Kali Linux Wireless Penetration Testing Getting Started Guide, Chapter II: WLAN and Inherent Insecurity

Chapter II WLAN and inherent insecurity

Vivek Ramachandran, Cameron Buchanan

Translator: Dragon

License: CC BY-NC-SA 4.0

Brief introduction

The higher the building, the deeper the foundation must be laid.

– Thomas Kempis

Nothing great can be built on a fragile foundation. In our context, security cannot be built on something that is inherently insecure.

WLANs have inherent design weaknesses that are easy to exploit, for example through packet injection and sniffing (which can be done from a distance). We will explore these flaws in this chapter.

2.1 Review WLAN Frames

Since this book deals with wireless security, we assume that you have a basic understanding of the protocol and of packet headers. If not, or if you have been away from wireless for a long time, now is a good opportunity to review this topic.

Let's now review some basic WLAN concepts, most of which you probably already know. In a WLAN, communication happens in frames, and a frame has the following header structure:

The Frame Control field itself has a more complex structure:

The Type field defines the following three types of WLAN frames:

    1. Management frames: Management frames are responsible for maintaining communication between access points and wireless clients. Management frames have the following subtypes:

      • Authentication
      • Deauthentication
      • Association request
      • Association response
      • Reassociation request
      • Reassociation response
      • Disassociation
      • Beacon
      • Probe request
      • Probe response
    2. Control frames: Control frames are responsible for ensuring that data is exchanged properly between the access point and wireless clients. Control frames have the following subtypes:

      • Request to Send (RTS)
      • Clear to Send (CTS)
      • Acknowledgement (ACK)
    3. Data frames: Data frames carry the actual data sent over the wireless network. They have no subtypes.

When we discuss different attacks in later chapters, we will discuss the security implications of each of these frames.

Let's take a look at how to sniff these frames on a wireless network using Wireshark. There are other tools, such as airodump-ng, tcpdump, or tshark, that you can also use for sniffing. We use Wireshark in most cases in this book, but we recommend that you explore other tools. The first step is to create a monitor mode interface. This creates an interface for your adapter that lets us read all the wireless frames in the airspace, regardless of whether they are destined for us or not. In the wired world, this is commonly called promiscuous mode.

Time for action – creating a monitor mode interface

Let's now set the wireless card to monitor mode.

Follow these guidelines to get started:

    1. Start Kali and keep the adapter connected. Once you have the console open, enter iwconfig and make sure the NIC is detected and the driver is loaded correctly.

    2. Use the ifconfig wlan1 up command to bring up the network card (where wlan1 is your adapter). Verify that the NIC is up by running ifconfig wlan1. You should see the word UP in the second line of the output, like this:

    3. To put the NIC into monitor mode, we use airmon-ng, which ships with Kali. First run airmon-ng on its own to confirm that it detects the available network cards. You should see the wlan1 interface listed in the output:

    4. Now enter the airmon-ng start wlan1 command to create the monitor mode interface for the wlan1 device. The new monitor mode interface is named mon0. (You can verify this by running airmon-ng again without parameters.)

    5. Running ifconfig mon0 will also show the new interface called mon0.

What just happened?

We have successfully created a monitor mode interface called mon0. This interface is used to sniff wireless packets in the airspace. It has been created on top of our wireless adapter.

Give it a try – creating multiple monitor mode interfaces

You can create multiple monitor mode interfaces that use the same physical NIC. Use the airmon-ng tool to see how it is done.

Great! We have a monitor mode interface waiting to read packets from the airspace. So let's get started.

In the next exercise, we'll sniff packets from the airspace using Wireshark and the mon0 monitor mode interface we just created.

Time for action – sniffing wireless packets

Follow these guidelines to get started:

    1. Start the Wireless Lab access point that we configured in the first chapter.

    2. Start Wireshark by typing Wireshark & in the console. Once Wireshark is running, go to Capture | Interfaces.

    3. Start capturing packets from the mon0 interface by clicking its Start button. Wireshark will start capturing, and you can now see packets in the Wireshark window.

    4. These are the packets that your wireless adapter is sniffing from the airspace. To view any packet, select it in the top window and the entire packet will appear in the middle window:

      Click the triangle in front of IEEE 802.11 Wireless LAN management frame to expand it and view the details.

Observe the different header fields in the packet and relate them to the WLAN frame types and subtypes you learned about earlier.

What just happened?

We just sniffed our first packets from the airspace. We launched Wireshark, which used the mon0 monitor mode interface we created earlier. By looking at the bottom area of Wireshark, you can see the packet capture speed and the number of packets captured so far.

Give it a try – discovering different devices

Wireshark traces can be daunting at times; even on a moderately busy wireless network, you will sniff thousands of packets. So it is important to drill down to the packets we are interested in. This can be done using filters in Wireshark. Explore how to use these filters to identify the unique wireless devices in the trace – the access points and the wireless clients.

If you can't do it, don't worry; it is the next thing we will learn.

Time for action – viewing management, control, and data frames

Now we will learn how to use filters in Wireshark to view management, control, and data frames.

Follow these instructions step by step:

    1. To view all the management frames in the captured packets, enter the filter wlan.fc.type == 0 in the Filter window and click Apply. If you want to stop the packets from scrolling down too fast, you can stop the packet capture.

    2. To view control frames, change the filter expression to wlan.fc.type == 1 .

    3. To view data frames, change the filter expression to wlan.fc.type == 2 .

    4. To additionally select a subtype, use the wlan.fc.subtype filter. For example, to view the beacon frames among all management frames, use the following filter:

      (wlan.fc.type == 0) && (wlan.fc.subtype == 8)

    5. Alternatively, you can right-click any header field in the middle window and choose Apply as Filter | Selected to add it as a filter.

    6. This will automatically add the correct filter expression to the Filter field for you.

What just happened?

We have just learned how to filter packets in Wireshark using a variety of filter expressions. This helps us monitor selected packets from the devices we are interested in, rather than trying to analyze all the packets in the airspace.

We can also see that the headers of management, control, and data frames are in plain text and are not encrypted. Anyone who can sniff the packets can read these headers. Be aware that an attacker can also modify any of these packets and retransmit them. The protocol does not protect integrity or prevent replay, so this is very easy to do. We will see some of these attacks in later chapters.
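The header fields used in the filters above can be decoded straight from the first bytes of a frame. The following Python code is an added example, not code from the book: it decodes the Frame Control field, derives the value Wireshark exposes as wlan.fc.type_subtype, and reads the BSSID from the unencrypted header. The function names and the sample frames are constructed for illustration.

```python
import struct

TYPES = {0: "management", 1: "control", 2: "data"}
# (type, subtype) pairs for the frame kinds named in this chapter.
SUBTYPES = {
    (0, 0): "association request", (0, 1): "association response",
    (0, 2): "reassociation request", (0, 3): "reassociation response",
    (0, 4): "probe request", (0, 5): "probe response",
    (0, 8): "beacon", (0, 10): "disassociation",
    (0, 11): "authentication", (0, 12): "deauthentication",
    (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (2, 0): "data",
}


def parse_header(frame: bytes) -> dict:
    """Decode Frame Control and, where defined, the BSSID of an 802.11 frame."""
    if len(frame) < 2:
        raise ValueError("need at least the 2-byte Frame Control field")
    (fc,) = struct.unpack_from("<H", frame)  # sent least significant byte first
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    info = {
        "type": ftype,
        "subtype": subtype,
        "type_subtype": (ftype << 4) | subtype,  # value Wireshark filters on
        "name": SUBTYPES.get((ftype, subtype), TYPES.get(ftype, "reserved")),
        "protected": bool(fc & 0x4000),  # payload encrypted; the header is not
        "bssid": None,
    }
    # Address fields start at offset 4. Which one holds the BSSID depends on
    # To DS / From DS; control frames and WDS frames are left as None here.
    if ftype in (0, 2) and len(frame) >= 22 and not (to_ds and from_ds):
        offset = 4 if to_ds else 10 if from_ds else 16
        info["bssid"] = frame[offset:offset + 6].hex(":")
    return info


def display_filter(info: dict) -> str:
    """Build the Wireshark display filter that matches this frame kind."""
    return (f"(wlan.fc.type == {info['type']}) && "
            f"(wlan.fc.subtype == {info['subtype']})")


# Constructed sample headers (not captured traffic).
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("66778899aabb")
BEACON = bytes.fromhex("80000000") + b"\xff" * 6 + AP + AP + bytes(2)
DATA_TO_AP = bytes.fromhex("08410000") + AP + CLIENT + AP + bytes(2)
ACK = bytes.fromhex("d4000000") + CLIENT

if __name__ == "__main__":
    for frame in (BEACON, DATA_TO_AP, ACK):
        info = parse_header(frame)
        print(f"{info['name']:8} type_subtype=0x{info['type_subtype']:02x} "
              f"bssid={info['bssid']} protected={info['protected']}")
        print("   ", display_filter(info))
```

The data frame sample has the Protected bit set, yet its type, subtype and BSSID are still readable, which is the point made in the paragraph above.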

Give it a try – playing with filters

You can check the Wireshark manual to learn more about the available filter expressions and how to use them. Try out a variety of filter combinations until you are confident that you can drill down to any level of detail, even in very large packet traces.

In the next exercise, we'll explore how to sniff the data packets transmitted between our access point and the wireless client.

Time for action – sniffing the packets on our network

In this exercise, we will learn how to sniff packets on a specified wireless network. For simplicity, we will look at packets that are not encrypted.

Follow these guidelines to get started:

  1. Start the access point that we named Wireless Lab. Let's configure it to use no encryption.

  2. We first need to find out which channel Wireless Lab is running on. To do this, open a terminal and run airodump-ng --bssid <mac> mon0 , where <mac> is the MAC address of the access point. Let the program run, and you will see your access point displayed on the screen along with the channel it is running on.

  3. We can see from the previous output that our Wireless Lab access point is running on channel 11. Be aware that this may be different for your access point.

    In order to sniff packets from this access point, we need to lock the wireless card to the same channel, which is channel 11. To do so, run iwconfig mon0 channel 11 , then run iwconfig mon0 to verify. You will see Frequency: 2.462 GHz in the output. This corresponds to channel 11.

  4. Now start Wireshark and start sniffing on the mon0 interface. Once Wireshark is sniffing, enter wlan.bssid == <mac> in the filter area to filter on the access point's BSSID, as in the following. Fill in the appropriate MAC address for your access point.

  5. To view the data packets for the access point, add the following filter: (wlan.bssid == <mac>) && (wlan.fc.type_subtype == 0x20) . Open your browser on the client laptop and enter the URL of the access point's management interface. In my case, as in the first chapter, it is http://192.168.0.1 . This generates data packets, which Wireshark captures.

  6. Packet sniffing allows us to easily analyze unencrypted data. That is why we need to use encryption on wireless networks.

What just happened?

We've just sniffed data from the airspace using Wireshark and a variety of filters. Since our access point does not use any encryption, we are able to see all the data in plain text. This is a major security issue, because anyone within RF range of the access point can see all the packets using a sniffer like Wireshark.

Give it a try – analyzing data packets

Use Wireshark to analyze the data packets further. You will notice that the client issues a DHCP request and, if a DHCP server is available, it returns an address. After that you will find ARP packets and packets of other protocols. This is a simple way to passively discover hosts on a wireless network. It is important to be able to look at a packet trace and reconstruct how the applications on a wireless host communicate with the rest of the network. One of the interesting features Wireshark offers is the ability to follow a stream. This lets you view together the multiple packets that make up a TCP exchange in the same connection.

In addition, try logging in to www.gmail.com and other popular sites and analyzing the data traffic generated.

Next, we will show how to inject packets into a wireless network.

Time for action – packet injection

We use the aireplay-ng tool for this exercise, which ships with Kali.

Follow these guidelines to get started:

    1. To perform an injection test, start Wireshark first and use the filter expression (wlan.bssid == <mac>) && !(wlan.fc.type_subtype == 0x08) . This ensures that we only see non-beacon frames for our wireless network.

    2. Now run the command aireplay-ng -9 -e "Wireless Lab" -a <mac> mon0 in the terminal.

    3. Return to Wireshark and you will see a large number of packets on the screen. Some of these were sent by aireplay-ng, that is, by us, and the others are responses from the Wireless Lab access point to the injected packets.

What just happened?

We have just used aireplay-ng to successfully inject packets into our test network. Note that our NIC injected these arbitrary packets into the network without actually being connected to the Wireless Lab access point.

Give it a try – exploring the aireplay-ng tool

We'll learn more about packet injection in later chapters. For now, explore the other options that the aireplay-ng tool offers for injecting packets. You can use Wireshark to monitor the airspace and verify that the injection succeeded.

2.2 Key notes for WLAN sniffing and injection

WLANs typically operate in three different frequency ranges: 2.4 GHz, 3.6 GHz and 4.9/5.0 GHz. Not all Wi-Fi NICs support all three ranges and the associated bands. For example, the Alfa NIC only supports IEEE 802.11b/g. This means that the NIC cannot handle 802.11a/n. The key point is that to sniff or inject packets in a specific band, your Wi-Fi adapter needs to support it.

Another interesting aspect of Wi-Fi is that each of these bands contains multiple channels. Be aware that your Wi-Fi network card can only be on one channel at a time. You cannot tune the NIC to multiple channels simultaneously. It's like a car radio: you can only tune it to one of the available channels at any given time. If you want to hear something else, you need to change the channel. The same principle applies to WLAN sniffing. This leads to a very important conclusion: we cannot sniff all channels at the same time; we can only select the channel we are interested in. This means that if the access point we are interested in is on channel 1, we need to set the NIC to channel 1.

Although we have emphasized WLAN sniffing above, the same principle applies to injection. In order to inject packets on a specific channel, we need to tune the NIC to that channel.

Let's now do some exercises on setting a network card to a specific channel, channel hopping, setting the regulatory domain and power levels, and more.

Time for action – experimenting with your adapter

Follow these steps carefully:

    1. Enter the iwconfig wlan0 command to check the capabilities of the NIC. As you can see, our adapter can operate in the b, g, and n bands.

    2. To set the NIC to a specific channel, we use the iwconfig mon0 channel X command.

    3. The iwconfig command set does not have a channel hopping mode. You can write a simple script around it to implement one. An easier way is to use airodump-ng, which has options to hop across all channels, a subset of channels, or selected bands. All of these options are shown when we run airodump-ng --help .
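One way to write the simple hopping script mentioned in step 3, given here as an added example that is not from the book: it cycles mon0 through a channel list using the iwconfig command from step 2 and drops any channel the driver refuses, as happens for channel 12 under the US regulatory domain later in this chapter. The function names, the dwell time and the injectable run/sleep parameters are assumptions for illustration, as is iwconfig exiting non-zero when a channel is refused.

```python
import subprocess
import time


def channel_to_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel (channel 11 -> 2462 MHz)."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def hop(interface, channels, dwell=0.25, rounds=1,
        run=subprocess.run, sleep=time.sleep):
    """Tune `interface` to each channel in turn, staying `dwell` seconds.

    The card listens on one channel at a time, so frames sent on the other
    channels during each dwell are missed. Returns the (channel, MHz) pairs
    actually visited and the channels the driver refused.
    """
    visited, rejected = [], set()
    for _ in range(rounds):
        for ch in channels:
            if ch in rejected:
                continue  # do not retry a channel the regulatory domain blocks
            try:
                # Same command as step 2: iwconfig mon0 channel X
                run(["iwconfig", interface, "channel", str(ch)], check=True)
            except subprocess.CalledProcessError:
                rejected.add(ch)
                continue
            visited.append((ch, channel_to_mhz(ch)))
            sleep(dwell)
    return visited, sorted(rejected)


if __name__ == "__main__":
    # Needs root and an existing monitor mode interface named mon0.
    seen, refused = hop("mon0", [1, 6, 11, 12], dwell=0.5, rounds=3)
    print("visited:", seen)
    print("refused by driver:", refused)
```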

What just happened?

We now know that wireless sniffing and packet injection rely on hardware support. This means that we can only work with the bands and channels supported by the network card. In addition, the wireless card can only be on one channel at a time. This means that we can only sniff or inject on one channel at a time.

Give it a try – sniffing multiple channels

If you need to sniff multiple channels at the same time, you need multiple physical Wi-Fi NICs. If you can get additional NICs, try sniffing on multiple channels simultaneously.

2.3 The role of regulatory domains in wireless networks

The complexity of Wi-Fi doesn't end here. Each country has its own unlicensed spectrum allocation policy. This dictates the power levels and the parts of the spectrum that users are allowed to use. For example, the FCC stipulates that if you use Wi-Fi in the United States, you must comply with these rules. In some countries, non-compliance with the relevant regulations is punishable.

Now let's look at how to find the default regulatory settings and how to modify them as needed.

Time for action – experimenting with your adapter

Follow these steps carefully:

    1. Restart the computer, and do not connect the adapter yet.

    2. After logging in, use the tail command to monitor the kernel messages:

      Plug in the adapter and you'll see something like this. This shows the default regulatory settings applied to the NIC.

    3. Let's assume you're in the United States. To change the regulatory domain to US, we enter the command iw reg set US in a new terminal.

      If the command succeeds, we will see output like this in the terminal where we are monitoring /var/log/messages :

    4. Now try to set the network card to channel 11; it works. But when you try to set it to channel 12, you get an error. This is because channel 12 cannot be used in the United States.

    5. The same principle applies to power levels. The US only allows a maximum transmit power of 500 mW. So even though our adapter is capable of 1 watt (30 dBm), we cannot set it to its maximum transmit power:

    6. However, if we were in Bolivia, we would be able to use 1 watt of transmit power, as this is permitted there. As you can see, once we set the regulatory domain to Bolivia with iw reg set BO , we can set the NIC power to 30 dBm, or 1 watt. We can also use channel 12 in Bolivia, which is forbidden in the United States.

What just happened?

Each country has its own regulations for the unlicensed wireless bands. When we set the regulatory domain to a specific country, our network card obeys the allowed channels and power levels specified for it. However, it is quite easy to change the regulatory domain of the NIC to force it to work on a disallowed channel and to transmit at a power level higher than the allowed value.

Give it a try – exploring regulatory domains

Look at the various parameters you can set, such as channel, power, regulatory domain, and more. Use the iw command set on Kali. This will give you a solid understanding of how to configure network adapters and modify network card settings in different countries.

Pop quiz – WLAN packet sniffing and injection

Q1. What type of frame is responsible for authentication in a WLAN?

    1. Control
    2. Management
    3. Data
    4. QoS

Q2. What is the name of the second monitor mode interface created on wlan0 using airmon-ng?

    1. mon0
    2. mon1
    3. 1mon
    4. monb

Q3. What is the filter expression used to view non-beacon frames in Wireshark?

    1. !(wlan.fc.type_subtype == 0x08)
    2. wlan.fc.type_subtype == 0x08
    3. (no beacon)
    4. Wlan.fc.type == 0x08

Summary

In this chapter, we have made some important observations about the WLAN protocol.

Management, control, and data frames are unencrypted, so anyone monitoring the airspace can easily read them. Note that the data packet payload can be protected with encryption to keep it confidential. We'll discuss this in the next chapter.

We can sniff the entire airspace nearby by setting the network card to monitor mode.

Because management and control frames have no integrity protection, it is easy to inject packets, either modified or replayed as is, using tools such as aireplay-ng.

Unencrypted data packets can also be modified and replayed into the network. If the packets are encrypted, we can still replay them as is, because the WLAN design does not protect against packet replay.

In the next chapter, we'll look at the different authentication mechanisms used in WLANs, such as MAC filtering and shared authentication, and use practical demonstrations to understand their various security flaws.
