Linux Format

Kali Linux: Security testing

Mayank Sharma tests his network defences with this pen testing distro.

- Mayank Sharma is not working as a sysadmin – he’s too busy writing about how to set up and manage Linux for all kinds of tasks on many systems for LXF’s loyal readers.

Kali Linux is the Swiss Army knife for ethical hackers. The distro is loaded with tools for penetration testing that you can use to compromise your own network in order to identify the weak points of entry that could be exploited by crackers. The Kali Linux menu is arranged in the order in which a network is usually infiltrated: it begins with tools for infiltration testing and moves on to vulnerability analysis, wireless attacks and exploitation. Kali Linux is available in multiple flavours and can be used as a Live distro or inside a virtual environment. Here we'll use some of the common tools in Kali Linux to expose the weak points in our network.

First let's find out what devices are logged on to the network using netdiscover, which can be used for reconnaissance on Wi-Fi networks that aren't using DHCP. Fire up a terminal inside Kali and type netdiscover -i wlan0. This sends out ARP requests over the network and then displays the results on the screen. The process is live, and as soon as new machines come on the network they'll pop up on the screen. Once you have a list of hosts, press Ctrl+C to stop the scan. With a list of hosts and their MAC addresses, you can begin the process of examining them.

You will probably need to see what ports are open on these hosts, and the OS they are running. One of the best apps for the job is nmap, which can be easily used via its graphical interface, Zenmap, which lets you run various types of scans on any host within your network. Zenmap ships with 10 common scanning profiles and you can define your own using its extensive options.

Break into Wi-Fi

Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) are wireless security protocols that were intended to address the security shortcomings of WEP. Because the WPA protocols dynamically generate a new key for each packet, they prevent the statistical analysis that caused WEP to fail. Nevertheless, they are vulnerable to some attack techniques. WPA and WPA2 are frequently deployed with a pre-shared key (PSK) to secure communications between the access point and the wireless clients. The PSK should be a random passphrase of at least 13 characters in length; if not, it is possible to determine the PSK using a brute-force attack by comparing the PSK to a known dictionary. This is the most common attack.

The best way to check whether your wireless network is impervious to attacks or not is to break into it. However, be advised: breaking into a wireless network that isn’t under your charge is illegal and shouldn’t be attempted.

We'll use the airmon-ng set of tools to crack open the faults in our network. To start, we need to be able to intercept or monitor wireless transmissions; therefore, we need to put the Kali wireless interface into monitor mode with: airmon-ng start wlan0. If the command tells you that there are processes that could cause trouble, kill those processes using airmon-ng check kill, then reissue the airmon-ng start wlan0 command. The command creates a monitoring interface such as wlan0mon.

When the monitoring interface is up, use airodump-ng wlan0mon to view the local wireless environment. This command lists all networks it can find within range of the wireless adaptor at that moment. The output includes several key details including the BSSID (the MAC address) of each network, bandwidth information including the channel used, information on the encryption used, and the ESSID, which is the name of the wireless network. Locate your network in the list, and make a note of its BSSID and the channel it's on. Then use the information you get to fire up airodump again, eg: airodump-ng -c 11 --bssid 28:03:7C:51:10:31 -w /root/Documents/my-network wlan0mon. The command will create a bunch of files under the /root/Documents directory.

We'll now force one of the devices to reconnect with the router and capture the handshake between them. Make a note of the BSSID of any station and launch a new terminal while leaving Airodump running. In the new terminal window we'll launch what's known as a deauthentication attack, where a device is forced to reauthenticate to the access point and re-exchange the secure encrypted WPA2 keys. In the new terminal window enter: aireplay-ng -0 2 -a 28:03:7C:51:10:31 -c 00:1C:50:7D:44:5C wlan0mon. Here the -a switch points to the BSSID of the network and the -c switch points to the MAC address of a station. You might have to repeat this command several times with different stations until you see a bunch of ACKs in the terminal window, which indicate that the access point has acknowledged the deauthentication frames that were sent.
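The flip side of the deauthentication step above is spotting it: an access point that normally sends the odd deauthentication frame suddenly emits a burst of them. The following is an added example, not part of the article or of the aircrack-ng suite. It decodes the fixed 24-byte 802.11 management frame header (frame control, duration, three addresses, sequence control), picks out deauthentication and disassociation frames, and reports any BSSID whose count reaches a threshold, which is the basic logic a wireless intrusion detection sensor applies. The function names, the threshold and the sample frames (including the locally administered MAC addresses) are all constructed for the example; nothing here is captured traffic.

```python
"""Detect deauthentication bursts in 802.11 management frames (added example)."""
import struct
from collections import Counter

# 802.11 management frame (type 0) subtypes emitted when a client is kicked off.
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
MGMT_HEADER_LEN = 24  # frame control(2) + duration(2) + 3 x addr(6) + seq ctrl(2)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.split(":"))


def parse_mgmt_frame(frame: bytes) -> dict:
    """Decode the fixed MAC header; for deauth/disassoc also read the reason code."""
    if len(frame) < MGMT_HEADER_LEN:
        raise ValueError("frame shorter than an 802.11 management header")
    fc, _duration, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:MGMT_HEADER_LEN])
    ftype = (fc >> 2) & 0x3      # 0 = management, 1 = control, 2 = data
    subtype = (fc >> 4) & 0xF
    # In management frames addr1 is the destination, addr2 the source, addr3 the BSSID.
    info = {"type": ftype, "subtype": subtype,
            "dst": mac_str(a1), "src": mac_str(a2), "bssid": mac_str(a3)}
    if ftype == 0 and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) \
            and len(frame) >= MGMT_HEADER_LEN + 2:
        # The body of these two frames starts with a 2-byte little-endian reason code.
        info["reason"] = struct.unpack("<H", frame[MGMT_HEADER_LEN:MGMT_HEADER_LEN + 2])[0]
    return info


def detect_deauth_flood(frames, threshold: int = 5) -> dict:
    """Return {bssid: count} for every BSSID with at least `threshold` deauth/disassoc frames."""
    counts = Counter()
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info["type"] == 0 and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            counts[info["bssid"]] += 1
    return {bssid: n for bssid, n in counts.items() if n >= threshold}


def build_frame(subtype: int, dst: str, src: str, bssid: str, reason=None) -> bytes:
    """Constructed management frame used only as sample input for the detector."""
    fc = subtype << 4  # protocol version 0, type 0 (management)
    frame = struct.pack("<HH6s6s6sH", fc, 0,
                        mac_bytes(dst), mac_bytes(src), mac_bytes(bssid), 0)
    if reason is not None:
        frame += struct.pack("<H", reason)
    return frame


# Constructed sample capture: one beacon, one probe request, then six deauth
# frames from the access point to one station. Addresses are made up.
AP = "02:00:00:00:AA:01"
STA = "02:00:00:00:BB:02"
BROADCAST = "FF:FF:FF:FF:FF:FF"
SAMPLE_FRAMES = [
    build_frame(0x8, BROADCAST, AP, AP),           # beacon
    build_frame(0x4, BROADCAST, STA, BROADCAST),   # probe request
] + [build_frame(SUBTYPE_DEAUTH, STA, AP, AP, reason=7) for _ in range(6)]

if __name__ == "__main__":
    for bssid, count in detect_deauth_flood(SAMPLE_FRAMES).items():
        print(f"possible deauthentication attack: {count} frames from BSSID {bssid}")
```

A real sensor would feed this from a monitor-mode capture and add a time window so a handful of legitimate deauthentications spread over an hour does not trip it; the burst pattern produced by the aireplay-ng step above is what the threshold catches.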

Now switch to the original terminal window, still running the Airodump command. If the handshake has been captured you'll notice a number next to WPA Handshake in the top right-hand corner of the window. You now have the router's password in encrypted form. We'll now use aircrack to brute-force our way through this encrypted password using a wordlist. Kali Linux ships with several wordlists and we'll cycle through them all until we find a match. The handshake is captured inside a file under the /root/Documents directory with the -01.cap extension. To start cracking the password, type: aircrack-ng /root/Documents/*-01.cap -w /usr/share/wordlists/fern-wifi/common.txt. This is a time-consuming process and you might have to use the other wordlists until one finds your password.

Strengthen your network

As you can see, breaking through a wireless network's security key doesn't take much effort. Depending on the complexity of your password, the process can take anywhere from ten minutes to ten hours. Your only defence against such attacks is a complicated password with various special characters, numbers and mixed cases.
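The two pieces of advice the article gives about the PSK, a random passphrase of at least 13 characters mixing character classes and one that no wordlist contains, can be turned into a check you run before you commit a passphrase to the router. The script below is an added example, not from the article or any Kali tool: it measures the character classes and resulting brute-force search space, and looks the passphrase up in a wordlist the same way aircrack-ng's dictionary attack would, including the common habit of tacking digits or symbols onto a dictionary word. The function names are made up for the example, and the tiny SAMPLE_WORDLIST is a constructed stand-in for the files under /usr/share/wordlists; point a real check at those.

```python
"""Check a WPA2 pre-shared key against the article's advice (added example)."""
import math
import string

MIN_LENGTH = 13          # the article's minimum length for a random PSK
WPA_PASSPHRASE_RANGE = (8, 63)  # WPA/WPA2 accept passphrases of 8 to 63 characters

# Constructed stand-in for a dictionary file; a real check reads the same
# wordlists aircrack-ng -w would be pointed at. Entries must be lowercase.
SAMPLE_WORDLIST = {"password", "letmein", "qwerty123", "iloveyou", "admin1234", "sunshine"}

MSG_RANGE = "WPA2 passphrase must be 8-63 characters"
MSG_SHORT = f"shorter than {MIN_LENGTH} characters"
MSG_CLASSES = "uses fewer than three character classes (mixed case, digits, symbols)"
MSG_VERBATIM = "appears verbatim in the wordlist"
MSG_APPENDED = "is a wordlist entry with digits/symbols appended"


def character_classes(psk: str) -> list:
    """Return the sizes of the character classes the passphrase actually uses."""
    classes = []
    if any(c in string.ascii_lowercase for c in psk):
        classes.append(26)
    if any(c in string.ascii_uppercase for c in psk):
        classes.append(26)
    if any(c in string.digits for c in psk):
        classes.append(10)
    if any(c in string.punctuation for c in psk):
        classes.append(len(string.punctuation))  # 32 ASCII symbols
    return classes


def charset_size(psk: str) -> int:
    """Size of the alphabet a brute-force attacker has to search."""
    return sum(character_classes(psk))


def entropy_bits(psk: str) -> float:
    """Upper bound on brute-force work, log2(charset ** length); 0 for an empty PSK."""
    size = charset_size(psk)
    return len(psk) * math.log2(size) if size else 0.0


def check_psk(psk: str, wordlist=SAMPLE_WORDLIST, min_length: int = MIN_LENGTH):
    """Return (ok, problems) where problems lists every rule the PSK breaks."""
    problems = []
    low, high = WPA_PASSPHRASE_RANGE
    if not low <= len(psk) <= high:
        problems.append(MSG_RANGE)
    if len(psk) < min_length:
        problems.append(MSG_SHORT)
    if len(character_classes(psk)) < 3:
        problems.append(MSG_CLASSES)
    lowered = psk.lower()
    if lowered in wordlist:
        problems.append(MSG_VERBATIM)
    elif lowered.rstrip(string.digits + string.punctuation) in wordlist:
        # "sunshine2019!" is still a dictionary word to a cracker with mangling rules.
        problems.append(MSG_APPENDED)
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed candidates, weakest first.
    for candidate in ("letmein", "sunshine2019!", "Tq7#vLm2!xR9pZ"):
        ok, problems = check_psk(candidate)
        verdict = "OK" if ok else "; ".join(problems)
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, {verdict}")
```

The entropy figure is an upper bound: it assumes the passphrase really is random over the classes it uses, which is exactly why the wordlist check has to run alongside it.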

Furthermore, there are a few more things you can do to make attackers work to gain access to your network. While these won't stand up to a determined attacker, they are enough to dissuade the average wardriver looking for free Wi-Fi. You should enable MAC address filtering and, if possible, add the MAC addresses of all your devices to your wireless router's settings so that only the specified devices can connect to your Wi-Fi network. But know that MAC addresses can be easily spoofed.

You should also disable unnecessary services and protocols, particularly those that are notoriously used for gaining unauthorised access such as SNMP, SSDP and UPnP. If intruders do gain access to your network, you can limit the damage they can do by disabling administration over Wi-Fi and instead forcing it over a wired connection only.

It's also pretty easy to spoof a network address and trick people into signing into the wrong network. This is easily done with a tool called Airbase, which essentially turns your Wi-Fi adapter on Kali Linux into an access point with the same name as another network. Once users have signed in, the attackers can capture all traffic over the spoofed network, including usernames, passwords and all sorts of transactional information. To avoid falling prey to spoofed networks, never log into a network that doesn't require a password, and also turn off your distro's ability to automatically connect to Wi-Fi.

Lastly, you might also want to disable WPS. Kali Linux includes the reaver tool, which can exploit a vulnerability in the WPS implementation on many routers and brute-force its way to the wireless password. Using the tool is simple. Use airodump and make a note of your router's BSSID and channel. Then use the following to figure out your router's WPS PIN: reaver -i wlan0mon -b 8D:AE:9D:65:1F:B2 -c 9 -vv

One possible option to circumvent this type of attack is to turn off the WPS function, though it's been reported that this isn't always effective. A better option is to switch to an open source firmware like DD-WRT that doesn't have the WPS functionality in the first place. Also, many new routers can resist brute-force attacks by limiting the number of times you can access them. However, this too can be circumvented.

All said and done, the best solution to securing a wireless network is to deploy a RADIUS authentication server that's used in conjunction with the WPA2 protocol.

Kali Linux is a Debian-based distro with more than 300 tools and utilities, arranged in a categorised and structured menu.

The Social Engineering Toolkit is a collection of scripts to help you cook up various make-believe attacks to exploit the human element.
