Download code from GitHub
"If I had eight hours to chop down a tree, I'd spend six hours sharpening my axe." | ||
| --Abraham Lincoln, 16th US President | ||
Behind every successful execution is hours or days of preparation, and wireless penetration testing is no exception. In this chapter, we will create a wireless lab that we will use for our experiments in this book. Consider this lab as your preparation arena before you dive into real-world penetration testing!
Wireless penetration testing is a practical subject, and it is important to first set up a lab where we can try out all the different experiments in this book in a safe and controlled environment. It is important that you set up this lab first before moving on in this book.
In this chapter, we will take a look at the following:
Hardware and software requirements
Installing Kali
Setting up an access point and configuring it
Installing the wireless card
Testing connectivity between the laptop and the access point
So let the games begin!
We will need the following hardware to set up the wireless lab:
Two laptops with internal Wi-Fi cards: We will use one of the laptops as the victim in our lab and the other as the penetration tester's laptop. Though almost any laptop would fit this profile, laptops with at least 3 GB RAM are desirable. This is because we may be running a lot of memory-intensive software in our experiments.
One wireless adapter (optional): Depending on the wireless card of your laptop, we may need a USB Wi-Fi card that can support packet injection and packet sniffing, which is supported by Kali. The best choice seems to be the Alfa AWUS036H card from Alfa Networks, as Kali supports this out-of-the-box. This is available on www.amazon.com for a retail price of £18 at the time of writing. An alternative option is the Edimax EW-7711UAN, which is smaller and, marginally, cheaper.
One access point: Any access point that supports WEP/WPA/WPA2 encryption standards would fit the bill. I will be using a TP-LINK TL-WR841N Wireless router for the purpose of illustration in this book. You can purchase it from Amazon.com for a retail price of around £20 at the time of writing.
An Internet connection: This will come in handy for performing research, downloading software, and for some of our experiments.
We will need the following software to set up the wireless lab:
Kali: This software can be downloaded from the official website located at http://www.kali.org. The software is open source, and you should be able to download it directly from the website.
Windows XP/Vista/7: You will need any one of Windows XP, Windows Vista, or Windows 7 installed on one of the laptops. This laptop will be used as the victim machine for the rest of the book.
Kali is relatively simple to install. We will run Kali by booting it as a Live DVD and then install it on the hard drive.
Perform the following instructions step by step:
Burn the Kali ISO (we are using the Kali 32-bit ISO) you downloaded onto a bootable DVD.
Boot the laptop with this DVD and select the option Install from the Boot menu:
If booting was successful, then you should see an awesome retro screen as follows:
This installer is similar to the GUI-based installers of most Linux systems and should be simple to follow. Select the appropriate options in every screen and start the installation process. Once the installation is done, restart the machine as prompted and remove the DVD.
Once the machine restarts, a login screen will be displayed. Type in the login as
rootand the password as whatever you set it to during the installation process. You should now be logged into your installed version of Kali. Congratulations!I will change the desktop theme and some settings for this book. Feel free to use your own themes and color settings!
We have successfully installed Kali on the laptop! We will use this laptop as the penetration tester's laptop for all other experiments in this book.
We can also install Kali within virtualization software such as VirtualBox. If you don't want to dedicate a full laptop to Kali, this is the best option. Kali's installation process in VirtualBox is exactly the same. The only difference is the pre-setup, which you will have to create in VirtualBox. Have a go at it! You can download VirtualBox from http://www.virtualbox.org.
One of the other ways in which we can install and use Kali is via USB drives. This is particularly useful if you do not want to install on the hard drive but still want to store persistent data on your Kali instance, such as scripts and new tools. We encourage you to try this out as well!
Let's begin! We will set the access point up to use Open Authentication with an SSID of Wireless Lab.
Follow these instructions step by step:
Power on the access point and use an Ethernet cable to connect your laptop to one of the access point's Ethernet ports.
Enter the IP address of the access point configuration terminal in your browser. For the TP-Link, it is by default
192.168.1.1. You should consult your access point's setup guide to find its IP address. If you do not have the manuals for the access point, you can also find the IP address by running theroute –ncommand. The gateway IP address is typically the access point's IP. Once you are connected, you should see a configuration portal that looks like this:
Explore the various settings in the portal after logging in and find the settings related to configuring a new SSID.
Change the SSID to Wireless Lab. Depending on the access point, you may have to reboot it for the settings to change:
Similarly, find the settings related to Wireless Security and change the setting to Disable Security. Disable Security indicates that it is using Open Authentication mode.
Save the changes to the access point and reboot it if required. Now your access point should be up-and-running with an SSID Wireless Lab.
An easy way to verify this is to use the Wireless Configuration utility on Windows and observe the available networks using the Windows laptop. You should find Wireless Lab as one of the networks in the listing:
We have successfully setup our access point with an SSID Wireless Lab. It is broadcasting its presence and this is being picked up by our Windows laptop and others within the Radio Frequency (RF) range of the access point.
It is important to note that we configured our access point in Open mode, which is the least secure. It is advisable not to connect this access point to the Internet for the time being, as anyone within the RF range will be able to use it to access the Internet.
We will be using the wireless adapter with the penetration tester's laptop.
Please follow these instructions step-by-step to set up your card:
Plug in the card to one of the Kali laptop's USB ports and boot it.
Once you log in, open a console terminal and type in
iwconfig. Your screen should look as follows:
As you can see, wlan0 is the wireless interface created for the wireless adapter. Type in
ifconfig wlan0to bring the interface up. Then, type inifconfig wlan0to see the current state of the interface:
The MAC address
00:c0:ca:3e:bd:93should match the MAC address written under your Alfa card. I am using the Edimax that gives me the preceding MAC address80:1f:02:8f:34:d5. This is a quick check to ensure that you have enabled the correct interface.
Here we go! Follow these steps to connect your wireless card to the access point:
Let's first see what wireless networks our adapter is currently detecting. Issue the command
iwlist wlan0scanningand you will find a list of networks in your vicinity:
Keep scrolling down and you should find the Wireless Lab network in this list. In my setup, it is detected as
Cell 05; it may be different in yours. The ESSID field contains the network name.As multiple access points can have the same SSID, verify that the MAC address mentioned in the preceding
Addressfield matches your access point's MAC. A fast and easy way to get the MAC address is underneath the access point or using web-based GUI settings.Now, issue the
iwconfig wlan0 essid "Wireless Lab"command and theniwconfig wlan0to check the status. If you have successfully connected to the access point, you should see the MAC address of the access point in theAccess Point: field in the output ofiwconfig.We know that the access point has a management interface IP address
192.168.0.1from its manual. Alternately, this is the same as the default router IP address when we run theroute –ncommand. Let's set our IP address in the same subnet by issuing theifconfig wlan0 192.168.0.2 netmask 255.255.255.0 upcommand. Verify the command succeeded by typingifconfig wlan0and checking the output.Now let's ping the access point by issuing the
ping 192.168.0.1command. If the network connection has been set up properly, then you should see the responses from the access point. You can additionally issue anarp –acommand to verify that the response is coming from the access point. You should see that the MAC address of the IP192.168.0.1is the access point's MAC address we noted earlier. It is important to note that some of the more recent access points might have responses to Internet Control Message Protocol (ICMP) echo request packets disabled. This is typically done to make the access point secure out-of-the-box with only minimal configuration settings available. In such a case, you can try to launch a browser and access the web interface to verify that the connection is up-and-running:
On the access point, we can verify connectivity by looking at the connection logs. As you can see in the following log, the MAC address of the wireless card
4C:0F:6E:70:BD:CBhas been logged making DHCP requests from the router:
We just connected to our access point successfully from Kali using our wireless adapter as the wireless device. We also learnt how to verify that a connection has been established at both the wireless client and the access point side.
Here is a challenging exercise for you—set up the access point in a WEP configuration. For each of these, try establishing a connection with the access point using the wireless adapter. Hint: check the manual for the iwconfig command by typing man iwconfig to see how to configure the card to connect to WEP.
Q1. After issuing the command ifconfig wlan0, how do you verify the wireless card is up and functional?
Q2. Can we run all our experiments using the Kali live CD alone? Can we not install the CD to the hard drive?
Q3. What does the command arp –a show?
Q4. Which tool should we use in Kali to connect to WPA/WPA2 networks?
This chapter provided you with detailed instructions on how to set up your own wireless lab. Also, in the process, you learned the basic steps for:
Installing Kali on your hard drive and exploring other options such as Virtual Machines and USBs
Configuring your access point over the web interface
Understanding and using several commands to configure and use your wireless card
Verifying the connection state between the wireless client and the access point
It is important that you gain confidence in configuring the system. If you aren't confident, it is advisable that you repeat the preceding examples a couple of times. In later chapters, we will design more complicated scenarios.
In the next chapter, we will learn about inherent design-based insecurities in WLANs design. We will use the network analyzer tool, Wireshark, to understand these concepts in a practical way.
