Testing the security of a wireless network protected with WPA/WPA2 encryption is based on its ESSID name and a data packet known as the “handshake”. We will describe the easiest and very effective way of capturing the “handshake” using the free Linux distribution Kali Linux.
- The first step is to download the ISO image of the Kali Linux distribution from http://www.kali.org/. It should be placed on a USB memory stick, so that we can use it without installing it on the hard drive. Detailed steps for doing this can be found here: http://www.hackforsecurity.net/2013/03/how-to-create-bootable-pendrive-of-kali.html or here: http://docs.kali.org/installation/kali-linux-live-usb-install
- After booting the computer from the Kali Linux memory stick we must open a console window. By default Kali Linux starts with a graphical user interface; the console can be found in the top left corner of the screen. Just click the icon called “Terminal”.
- In the console window type the iwconfig command (confirm with Enter); it lists all wireless interfaces installed in the computer.
Our Kali Linux found wlan0.
- Next we have to make sure our interface is up and running. Just type ifconfig wlan0 up
- Now it is time to check which WiFi networks are within range of our wireless interface. To do this we use the following command: iwlist wlan0 scanning
In this example we can see a network called TTC2. Write down its Access Point MAC address (in our case 00:19:19:FE:9E:32) and the channel on which it is transmitting (channel 6 in the attached picture).
PLEASE NOTE! The wireless network may be using a hidden ESSID name. To reveal it you have to send a deauthentication packet; we will get back to this later in this tutorial.
- In order to see and capture the packets exchanged between the AP and connected devices we must put our wireless card into monitor mode. First check that the card is correctly recognised by the Linux system: execute the command airmon-ng
If everything is OK and your interface wlan0 is listed, run the program again with the command airmon-ng start wlan0
Now check that the monitor interface has started correctly. Type ifconfig; you should see an interface called mon0.
- The final step for capturing the “handshake” packet requires us to start another console window (click the “Terminal” icon). In it we will run airodump-ng, which listens for a known user exchanging the “handshake” packet with the Access Point.
To do so we enter another command in the newly started console window: the program name airodump-ng, the interface name mon0, the AP MAC address --bssid 00:19:19:FE:9E:32, the transmission channel --channel 6 and the name of the file in which the “handshake” will be saved --write OurWiFi
The whole command is: airodump-ng mon0 --bssid 00:19:19:FE:9E:32 --channel 6 --write OurWiFi
Note that every long command parameter is introduced by a double dash (--).
The program is now running and waiting for a known device to authenticate. After someone connects to the network you will see in the top right corner of the window that the “handshake” has been captured; it shows: WPA handshake: 00:19:19:FE:9E:32
PLEASE NOTE! If you do not want to wait for a device to connect to the network you can force reauthentication. How to do it is described in a later part of this tutorial.
- The file with the saved “handshake” packet can be found in the Root directory (/root). You can reach it by double clicking the “Computer” icon on the Kali Linux desktop, choosing “File System” from the left menu and opening the “Root” directory. Our “handshake” file is named OurWiFi-01.cap. Now you can upload that file to our website for security testing (a password cracking attempt), or copy it to a USB memory stick to upload it later. You will probably have to use another pendrive, because a bootable Kali Linux memory stick is usually write protected.
Forcing device deauthentication for faster “handshake” packet capture.
- If you do not want to wait for a device to connect to the Access Point you can send a deauthentication packet that forces an existing network user to resend the “handshake”. The following instructions must be carried out after finishing point 7 of the main part of this tutorial; airodump-ng must be running in the other console window.
- For forced deauthentication we use the program aireplay-ng. The command looks like this: the program name aireplay-ng, how many packets to send -0 10, which interface to use mon0, the network AP address -a 00:19:19:FE:9E:32, and the MAC of the device that should be the target of the forced deauthentication -c 60:67:20:88:19:CC
The command as a whole: aireplay-ng -0 10 mon0 -a 00:19:19:FE:9E:32 -c 60:67:20:88:19:CC
- If everything went OK, you will see output similar to this one.
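Added example, not part of this tutorial and written from the defender's side: a small Python detector, run over constructed frame records (the record layout and field names are assumed), that flags a deauthentication burst of the size aireplay-ng -0 10 sends and checks whether a fresh handshake followed it. Bursts like this are a useful wireless IDS signal because WPA/WPA2 deauthentication frames are not authenticated unless the network enables 802.11w Protected Management Frames.

```python
from collections import defaultdict, deque

# Constructed sample frame records, as a wireless IDS or monitor-mode sniffer
# might log them: (timestamp_s, subtype, bssid, client). MACs are the tutorial's.
AP = "00:19:19:FE:9E:32"
CLIENT = "60:67:20:88:19:CC"
SAMPLE_FRAMES = [
    (100.0, "beacon", AP, "ff:ff:ff:ff:ff:ff"),
    (101.5, "deauth", AP, CLIENT),   # a single deauth: idle timeout, not an attack
    (400.0, "beacon", AP, "ff:ff:ff:ff:ff:ff"),
] + [
    (400.1 + i * 0.05, "deauth", AP, CLIENT) for i in range(10)   # "aireplay-ng -0 10"
] + [
    (400.8, "eapol", AP, CLIENT),    # client reconnects: 4-way handshake follows
]


def detect_deauth_bursts(frames, window_s=2.0, threshold=5):
    """One alert (first_ts, bssid, client, count) per burst of >= threshold deauth
    frames for the same (bssid, client) pair inside a sliding window_s window."""
    recent = defaultdict(deque)  # pair -> deauth timestamps still inside the window
    active = set()               # pairs whose current burst was already reported
    alerts = []
    for ts, subtype, bssid, client in sorted(frames):
        if subtype != "deauth":
            continue
        key = (bssid, client)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_s:  # expire timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            if key not in active:          # report each burst once
                active.add(key)
                alerts.append((q[0], bssid, client, len(q)))
        else:
            active.discard(key)            # burst over; the next one may alert again
    return alerts


def handshake_after_burst(frames, alerts, within_s=5.0):
    """Flag alerts followed within within_s seconds by an EAPOL frame for the same
    pair: deauth burst + fresh handshake is the pattern the capture above creates."""
    return [(bssid, client,
             any(sub == "eapol" and b == bssid and c == client
                 and first_ts <= ts <= first_ts + within_s
                 for ts, sub, b, c in frames))
            for first_ts, bssid, client, _ in alerts]
```

Calling detect_deauth_bursts(SAMPLE_FRAMES) reports one burst starting at t=400.1, and handshake_after_burst confirms an EAPOL frame followed it; the lone deauth at t=101.5 is ignored.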
Getting the ESSID name of a hidden network
- If you want us to test the security of your network we must know the ESSID name and have the “handshake” packet. Usually the ESSID is shown immediately after running iwlist wlan0 scanning, but sometimes it is not.
- To learn the wireless network name follow the instructions for forced deauthentication, but usually only one packet is necessary. Remember to have airodump-ng open in the second window. It is best to do this after completing point 7 of the main part of this tutorial.
Our command should look like this:
aireplay-ng -0 1 mon0 -a 00:19:19:FE:9E:32 -c 60:67:20:88:19:CC
- The name of the target network will then be displayed by airodump-ng.
Does your wireless card not work well with Kali Linux?
Not all wireless adapters are compatible with airodump-ng. If you get errors or cannot follow any of the instructions provided, check whether your adapter is on the Kali Linux compatibility list: http://www.aircrack-ng.org/doku.php?id=compatibility_drivers
You can also buy a cheap compatible wireless USB adapter or even a used laptop. Most cheap T61p laptops from IBM/Lenovo are known for good compatibility with Kali Linux.