







Gearing up for Wifi Hacking
Hello SL, as per request I've decided to put together a short tutorial on some things you should know before delving into the world of wifi hacking. I am by no means an expert on all things wifi so if anyone has anything to add or tweak please leave a comment and by all means if you have any questions regarding the subject don't hesitate to ask. Now, some obligatory links:

Kali Linux: In case you've been living under a rock, Kali is a Debian-based Linux distribution meant to be a full-featured penetration testing platform loaded with popular network audit and pentesting tools. It is the continuation of the BackTrack namesake and at the time of writing this it is currently at V2.0.

Aircrack-ng: The most complete suite of wireless hacking/cracking tools in existence at the time of writing this. This suite has a large bulk of the tools that you will need to break the encryption of and infiltrate a wireless network. Even better, they come preinstalled in BackTrack and Kali Linux. Aircrack-ng consists of several tools that are commonly used in wireless hacking, including:
  • airmon-ng: to put your wireless interface into monitor mode
  • airodump-ng: to passively scan the air for wireless networks and make different types of files such as dumps, capture files, initialization vector capture files, and more.
  • aireplay-ng: We'll mostly use this to replay packets into the network, both at the AP and the client. This is specifically handy for deauthentication packets but is also used for many other things.
  • aircrack-ng: The tool that actually does the cracking of the .ivs or .cap files
  • airbase-ng: used for making software access points with your wireless interface


Now here's a list of some basic terminology that you'll often find associated with wifi hacking, feel free to skip if you already know them:
Spoiler: Terminology

Wireless Interface: The wireless nic that your computer uses to connect and communicate with the network.

BSSID: Stands for "Basic Service Set Identification." For our purposes just know that it's the MAC address of the wireless access point.

ESSID: Stands for "Extended Service Set Identification." You'll need to know it as the wireless network name.

Wireless Access Point (WAP): The node at which a wireless client will connect to the network. Oftentimes a router, but not always.

IEEE 802.11: This is the standard of specifications for implementing a wireless network or any wireless communications. Most of the wireless gear you see will say "wireless 802.11" followed by "A", "B", "G", "N" or "AC", specifying which protocol the product falls in line with. For more information on the specific protocols see the Wikipedia page for IEEE 802.11 here.

WLAN: An acronym short for wireless local area network. Also, in Linux your wireless interfaces are named wlan# where the # is the number of your interface (for example wlan0, wlan1, wlan2, etc.).

Packet Injection: The act of inserting a packet from an unauthenticated wireless node into a wireless access point while making it appear to be part of the normal flow of the network. As an attacker, packet injection is a very crucial part of gaining authentication to an access point, man-in-the-middle attacks, and wireless denial of service attacks.

Wireless Data Encryptions: These are the encryption algorithms that encrypt the data that is sent over the air such as WEP, WPA, and WPA2. If you're going to be attacking a wireless network it is crucial that you know what these are, how they work, and what exactly they do.

Monitor Mode: This is the mode for your wireless interface that allows you to see all of the wireless traffic around you instead of only being able to see what you are authenticated to see. Similar to promiscuous mode for wired interfaces.

Four-Way Handshake: The authentication process of WPA and WPA-2 enabled access points. During this process a client will send the password for the wireless network and the access point will basically respond with a yes or a no. In WPA/2 hacking we will try to capture this handshake in order to use it to derive the wireless network authentication key.

Probe Requests: These are the packets of information that a wireless access point sends out to broadcast its name unless it is configured not to. These are the reason that your computer/phone/tablet can see wireless networks in the area.

Here's a brief overview of what you'll need to have in order to carry out wlan attacks:
Spoiler: Things you'll need
1: A computer with Linux installed. You are much better off learning how to use Linux to crack wireless networks in my opinion. Linux is much more flexible, and if you're going to start learning wireless cracking you might as well start learning Linux at the same time. I recommend using Kali Linux for this. Here is the documentation for installing Kali, which, as you can see, can be done a number of ways. I recommend installing Kali to a live USB while learning; that way you can still have your whole Windows installation and also have a total Kali Linux distribution sitting away for when you're ready to learn. Also, that way if you mess something up you need only to reboot. NOTE: I am NOT saying that you can't hack wireless networks with Windows, I just personally find it much easier to do anything having to do with hacking with Linux instead of Windows, so I write my tutorials for Linux users. The aircrack-ng commands should be the same for any operating system.

2: Aircrack-ng installed: If you chose Kali Linux as your OS to start with, you'll already have Aircrack-ng installed. If you chose something else, please take the time to install aircrack-ng on your installation now. I won't cover that part in this tutorial since it varies so much from OS to OS; there are plenty of good guides available though.

3: A target network. I find it easiest to own your own router to test with. Any modern router will do, but you may look for something from a few years ago that still supports WEP so that you can practice with WEP, WPA, WPA2, and different configurations such as hiding the network name, whitelisting MAC addresses, blacklisting MAC addresses, and different strengths and combinations of passwords to test yourself. It's easiest to own your own so that you have full control over all variables in the testing and you aren't limited in what you can accomplish. It's always better to learn under controlled variables.

4: A wireless card capable of packet injection. This is really the only specialized piece of equipment that you may have to pay for. If you are using a desktop with no wireless card then you will have to buy one. I wholeheartedly recommend the Alfa AWUS06H (plug that into Google for a retailer of your choice) for any and all wireless hacking. The main feature of this is the RTL8187 chipset, which is supported by every tool in the aircrack-ng suite. They are also decently fast, have good range, don't tend to drop packets, and are just all around reliable. I have 2, one for home use and one that I tote around with me for hacking purposes.

On the other hand, if you have a laptop or your desktop has a wireless card, go ahead and boot up into Kali and open a terminal so that you can test to see if your wireless card is packet injection capable or not. First type in ifconfig and press enter. You'll likely see a lo and an eth0, which are your loopback and ethernet interfaces respectively. These don't matter right now; what you're looking for is a wlan0 or an ath0. If you have those it's a good sign.

If you don't have one of those, either Kali doesn't load with a driver for your wireless card or it isn't supported altogether. You might have to Google for your wireless card drivers for Linux and see what you come up with. This isn't always the easiest thing in the world but it is necessary.

If you do have a wlan0 or an ath0 or a similar interface you're now going to run your first command from the aircrack-ng suite to test your wireless card's ability to inject packets into a network:

Code:
aireplay-ng -9 wlan0
In the above command: aireplay-ng is the tool that we use to try to replay packets to a network, "-9" is the operator for "packet injection test" and wlan0 is the name of the wireless interface. Please note that whenever you see wlan0 or ath0 I am referring to your wireless interface, so if you have an Atheros-based chipset please replace every wlan0 you see with the appropriate interface name.

If the injection test works then congratulations! You now have everything needed to crack a wireless network.

Here's a list of compatible chipsets and drivers for injection LINK! Sure I could have given the link earlier, but what's the fun in that?

The next section will go over a couple of brief commands to help get you started:
Spoiler: Introduction to basic wireless commands
I won't go into huge detail here since this isn't meant to be extremely in depth, but these are the 3 most used commands that you will use in wireless cracking.

iwconfig: This is the Linux command for listing your wireless interfaces. Simply type "iwconfig" into your terminal and press enter to get a list of the wireless interfaces on your machine, or "iwconfig wlan0" to list the specifications of that wireless interface.

airmon-ng: This is the most common and easiest tool to use in order to put your wireless card into monitor mode. The command is very simple: type "airmon-ng start wlan0" to start monitor mode on your interface. You'll notice that your wlan0 interface will change to mon0, and you'll use mon0 as your interface for most things.

airodump-ng: This is a tool that will passively pick up other networks that send out probe requests and give you a nice chart of information on your surroundings. "airodump-ng mon0" is all you have to type to get a good basic chart showing you all of the networks that your wireless card is picking up, and also much other valuable information that you'll need for various attacks. Notice that you use mon0 instead of wlan0; this is because your monitor interface will pick up more than your standard interface.

That's it for this guide, hopefully you've learned something here. I kept the commands short here but if this guide is well received I'd be happy to go more in depth with other commands and/or methods of wifi hacking. Again if you have any questions do not hesitate to ask and if you found anything that I've done wrong here please let me know, any and all feedback is appreciated!

[+] 2 users Like ./Nomad's post
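A worked follow-up to the post above, added here and not part of ./Nomad's tutorial: airodump-ng can also write what it sees to disk (airodump-ng -w prefix mon0 produces prefix-01.csv), and the short script below parses that CSV for the practice router the post suggests owning and flags access points still running WEP or no encryption, the WEP/WPA/WPA2 distinction from the terminology list. The column layout is my assumption of airodump-ng's CSV format, and the sample data is constructed.

```python
"""Audit an airodump-ng CSV capture for weak encryption (added example).

Assumed layout (mine, not the post's): an AP table headed by
"BSSID, First time seen, ..." then a blank line and a station table.
"""
import csv

# Constructed sample in the airodump-ng CSV layout: three APs, one station.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2015-12-07 08:00:00, 2015-12-07 08:05:00,  6,  54, WPA2, CCMP, PSK, -45,  120,   0,   0.  0.  0.  0,   7, HomeNet, 
66:77:88:99:AA:BB, 2015-12-07 08:00:00, 2015-12-07 08:05:00, 11,  54, WEP, WEP, , -70,   80, 350,   0.  0.  0.  0,   6, OldLab, 
CC:DD:EE:FF:00:11, 2015-12-07 08:01:00, 2015-12-07 08:05:00,  1,  54, OPN, , , -60,   30,   0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2015-12-07 08:02:00, 2015-12-07 08:05:00, -50,  40, 00:11:22:33:44:55, HomeNet
"""

# Privacy values worth fixing on your own router; anything else passes.
WEAK = {"OPN": "open network, no encryption at all",
        "WEP": "WEP is broken, move the router to WPA2"}


def parse_access_points(text):
    """Return the AP table as a list of dicts keyed by the header names."""
    ap_lines = []
    for line in text.splitlines():
        if not line.strip():
            if ap_lines:        # the first blank line after data ends the AP table
                break
            continue            # airodump-ng starts the file with a blank line
        ap_lines.append(line)
    reader = csv.reader(ap_lines, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    return [dict(zip(header, (c.strip() for c in row)))
            for row in reader if len(row) >= len(header)]


def audit(text):
    """Map ESSID -> (privacy, finding); an empty finding means it passed."""
    result = {}
    for ap in parse_access_points(text):
        # airodump-ng may list "WPA2 WPA"; the first token is the strongest
        privacy = ap["Privacy"].split()[0] if ap["Privacy"] else "OPN"
        result[ap["ESSID"]] = (privacy, WEAK.get(privacy, ""))
    return result


if __name__ == "__main__":
    for essid, (privacy, finding) in audit(SAMPLE_CSV).items():
        print(f"{essid:10s} {privacy:5s} {finding}")
```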





Messages In This Thread
Gearing up for Wifi Hacking - by ./Nomad - 12-07-2015, 08:04 AM
RE: Gearing up for Wifi Hacking - by mothered - 12-07-2015, 11:15 AM
RE: Gearing up for Wifi Hacking - by Megan - 12-07-2015, 11:33 AM
RE: Gearing up for Wifi Hacking - by ./Nomad - 12-08-2015, 11:32 AM


