The Invisible Guest: Revealing The Company’s Wireless Network With Kali Linux And Raspberry Pi
Today, let’s look at the way how to test the security of a company’s wireless network relatively invisibly. The Raspberry Pi, which supports installing Kali Linux, will be used as the basis. Installing the distribution is quite simple:
- Download the official image from the site kali.org;
- Write it to an SD disk using Win32image for Windows and Gparted for Linux;
- Launch the Raspberry Pi with the installed SD card.
After installation, you can optionally update packages if they are available. But you don’t need to do anything else to work properly. The required memory card size is 8Gb or higher. In order for the system to function properly, it is advisable to use a larger volume.
The article is informational. Do not break the law.
Now, when the system is ready for operation, it remains only to configure the launch of programs at system startup. it is assumed that the Raspberry Pi will be installed directly in range of the desired access point for autonomous collection of Wi-Fi authorization data. There are many tools for working with WPA2-Personal, with varying degrees of interactivity, but the aircrack-ng suite is an ageless classic. It includes various auxiliary modules that allow you to fully test wireless networks from switching the interface to monitor mode to brute-force password detection. In our case, we only need to intercept Wi-Fi handshakes and save them for later analysis.
This can be done using the crontab job scheduler. The relevant lines need to be added to run the wifi.sh and eaphammer.sh scripts:
Wifi.sh will switch the wireless interface to monitor mode and launch the airodump-ng tool, saving the found WPA2-Personal handshakes to a file for further analysis.
In the airodump-ng launch command, it is necessary to set the parameters of the wireless interface and the file which the received handshakes (data that are transmitted when the user connects to the access point) will be saved in using the -w switch. Additionally, it is recommended to set the BSSID (MAC address of the access point) using the — bssid key and the channel on which it operates using -c. It is not necessary, but if you do this, then only the necessary data will be intercepted.
The second script will launch the eaphammer tool designed to hijack account data when using the WPA2-Enterprise protocol.
The tool works on the principle of an “evil twin”, therefore, in the tool launch parameters it is necessary to indicate:
- -i — is the name of the network interface. If several tools are running together using a wireless network, then additional interfaces must be added;
- — essid — access point name;
- — channel — channel which the access point operates on;
- — auth — authentication method;
- — creds — collection of accounts.
Also, to carry out an attack, you must generate a certificate by running the command ./eaphammer — cert-wizard. In the interactive menu, you can point out absolutely any information, it will not affect the quality of the attack.
You should save the settings, and in the future the scripts will run along with the system start.
For testing, you need to position the Raspberry Pi in any convenient way within the range of the access point so that no one will notice it while the data is being collected. The installation needs to provide 5V and 2–2.5A power supply to work. Having excluded the possibility of using an adapter to connect to an outlet, you need to think about a powerbank type battery to ensure uninterrupted operation for the entire duration of testing.
In the end, it remains only to pick up the installation and analyze the data obtained. When using eaphammer, the data will be written in the form of a handshake to the loot folder, which is located in the same place as the tool itself, but it is better to play it safe and add output redirection to write to a file in the tool launch script. Then the analysis will only be to find the account data in the output file.
If it was possible to intercept data for connecting to WPA2-Personal, then all that remains is to try to guess the password using a dictionary. Enumeration can be performed using different tools:
- using Aircrack-ng;
- using the Pyrit tool, which allows you to use the power of a video card while enumeration;
- CowPatty — provides brute force rainbow tables.
And also with the help of some popular brute force tools:
- John The Ripper and Hashсat — it also has support for brute force on rainbow tables and use the power not only of the CPU, but also the GPU.
Rainbow tables are specially calculated hashes that are used for very fast password recovery. They are databases where a password corresponds to a pre-calculated hash. If we talk about Wi-Fi, then calculating rainbow tables takes the same time as a normal password search, but searching for a password in the already created rainbow table will take a few seconds. Therefore, if you need only to check one handshake for an access point, there will be no difference between brute-force passwords and creating rainbow tables. Using rainbow tables only makes sense when checking two or more handshakes, because checking multiple handshakes against rainbow tables takes the same amount of time as checking one. It is also worth noting a significant disadvantage of rainbow tables — they take up a lot of space, much more than a regular dictionary with passwords.
If you compare the performance of tools that allow you to use the CPU and GPU power when searching, the difference between, for example, Aircrack-ng and Hashcat will be quite significant. Even if we compare the search modes using the CPU and GPU capacities separately when searching through Hashcat, in the first case, using, for example, the Xeon E5450 CPU, the speed will be ~3500 PMK/s, and when using a GPU, for example, GTX 1050Ti, the speed will increase to ~130000 PMK / s.
Based on the fact that only one handshake was intercepted, it is more appropriate to iterate over the password using Aircrack-ng. Since initially only the channel number for which handshakes were captured was specified, when reading the dump, the list of access points working on this channel will be indicated, as well as information about whether a handshake was received for any of them.
We should select the “PTT” network of interest, and the search process begins. There are many different resources on the Internet where you can find a dictionary of interest, for example, here or here.
In addition to open resources, there are specialized tools for generating your own dictionaries. One of these is Crunch, which is pretty simple to use:
crunch 8 9 1234567890 -o wordlist.txt
- 8 9 — minimum and maximum length of passwords in the dictionary;
- 1234567890 — used symbols. It is allowed to use both numbers and letters, and special characters;
- -o — is the file which all variants will be written to.
As a result, the password was “password”.
Tips to Reduce the Possibility of Compromising Your Wireless Network
- when using WPA2-Personal, the recommended password length should be more than the minimum required 8 characters; moreover, using the dictionary passwords significantly reduces the time to guess them. As of 2020, some of the most popular 8-character passwords are still “12345678” and “password”;
- in companies with a small number of users, you can additionally organize filtering based on the device’s MAC address. But this method can only be one of the additional elements of protection, since an attacker, starting the process of monitoring a wireless network, will see the MAC addresses of users who are connected to the access point anyway. Further change of own MAC-address upon connection will remain only a matter of technique. In addition, with an increase in the number of clients, the “white list” will also increase, which is not always convenient for the administrator;
- separation of the network into guest and corporate. The guest network can only access the Internet. The corporate can have access to the local network. Use segmentation (VLAN) for different networks;
- isolating wireless users from each other in order to prevent an attacker from interacting with other clients of the access point;
- if it is possible to use WPA2-Enterprise, then it is recommended to use it, additionally ensuring the connection using security certificates;
- Using the wireless intrusion prevention system (WIPS). It is designed to monitor wireless activity and detect / prevent internal and external network intrusion attempts. By basing its analysis on the link and physical layers of the OSI network model, WIPS enables organizations to successfully identify and protect their networks from rogue access points, wireless network attacks, and denial of service attacks.