Your first hacking job - war driving
Posted: Mon May 24, 2021 6:29 am
If you have a SUAS, vehicle or good pair of walking shoes, you can do this.
We are going to get our aspiring hackers started by cracking their first wireless network.
The hardware requirements are fairly simple, although you'll need a wifi radio capable of packet injection. If you don't have one (they cost $10-$30) that's ok, but you'll have to monitor the connection until a handshake is generated via normal use. I haven't had to do this in a while, since packet-injection-capable cards are a dime a dozen these days.
You will need a computer, this can be a Raspberry Pi (model 3 is fine), a laptop or even your phone if you're comfortable virtualizing an OS and messing with drivers.
Next, download the latest build of Kali Linux and use a tool like LiLi, Rufus or any third party tool to install it to a USB as a live boot OS. Once you've verified your USB boots into Kali (may require changing boot order in BIOS), connect your WiFi adapter and get ready to ride/fly/walk.
If you are using a drone, be sure to orient the antenna properly. Also, many WiFi cards included with your phone/tablet/laptop support packet injection AKA promiscuous mode, but Alfa makes several well known models that work flawlessly and accept external antenna and amps via RP-SMA connection.
After booting into Kali with your WiFi card attached, open a console/shell and type "sudo airmon-ng". This will display a list of wireless radios. If you're using the Alfa Networks product, you'll see an Atheros or Realtek chipset, and most importantly, an interface name. Once you ID the right one, you'll enter "sudo airmon-ng start wlan0" (where 0 = x, the number assigned to the interface).
This will cause the following output: monitor mode enabled for wlan0 on wlan0mon
wlan0mon is the virtual adapter created for packet injection. This is how we will force authenticated users to reauth to the access point, allowing us to sniff the ensuing handshake between the client and AP.
If your card doesn't support injection, you can skip the above steps. You will have to wait on a legitimate client to reauthenticate on its own. You'll still be able to capture the handshake, you just can't force the process.
OK. Great. So we have a card in monitor mode. Sweet.
Now let's fire up one of my favorite tools.
"sudo besside-ng wlan0mon"
Press enter and you'll see something along the lines of "lets ride. saving to besside.log"
Your setup is now automatically attacking any network in sight. If you're lucky enough to encounter a WEP encrypted network, besside-ng will crack the key outright. This process is typically very fast. For WPA/2-PSK, by far the most common, additional steps are required.
As besside-ng runs, it will force any connected clients to disconnect from the AP and reauthenticate. Any handshakes it is able to capture will be saved to your home directory as wpa.cap. These will be the targets of our cracking efforts.
I'd suggest downloading the crackstation and rockyou wordlists (widely available), although most online GPU cracker arrays as a service offer a free "basic search" and this will accomplish the same thing. The paid service costs as much as $100, but it's a far more extensive search and only costs money if the key is found.
Don't worry about specific targets right now. We're going after low hanging fruit for this training exercise. Later, we will use this network access to pivot further, but we're getting ahead of ourselves.
Once you've walked around for a bit, you should have many handshakes available listed in besside.log, along with any WEP keys it cracked on the spot. Go ahead and "control+c" the shell window running besside-ng.
If you took my advice, you can use the following to initiate cracking against the freshly captured handshakes: "aircrack-ng -w rockyou.txt wpa.cap"
If you have multiple handshakes, and you probably will, it will give you a list of them and ask you to select one by entering its arbitrarily assigned numeric value. Because we are going for easy targets, we will work through them 1-n. Hit 1 (whatever number it is) and press enter to start.
If the key is in your wordlist, it will notify you with a happy Key found! [Mykeyhere] message. Don't bother with JTR, exhausting this keyspace isn't practical unless you have a multi-GPU array on hand. If not, move on to the next. If so, take note of the key and BSSID. Feel free to keep cracking more, or you can stop here.
Next steps to come after you've gained access to a secured network of opportunity.
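A defender-side counterpart to the forced-reauth step described above, added here and not part of the original post: it scans a constructed log of 802.11 frame records for deauthentication bursts and checks whether an EAPOL 4-way handshake followed, which is the on-air signature of this capture technique (802.11w management frame protection is the mitigation that makes the forced deauth fail). All addresses, timestamps and frame records are placeholders I made up for the example.

```python
from collections import defaultdict

# Constructed sample of 802.11 frame records, not a real capture:
# (timestamp_s, kind, src, dst). "deauth" = management deauthentication frame,
# "eapol" = 4-way handshake message, "data" = ordinary traffic. Addresses are placeholders.
AP = "AA:BB:CC:00:00:01"
CLIENT = "DE:AD:BE:EF:00:01"
BCAST = "FF:FF:FF:FF:FF:FF"
SAMPLE_FRAMES = [
    (0.0, "data", CLIENT, AP),
    (1.0, "data", AP, CLIENT),
    # Burst of deauths carrying the AP's address, the way a forced reauth looks on the air.
    (2.00, "deauth", AP, BCAST), (2.05, "deauth", AP, CLIENT), (2.10, "deauth", AP, CLIENT),
    (2.15, "deauth", AP, CLIENT), (2.20, "deauth", AP, CLIENT), (2.25, "deauth", AP, CLIENT),
    # The client reconnects; these four EAPOL frames are the handshake an attacker records.
    (3.0, "eapol", AP, CLIENT), (3.1, "eapol", CLIENT, AP),
    (3.2, "eapol", AP, CLIENT), (3.3, "eapol", CLIENT, AP),
    (9.0, "data", CLIENT, AP),
    # A lone deauth much later (client leaving normally) must not trigger an alert.
    (60.0, "deauth", CLIENT, AP),
]


def detect_deauth_floods(frames, window=5.0, threshold=5):
    """Return [(src, count, window_start)] for every source address that sent
    at least `threshold` deauth frames within any `window`-second span."""
    times_by_src = defaultdict(list)
    for ts, kind, src, _dst in frames:
        if kind == "deauth":
            times_by_src[src].append(ts)
    alerts = []
    for src, times in times_by_src.items():
        times.sort()
        best, start = (0, 0.0), 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, (end - start + 1, times[start]))
        if best[0] >= threshold:
            alerts.append((src, best[0], best[1]))
    return alerts


def floods_followed_by_handshake(frames, alerts, grace=10.0):
    """Attach to each flood the number of EAPOL frames seen on that BSSID within
    `grace` seconds afterwards: deauth burst then handshake is the capture pattern."""
    return [
        (src, count, sum(1 for ts, kind, a, b in frames
                         if kind == "eapol" and src in (a, b) and t0 <= ts <= t0 + grace))
        for src, count, t0 in alerts
    ]
```

On a real network the records would come from a monitor-mode capture on the defender's own APs; a flood with a handshake right behind it is worth an alert, and enabling PMF on the AP removes the attacker's ability to force it.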