn every research project into a cohesive training manual.
Well, a week turned into a month, and a month turned into copious notes on the subject of WiFi network card manipulation on Linux, WiFi packet structure, WPA handshakes, Aircrack-ng, evil twin attacks, Bettercap, a custom bash utility, a Raspberry Pi project, and plans to take over the world. With that being said, I wanted to make sure I distilled my notes and process into a blog series in order to give some of it back to the community — something I’ve always been bad about. If you haven’t gotten tired of my long-winded introduction already then pat yourself on the back, I’m finally arriving at the point.
This blog will be written as a four part series. In this first post I’ll cover what I learned about WiFi networking and adapter manipulation on Linux as well as some information on packet structure, and how to actually connect to a wireless network from the command line. If you aren’t using Linux then this tutorial will hold very little meaning for you. Also, if you are already familiar with wireless networking terminology feel free to skip to the next section. Let’s begin.
I’m not really trying to get into a full technical analysis of wireless networking. There are numerous articles and documentation that delve much more in-depth on the subject than I care to. Instead, this section serves as more of a primer and offers some prerequisite terms that may be helpful in the future. If you’d rather not read definitions on the subject of wireless networking, then skip to the next section.
IEEE 802.11: This term will get thrown around frequently when talking about wireless computer networking. This is essentially a standard created by the Institute of Electrical and Electronics Engineers which defines the protocols and controls required to implement WLAN (wireless local area network) communication. I’d rather not waste your time by re-typing the internet so if you like you can read more about it here. For our purposes, just know that if you read the term ‘802.11’ you can safely replace it with the word ‘wireless’.
WiFi Adapter/WiFi Interface: This is the piece of hardware in your computer that transmits and receives radio signals, and thus allows your computer to communicate with wireless networks. There are also external devices that can plug in to your computer via USB to achieve the same thing. These are typically called dongles. Funny name for a piece of hardware, no?
Station: In regards to wireless networking, a station is simply a computer that can communicate on an 802.11 network. There can be fixed, mobile, or portable stations. As a user with a laptop connected to a wireless network, you would be considered a mobile station. In most cases — and for the purpose of this tutorial — we will refer to a user’s computer on a wireless network as a station.
Access Point: An access point is a device that facilitates a mobile station’s access to the internet via a wireless medium. You know this device to be called a router.
Infrastructure mode: A network of stations connected to an access point. The access point maintains the routing table of all connected stations and facilitates a connection between those stations and the internet. If you have a router at home then you are familiar with this operating mode.
Ad-hoc mode: Also known as an Independent Basic Service Set (IBSS). An ad-hoc network is a network of computers connected directly to each other. Each computer maintains their own routing table, which is dynamically changing because routes are constantly adapting based on the best path. The computers can share files and data with each other, but are not connected to the internet unless perhaps one of the computers in the ad-hoc network has a route to the internet via Ethernet. One might set up an ad-hoc network in situations where a small group needs to quickly get set up to share files and data, but may not necessarily need access to the internet. Think something like search and rescue operations, or a pop-up medical center. Keep in mind that a basic ad-hoc setup doesn’t include any type of encryption, so any communications could be intercepted.
Monitor Mode: This mode allows a WiFi adapter to pick up all manner of data packets from any stations in the vicinity whose traffic the network card is capable of detecting. This is very similar to another mode called promiscuous mode. Unlike promiscuous mode — which can sniff any traffic , monitor mode allows the WiFi card to operate independent of an access point, which allows for sniffing any traffic flying through the air.
MAC (Media Access Control) Address: This is a unique identifier in the form of a 48-bit hexadecimal number which looks something like this:
This identifier is assigned to a network interface at the manufacturing stage. In other words it’s burned into your network card in order to identify it on a network.
BSS (Basic Service Set): A network topology that allows all wireless devices to communicate with each other through a common medium. For example, an access point. Another acronym you’ll see quite often is a BSSID (Basic Service Set ID), which is the MAC address associated with the access point.
SSID (Service Set ID): The SSID the actual name of your wireless network. So if the WiFi network you connect to at home is called ‘Chance the Router’, then your SSID is ‘Chance the Router’.
802.11 Association Process
This process describes how a client or station goes from being entirely disconnected from the internet, to being fully associated with a wireless network and able to send and receive data to the access points and any clients on the network. It isn’t all that complicated as far as computer networking is concerned; there are four basic exchanges between a station and an access point, with each one comprising of a request from the station and a response from the access point. This information will come in handy later once we start messing with Aircrack.
The Probe: In this stage a station broadcasts a probe request in the form of a network packet in order to discover any 802.11 networks. This request comes in the form of a network packet which advertises the broadcaster’s supported data rates and 802.11 capabilities (what kind of wireless networks it’s compatible with). An access point which receives this request will check to see if it has any data rates in common with the station, and if so, it sends a probe response back to the station. The response contains the SSID, authentication types, 802.11 capabilities, etc. It’s this probe response which allows you to see the list of available networks when you click your network icon likely located at the bottom right of your desktop screen.
Authentication: This part kind of sounds like the part where you tell the access point your password and then it checks to see if the password is valid and gives you access to the internet, but it’s not. Actually, this part of the handshake takes place during the second request where the station sends an authentication frame to the access point. Originally, authentication frames were designed for something called WEP encryption, which has long since been deemed wildly insecure, and thus this step is only part of the overall process. In this step, the access point receives the authentication frame and automatically authenticates the station.
Association: Now that you’ve authenticated, the next step is to send an association request. This request sends preferred encryption types to the access point and any other relevant 802.11 capabilities. The access point then compares the preferred encryption types to it’s own choice method of encryption. If any of the encryption types match the capabilities of the access point, the access point will then send an association response. You are now considered associated with the network. Your station may no longer send data to any other access points until it disassociates from the current one.
Encryption: Here’s where you actually use a password to be able to use the access point to reach the internet. It’s not as simple as just sending the password to the router through the air. To prevent the password from being sniffed by literally anyone who has the motivation to do so, a special exchange using a protocol called EAPOL (Extensible Authentication Protocol Over LAN) takes place. This is also know as the 4-way handshake. How encryption works is beyond the scope of this article, but feel free to read more.
From this point forward you’re free to move about the cabin. If you’re as bored as I am then I think it’s time we go for a stroll.
Take a walk on the WiFi side
Now that you know enough to be able to find your way around, let’s start exploring. In this part we will go over some simple tasks such as connecting to a WPA2 network, creating adapter aliases, scanning for WiFi networks, killing interfering services, and otherwise freeing ourselves from Network Manager. Oh, by the way, we will be performing all of this on an Ubuntu 20.04 LTS installation with an Alfa AWUS036NEH wireless dongle. I imagine most of these commands will work just fine on another Ubuntu-based installation using another dongle, as long as it supports monitor more as we will be needing that later.
First you’ll want to see what devices you have available.
# iw devphy#3
txpower 20.00 dBm
Yikes. What a name for an interface. The output we are looking at shows you some basic information about the adapter including it’s adapter name, MAC address, type, and output power. Let’s do something about that interface name.
# sudo ip link set wlx00c0caaab78f down
# sudo ip link set wlx00c0caaab78f name alfa
# iw devphy#3
txpower 20.00 dBm
Much better. Here we are simply bringing the interface down in order to be able to modify it’s configuration, and then we are giving the adapter a nice name. Next we can connect to the internet, but you’ll want to get some of the interfering services out of the way.
# sudo service network-manager stop
# sudo service wpa_supplicant stop
# sudo dhclient -r
As long as nothing bad happened, this should have killed Network Manager and wpa_supplicant (the WiFi Protected Access Client), as well as released the current DHCP lease and stopped the client. If you don’t know what I mean by DHCP I recommend reading this article.
Okay, all that’s left to do here is connect.
# sudo -s
# wpa_passphrase Your_SSID >> /etc/wpa_supplicant.conf
<enter the password on stdin>
What we are doing here is adding an entry into the WiFi Protected Access Client configuration file with the name of your desired network and (hopefully) a correct password. If you don’t know the name of the network you are looking for and feel lost without your GUI fear not:
# sudo iw alfa scan |less
Now you can scroll through the output to see all the networks in range as well as some interesting information. If you just want to get straight to the point:
# sudo iw alfa scan |grep SSID
SSID: FBI Surveillance Van 7
SSID: Pretty Fly for a WiFi
Let’s assume we are trying to connect to the network named Arcturus. Finally, you can associate with the router.
# sudo wpa_supplicant -i alfa -c /etc/wpa_supplicant.confSuccessfully initialized wpa_supplicant
alfa: SME: Trying to authenticate with 00:00:00:00:00:00 (SSID='Arcturus' freq=2437 MHz)
alfa: Trying to associate with 00:00:00:00:00:00 (SSID='Arcturus' freq=2437 MHz)
alfa: Associated with 00:00:00:00:00:00
alfa: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
alfa: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=US
alfa: WPA: Key negotiation completed with 00:00:00:00:00:00 [PTK=CCMP GTK=CCMP]
alfa: CTRL-EVENT-CONNECTED - Connection to 00:00:00:00:00:00 completed [id=0 id_str=]
No, my router’s MAC address isn’t 00:00:00:00:00:00. Yes, I did edit it for privacy. In the above command the -i flag specifies the adapter name, and the -c specifies the configuration file where the SSID and password exist. I should mention that you’ll frequently see the above command run with a -B flag. This flag will make the command run in the background and return you back your prompt. I occasionally prefer to leave that flag off so I can see the connection information. Now, to verify.
# iw devphy#1
channel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz
txpower 30.00 dBm
As you can see we’re associated. All that’s left to get access to the internet is to ask for an IP address from the router.
# sudo dhclient alfa
# ping -c1 188.8.131.52PING 184.108.40.206 (220.127.116.11) 56(84) bytes of data.
64 bytes from 18.104.22.168: icmp_seq=1 ttl=56 time=29.6 ms--- 22.214.171.124 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 29.585/29.585/29.585/0.000 ms
If your output looks like the one above then way to go, you’ve subverted your robot overlords and connected to the internet without the help of a GUI. Go show you friends so they think you’re hacking the Pentagon.
Go take a little nap in the shade. We’re done for now. In the next blog post in this series we will cover how to set the network card into monitor mode, sniff potentially interesting traffic with tcpdump, as well as some wireless reconnaissance with airodump-ng and airgraph-ng. Don’t worry, as the posts go on things will bNow write yourself a script to automate your connection to the internet before realizing you could have just turned NetworkManager back on.