Table of Contents

0 SETTING UP THE LAB
    HARDWARE REQUIREMENTS
    SOFTWARE REQUIREMENTS
    KALI LINUX INSTALLATION
        INSTALL KALI LINUX UNDER VMWARE
        INSTALLING KALI LINUX ON PC
            Kali Linux on USB: Advantages
            HD Install Kali Linux: Prerequisites
            Stop Wasting Time
            Create Kali Linux Bootable USB
        REMOVE KALI LINUX HD INSTALL
    SETTING UP WIRELESS ADAPTER
        CONFIGURING ALFA CARD
    SUMMARY

1 UNDERSTANDING BASICS OF WI-FI NETWORKS
    WIRELESS NETWORKS (WI-FI) AND THE NEED FOR THEM
        WHAT IS WI-FI?
        WHAT IS THE NEED FOR WI-FI?
    TYPES OF ENCRYPTION AND THEIR NEED
        WHAT ARE THE TYPES OF ENCRYPTION?
        WHAT IS THE NEED?
        HOW IS WPA2 DIFFERENT FROM WPA?
    UNDERSTANDING PUBLIC AND PRIVATE IP
        PUBLIC IP
        PRIVATE IP
            Classes, Subnet and Pool Size
        HOW TO CHECK PUBLIC IP?
        USES OF PUBLIC IP
    POSSIBLE ATTACKS ON A WI-FI ACCESS POINT (AP)
    FUTURE OF WI-FI

2 CRACKING THE WIRELESS NETWORK SECURITY
    INTRODUCTION TO AIRCRACK-NG SUITE OF TOOLS
        WHAT IS AIRCRACK-NG?
        DOWNLOAD AIRCRACK-NG
        INSTALL AIRCRACK-NG
        AIRMON-NG
        AIRODUMP-NG
        CONCLUSION
    INTRODUCTION TO WIRESHARK
        HISTORY
            Why Was Ethereal Renamed?
        INSTALLATION AND SETUP
            Monitor Mode
            Select Sniffing Interface
            Stop Sniffing
        FILTERS AND PACKET ANALYSIS
            Display Filters
            Capture Filters
            A Capture Filter Is Not a Display Filter
        SAVE PACKETS
        COLOUR CODING
        CONCLUSION
    WEP CRACKING USING AIRCRACK-NG
        OVERVIEW
        ANOTHER WAY TO FIX THE MONITOR MODE ERROR IN KALI LINUX
    WPA2-PERSONAL CRACKING [AIRCRACK-NG]
        WHAT IS WPA2-PSK?
        4-WAY HANDSHAKE
        WHAT IS A DICTIONARY ATTACK?
        COUNTERMEASURES
        CONCLUSION
    WPS CRACKING
        WHAT IS WPS?
        WHAT IS REAVER?
        AN UGLY TRUTH ABOUT WPS [FOR PENTESTERS]
        SUPPORTED WIRELESS DRIVERS
        COUNTERMEASURES

3 AUTOMATED WI-FI CRACKING
    WIFITE: AUTOMATED WIRELESS HACKING/AUDITING TOOL
        DOWNLOAD WIFITE
        INSTALLING A TOOL (WIFITE) AS A COMMAND IN LINUX
        CRACKING WEP USING WIFITE
            Things to Note
        CRACKING WPA/2 USING WIFITE
        HOW TO FIX THE WPA/2 HANDSHAKE CAPTURE ERROR IN WIFITE?
            Using airodump-ng to Fix the Wifite Handshake Issue
            Use the Latest Version of Wifite to Fix the Handshake Capture Issue
        LASER FOCUSED WIFITE

4 SPEEDING UP WPA/2 CRACKING
    INTRODUCTION
        WHAT IS PMK?
        WHAT IS COWPATTY?
        WHAT IS PYRIT?
            What Is a Space-Time Trade-off?
    INSTALLATION AND CONFIGURATION
        INSTALLING COWPATTY FROM SOURCE CODE
        INSTALLING PYRIT FROM SOURCE CODE
        GENERATE PMKS USING GENPMK
        GENERATE PMKS USING PYRIT
    CRACK WPA2-PSK [COWPATTY VS. AIRCRACK-NG]
        CRACKING WPA2-PSK WITH AIRCRACK-NG
        [EXTRA!] PYRIT + COWPATTY STDIN
    USING GPU BASED TOOLS
        USING GPU FOR CRACKING WPA/2 PASSWORDS
        WHAT IS HASHCAT?
        WHY USE HASHCAT IN THE FIRST PLACE?
            Supported Attack Types
        SETTING UP THE LAB
            Installing the Graphics Driver
            Download Hashcat
            Pcap File Compatibility with Hashcat
            Convert a .cap File to a .hccap File
        CRACKING WPA/2 PASSWORDS USING HASHCAT
            WPA/2 Mask Attack Using Hashcat
            Hybrid Attack
            WPA/2 Cracking Pause/Resume in Hashcat (One of the Best Features)
            How to Restore?
    AIRCRACK BOOST SCRIPT
        FEATURES
        DEPENDENCIES
        MAKE THE SHELL SCRIPT EXECUTABLE
        EXECUTE
            Execute via Command Line Arguments
            Execute via Standard Input

5 POST-EXPLOITING THE NETWORK
    INTRODUCTION
        WHAT IS A SUBNET?
    TOOLS USED
    INSTALLATION AND CONFIGURATION
    SCANNING THE SUBNET
        SCAN THE SUBNET USING NMAP
    HOW DOES ARP POISONING WORK?
    PREVENT SNIFFING ATTACKS
    JAMMING THE WI-FI NETWORK
    DISSECTING A WIRELESS CLIENT

6 ROGUE ACCESS POINT: INTRODUCTION
    OVERVIEW
    ATTACK SUMMARY
    TOOLS USED
    ATTACK PREPARATION
    ROGUE ACCESS POINT: SETUP
        CONFIGURE APACHE, MYSQL AND DHCP SERVER
            Configure isc-dhcp-server
        (OPTIONAL) AIRMON-NG, NETWORK-MANAGER CONFLICT
        INFORMATION GATHERING
            Enable Monitor Mode
            Information Gathering with airodump-ng
        (OPTIONAL) BRING THE TX-POWER TO MAX: 1000MW
            Why Do We Need to Change Region to Operate Our Card at 1000mW?
        CONFIGURE NETWORKING
            Fire Up the Fake Access Point
            Allocate IP and Subnet Mask
            Set Firewall Rules in iptables
            Enable IP Forwarding
            Start the Services
        ATTACK!
    ROGUE AP SETUP: AN EASIER WAY
        UNDERSTANDING THE BASIC ATTACK SCENARIO
        CONFIGURATION SETUP
        OPTIONAL CONFIGURATIONS

7 ROGUE AP: A DEEPER DIVE
    HACKING WPA2 ENTERPRISE
        INTRODUCTION
            Difference Between WPA2-Personal and WPA2-Enterprise?
        INSTALLATION
        CRACK THE HASH
    INTERFACE VIRTUALISATION: SINGLE CARD FAKE AP
        INTRODUCTION
            WHAT IS A VIRTUAL INTERFACE (VIF)?
        HARDWARE USED
        SOFTWARE USED
        SETUP SINGLE CARD ROGUE ACCESS POINT + HOTSPOT
            CONNECT TO A WI-FI HOTSPOT
            POWER UP THE ROGUE AP
            (Optional) Enable Internet Access for Victim
                Enable iptables Forwarding
                Spoof Incoming HTTP Traffic
        "NO INTERNET ACCESS" WARNING FIX
            EXAMPLES OF "NO INTERNET ACCESS" ERROR ON WIN 7/10
            What Exactly Is Causing the "No Internet Access" Error?

8 CAPTIVE PORTALS
    IN THEORY
        INTRODUCTION
        BASIC STRATEGY BEHIND CAPTIVE PORTAL DETECTION
        DIFFERENCES BETWEEN CLIENT DEVICES
            Captive Portal Detection Method by Various Operating Systems
            Apple's Secret "wispr" Request
    IN THE REAL WORLD
        WHAT IS MOD_REWRITE?
            Advantages of mod_rewrite
            mod_rewrite Basics
            Defining Rules
            Server Variables
            Rule Syntax
        USER AGENT BASED REDIRECTION
        CONFIGURE APACHE FOR MOD_REWRITE
            Captive Portal Configuration for Apple Devices
            Captive Portal Configuration for Android Devices
            Captive Portal Configuration for Windows
            Set Up iptables for Redirection
            Enable Modules
        PROTECTION AGAINST THIS ATTACK

9 ULTIMATE FAKE AP
    OVERVIEW
    SETUP ACCESS POINT
        STEP 1: KILL TROUBLESOME PROCESSES
        STEP 2: START DHCP SERVER
        STEP 3: CONFIGURE APACHE2 WEBSERVER
        STEP 4: SPOOF DNS
        STEP 5: HARVEST THE KEYS
        STEP 6: WRAPPING UP
        STEP 7: THE SECRET SAUCE
        STEP 8: MAKE IT STEALTHIER (OPTIONAL)

10 WI-FI HACKING [APPENDIX]
    WAR DRIVING: INTRODUCTION
        CALCULATING ACCESS POINT LOCATION
    FIND LOST/STOLEN DEVICES
        LOCATE WI-FI DEVICE WITH PROBEMON
            Installation
            What Is the IEEE OUI List?
    HANDSHAKE VALIDATION
        REQUIREMENTS
        MANUALLY: USING WIRESHARK PACKET ANALYSER
        USING TOOLS LIKE AIRCRACK-NG AND PYRIT
        Conclusion

Interested?