1. Walks you through the steps of hacking your own WiFi in the light of strengthening the defensive security strategy
What is packet injection?
Packet Injection is a computer networking term which refers to sending a packet on a network into an already established connection. This is accomplished by crafting a packet using raw sockets for testing and improving the security of the wireless network.
Older generation chipsets have lower RF output and are confined to detecting the 802.11b and 802.11b/g wireless networks only; whereas the chipset incorporated in the family of High Power TurboTenna Plug & Play antennae work with both the older and the current 802.11n 802.11ac wireless standards.
Why do you need the High Power antenna?
Apart from the obvious reasons, you need to detect both the 802.11n wireless router, as well as the client stations that usually have lower signal output.
Many buyers have come to us enquiring about the way in which they could utilize their 2200mW NextG USB-Yagi TurboTenna for packet monitoring and injection in the light of testing the security of their own WiFi network.
KALI Linux and 2200mW NextG USB-Yagi TurboTenna
We've done that in our lab with KALI Linux and its attack tools (evolved from BackTrack), which is fully compatible with the 2200mW NextG USB-Yagi TurboTenna.
The KALI is a Debian based Linux distribution whose desktop version resembles pretty much similar to the Windows environment, in which you could use the mouse to natvigate over various applications. You may spend a Sunday afternoon to explore and refresh this powerfupl Linux OS both in desktop style and command line level. We are pretty sure that you'd have great fun like we did.
Although playing with Linux is not as straight forward as Windows, yet it is where the attack software tools and utilities are created - and for this reason Linux is both challenging and rewarding.
To begin with, we chose to install KALI Linux on our Windows 10 64-bit Intel i5 computer with 8GB RAM using the Oracle VirtualBox. VirtualBox is a cross-platform virtualization application that allows KALI to run alongside with Windows 10. This is greatly convenient from the experimental standpoint because you don't have to invest in a dedicated computer for KALI and you can completely wipe off KALI once it is no longer needed.
KALI Linux 64 bit Version 2018.1 (kali-linux-2018.1-amd64) Size 2.81GB
Oracle VirtualBox (VirtualBox-5.2.8-121009-Win) Size 101MB
KALI Linux Installation
Oracle VirtualBox was downloaded and installed on Windows 10 followed by installing the disc image (kali-linux-2018.1-amd64) of KALI. It was crucial to plug in the 2200mW NextG USB-Yagi TurboTenna before started loading up KALI on VirtualBox and running the network configuration to put it online, otherwise you won't be able to update and upgrade KALI later which means that you'd be stuck with the old WPA/WPA2 Brute-Force dictionary.
We successfully created the KALI on VituralBox with 4096MB of RAM and 30GB Dynamic HD.
Update and Upgrade Linux commands:
apt-get update && apt-get full-upgrade
apt-get autoremove
We had also tried installing KALI Linux VirtualBox Image Version 2018.1 (kali-linux-2018.1-vbox-amd64) Size 3.3GB, hoping to save some installation setup procedures but failed. It was found to be incompatible with newer VirtualBox-5.2.8. Both the fresh KALI image and KALI VurtualBox image were supposed to be the same. So save yourself some time by going after the fresh KALI installation.
2. Packet monitoring and injection mode
Once we started KALI on VituralBox, the first thing we did was to map the 2200mW NextG USB-Yagi TurboTenna as the USB Device by selecting "Ralink 802.11 n WLAN [0101]"
On the command line terminal, we entered the commands below.
Check the presence of the 2200mW NextG USB-Yagi TurboTenna (wlan0):
ifconfig -a
Packet monitoring and injection commands:
airmon-ng check kill
airmon-ng check
airmon-ng start wlan0
airodump-ng wlan0mon
3. REAVER - WPS Pin Attack
WiFi Protected Setup (WPS) is a convenient feature that allows the user to configure a client device against a wireless network by simultaneously pressing a button on both the WiFi router and the client device (the client side “button” is often in software) at the same time. The devices exchange information, and then set up a secure WPA link.
Reaver was designed to brute-force the WPA handshaking process remotely, even if the physical WPS button hadn’t been pressed on the WiFi router.
While some newer devices are building in protection against this specific attack, the Reaver WPS exploit remains useful on many networks in the field.
In particular, WPS is the vulnerable system in this case, not WPA. If a network has WPS disabled (which they should, given the existence of tools such as this), it will be immune to the following attack.
To generate a list of WiFi networks that shows the status of WPS Locked:
wash -i wlan0mon
The “WPS Locked” column in the list is far from a definitive indicator, but those WPS Unlocked WiFi networks are much more susceptible to brute forcing.
To launch Reaver against WiFi network with <BSSID> 11:22:33:44:55:66 :
reaver -i wlan0mon -b 11:22:33:44:55:66 -vv -K 1
It may take several hours and perhaps even longer to run because better designed WiFi router are getting smarter in terms of rejecting repeated attacks, longer and irregular timeout periods, illogical checksum and NULL pin.
Ideally, the above command works and the attack progresses as expected. But in reality, manufacturers implement smarter protections against Reaver-style attacks, and additional options may be required to get the attack moving.
As a countermeasure, a few optional switches can be added to get Reaver working on more picky devices:
reaver -i wlan0mon -c 11 -b 11:22:33:44:55:66 -vv -L -N -d 10 -T .5 -r 4:20
where
-c 11is channel 11
-L ignores locked WPS state
-N Don't send NACK packets when errors are detected
-d 10 Delay 10 seconds between PIN attempts
-T .5 sets timeout period to half a second
-r 4:20 after 4 attempts, sleep for 20 seconds
Simply type reaver if you to look for more options to experiment:
reaver
Reaver is armed with a pin "12345670" that appears not changing but in fact it is the starting point followed by subsequent variations to attack the router. Knowing that it is only a matter of time to strike a successful hit, clever designers put a NULL pin for which the traditional Reaver programmer had never expected. A patched version of reaver-wps-fork-t6x emerged in 2017 in the light of combating the NULL pin.
Installation was pretty straight forward on a newly created Reaver diractory:
mkdir reaver
cd reaver
git clone https://github.com/t6x/reaver-wps-furk-t6x.git
apt-get install -y libpcap-dev
cd src
./configure
make && make install
The -p option becomes available to foster a NULL pin or a digit sequence of various lengths.
NULL pin:
reaver -i wlan0mon -b 11:22:33:44:55:66 -vv -K 1 -p ""
Pin with a length of 4 digits:
reaver -i wlan0mon -b 11:22:33:44:55:66 -vv -K 1 -p "4321"
The verdict #1:
Nothing is unbreakable unless one gives up too early. The best defense is disable WPS on the WiFi router and create a sophticated password and change it as often as possible.
4. Brute-Force Dictionary Attack
Next we moved on to the Brute-Force toolkit.
While Reaver kept bombarding WiFi router with continuous retries, Brute-Force captured successful client handshakes from which a LOCK was crafted to be opened by the keys in a dictionary until a match was found. Rather than meddling with the router like forever, the brief encounter ended by a handshake that transcended into a much longer journey of lonely data processing.
The dictionay such as rockyou.txt was a text file that contained commonly-used passwords or combinations of letters and numbers. A good dictionary thus needed to have "ALL" combinations imaginable. Ours contained 144344394 passwords that was a huge list. So an attack of this nature was time consuming. Success was based on computing power and the number of combinations tried rather than an ingenious algorithm.
Having put the 2200mW NextG USB-Yagi TurboTenna into the packet monitoring and injection mode, we opened two command line terminals. One for capturing the handshake data and the other kept provoking for client handshakes.
To launch Brute-Force against WiFi network with <BSSID> 11:22:33:44:55:66 and <ESSID> MyWiFi at channel 2:
airodump-ng -c 2 11:22:33:44:55:66 -w /root/Desktop/MyWiFi wlan0mon
To provoke client handshakes:
aireplay-ng -0 0 -a 11:22:33:44:55:66 wlan0mon
These processes were stopped once a successful handshake was found. KALI Linux has a dictionary residing in /usr/share/wordlists/rockyou.txt.gz
To make sure that we had the latest update and installed the dictionary on Desktop:
apt-get update && apt-get full-upgrade
cd Desktop
gunzip /usr/share/wordlists/rockyou.txt.gz
To try opening MyWiFi-01.cap with keys in the dictionary rockyou.txt:
aircrack-ng -1 rockyou.txt MyWiFi-01.cap
We edited rockyou.txt to put in our password to verify that these processes actually worked. The key was found in seconds!
To edit rockyou.txt:
nano /root/Desktop/rockyou.txt
The verdict #2:
Nothing comes out of nothing. It's a time waster if the key is not there. The best defense is restrict further attempts after a few unsuccessful logins and make the password uncommonly sophicated.
Disclaimer:
The articles herein are intended for experience sharing and IT education purposes. No part of these experiments should be applied to a WiFi network other than your own without consent of your family members.