NOTE: The information contained in this tutorial is directed toward the Kali Linux distribution, but can also apply to other Linux varieties if the appropriate tools are installed. All tools used in this tutorial are freely available.
For the purposes of this article, all ESSIDs and BSSIDs have been pixelated. When you run actual scans, you will be able to see these values.
SETTING YOUR WIRELESS CARD TO MONITOR MODE:
Before using any wifi pen testing tool, you will need to set your wireless interface to Monitor mode. First, find out which wireless interfaces are available by running iwconfig from the command line.
The response to this command tells you a few things. We know that the wireless interface on this system is wlan0 (Be wary as this may not be wlan0 after a reboot. Some systems shuffle the interface name on reboot.), we know that Wlan0 is not associated with an access point (not connected to a wireless network), and we know that the Tx-Power (transmit power) of this interface is 15dBm. Depending on your drivers, you can bump this setting as high as 30dBm, though most systems are now limited to 20dBm to conserve power and avoid over-heating your wireless card.
To adjust your transmit power, run the following:
# iwconfig wlan0 txpower 30
In order to set an interface to Monitor Mode (Using the example of wlan0), you should run airmon-ng start wlan0.
Airmon-ng (part of the Aircrack suite) has now created a new interface called mon0 which is a sub-interface of wlan0 and is set to Monitor Mode. You can now use the command airodump-ng mon0 to view the wireless traffic in your area.
THIS IS NOT AN ATTACK OF ANY KIND - IT SIMPLY LISTENS TO PASSING TRAFFIC IN YOUR AREA. FEEL FREE TO TRY IT OUT
While using airomon-ng, the BSSID field shows the MAC addresses of nearby wireless networks. ESSID shows the names (SSIDs) of these networks. PWR shows the power of each network, which helps to determine its location and your likelihood of cracking the wifi password (the greater the power, the better your chances. NOTE: Power is never negative, but is shown that way in airodump-ng depending upon the version of the rt18187 module that is installed. This can be fixed by accessing the terminal and running airdriver-ng unload 36, then running airdriver-ng load 35.) CH shows the channel on which a given network is broadcasting. ENC shows the encryption standard employed by each network. WEP networks are the easiest to crack, followed by WPA, and then WPA2. CIPHER and AUTH both provide further information as to how the network is secured.
In the lower section of the terminal, you will notice that each BSSID entry is associated with a STATION. The STATION is a device which is reaching out for a network. PROBE indicates the network that the STATION is trying to reach. More often than not, you’ll see a response of (not associated), meaning that the desired network isn’t available, the device didn’t connect, etc. If you see a real MAC address in the BSSID field, then the STATION has just connected to that network.
Now it’s time to actually do something with all this traffic!
USING FERN-WIFI-CRACKER TO PEN TEST WIRELESS NETWORKS
Fern-Wifi-Cracker is a free, GUI-based tool that uses the aircrack suite to attack wireless networks. Fern can be launched from the Kali Linux application menu under Wireless Attacks >> Wireless Tools >> fern-wifi-cracker.
The Fern interface is pretty intuitive and will allow you to point and click your way through a wireless assessment (to an extent). In order to search for available networks, simply choose an interface from the dropdown Interface list and click the button to Scan for Access Points.
After a few seconds, you’ll see networks begin showing up next to both the WEP button and the WPA button.
Click either the WEP or WPA button to choose a target. As the names suggest, each button is related to an encryption standard and will list the available wireless access points using that particular encryption standard.
Now choose your target network from the list, click the Attack button, and wait...
NOTE: If you choose to update Fern, it will stop working. This is because the updater is broken. Don’t worry though – it’s an easy fix. From the command line, run the following: chmod +x /usr/share/fern-wifi-cracker/resources/execute.py. As soon as you run this command, Fern will begin operating normally again.
USING WIFITE TO PEN TEST A WIRELESS NETWORK
If you are comfortable using the command line, a somewhat more powerful tool available to you is Wifite. You can call wifite directly from the command line by running wifite.
Wifite will begin scanning for local networks and start gathering data on devices which connect to these networks. Once you are satisfied that you have gathered enough data (I recommend waiting about 3-5 minutes), hit CTRL + C to stop scanning and select a target.
Enter the number of your target network and hit ENTER to begin an attack against that network. You want to target networks that are marked with client or clients - These networks are actively communicating with a wireless device, making them even more vulnerable.
Wifite automatically iterates through multiple attack types supported by Aircrack-ng in order to give you the best chances of success.
Further Information on Aircrack-ng:
For more information / tutorials around Aircrack-ng, visit http://www.aircrack-ng.org/doku.php?id=Main#tutorials.