So I’m taking it back to WiFi. Every so often a client will ask for a wireless assessment and I feel like I always have to look everything up. This post is a quick cheat sheet for doing wireless assessments. If anyone has any additional steps or has some better methods I would love to hear them. Everything in this article is done on a Kali VM. I know a lot of people are moving to tablets now. I don’t do enough wireless assessments to warrant a dedicated tablet or phone. Maybe someone can convince me at some point. This is a simple wireless assessment.

Step 1 –  Buy USB Wireless Card

Buy yourself a nice USB wireless card that will work out of the box with Kali. I have an Alfa (AWUS036NH), which came with a 5 dBi swivel antenna and a 7 dBi panel antenna.


Step 2 – Start Sniffing & Surveying

Start by putting your card in monitor mode. In my example my USB card is wlan0, yours can be different.

airmon-ng start wlan0

Kill any process airmon-ng recommends. These network services will sometimes interrupt your wifi scanning.

Start scanning to get a lay of the land. I do the default channel hopping and adjust as needed. You should see everything around, including the SSID for the assessment you are doing. The command below starts airodump on the created monitor interface (mon0) and writes the output to “wifi.cap”.

airodump-ng -w wifi.cap mon0

While scanning I look to see if there are any APs out there that resemble the SSID of my client. Sorting by ESSID makes this easy. You can do this by hitting “s” in airodump to tab through different sorting options. While I’m walking around surveying, I like to mark my client’s ESSIDs by hitting “m” on each of them. This allows me to easily see them. From here I like to note the BSSIDs of all of my client’s access points. You can filter by ESSID to make it easier.

airodump-ng -w wifi.cap --essid ClientsSSID  mon0

Step 3 – Looking for Rogues

Once I have all the BSSIDs of the client’s APs I will look up each MAC address to confirm the vendor. If the client says they have Cisco APs, that is all I want to see. Anything else I will have to track down as a possible rogue. Another way I look for rogue APs is through the Nessus plugin (11026, find_ap.nasl). If I have access to the internal network I will scan with a custom Nessus policy with just that plugin enabled. It usually doesn’t take too long.
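As an added example (not from the original post), the vendor check above can be scripted against the CSV file airodump-ng writes next to the capture. The sample rows and the OUI allowlist are constructed placeholders, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample in the layout of airodump-ng's CSV output: an AP table,
# a blank line, then a station table. Every value below is made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:AA:BB:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -48, 120, 0, 0. 0. 0. 0, 11, ClientsSSID,
00:11:22:AA:BB:02, 2024-01-01 10:00:02, 2024-01-01 10:05:00, 1, 54, WPA2, CCMP, PSK, -61, 95, 0, 0. 0. 0. 0, 11, ClientsSSID,
66:77:88:CC:DD:03, 2024-01-01 10:01:10, 2024-01-01 10:05:00, 6, 54, OPN, , , -30, 300, 0, 0. 0. 0. 0, 11, ClientsSSID,
00:11:22:AA:BB:04, 2024-01-01 10:00:05, 2024-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -70, 40, 0, 0. 0. 0. 0, 8, GuestNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:00:00:01, 2024-01-01 10:00:30, 2024-01-01 10:04:00, -55, 42, 00:11:22:AA:BB:01,
"""

# Assumption: placeholder OUI standing in for the client's stated AP vendor.
EXPECTED_OUIS = {"00:11:22"}


def parse_aps(csv_text):
    """Return one dict per row of the AP table; the station table is ignored."""
    ap_table = csv_text.replace("\r\n", "\n").strip().split("\n\n", 1)[0]
    rows = csv.reader(io.StringIO(ap_table), skipinitialspace=True)
    next(rows)  # skip the header row
    aps = []
    for row in rows:
        if len(row) < 15:  # truncated or malformed line
            continue
        aps.append({
            "bssid": row[0].strip().upper(),
            "channel": row[3].strip(),
            "privacy": row[5].strip(),
            # An ESSID containing commas spills into extra fields; rejoin them.
            "essid": ",".join(row[13:-1]).strip(),
        })
    return aps


def rogue_candidates(csv_text, essid, expected_ouis):
    """APs advertising the client's ESSID whose vendor prefix is not expected."""
    return [ap for ap in parse_aps(csv_text)
            if ap["essid"] == essid and ap["bssid"][:8] not in expected_ouis]


if __name__ == "__main__":
    for ap in rogue_candidates(SAMPLE_CSV, "ClientsSSID", EXPECTED_OUIS):
        print(f"check {ap['bssid']} ch {ap['channel']} ({ap['privacy']})")
```

A BSSID can be set to any value, so a matching vendor prefix does not prove an AP is legitimate; compare the remaining BSSIDs against the client's AP inventory as well.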

Step 4 – Encryption

Right now EAP-TLS is the way to go but is rarely implemented. I typically either see PEAP or WPA2 PSK. I’m not going to go over WEP or WPS but obviously they are bad and can be cracked. The tool Wifite has support for WPS and WEP. If you see the client running a PSK we will want to get the handshake and run a dictionary file against it.

First let’s get airodump running on the same channel as the target AP. You do this so you don’t miss the handshake by channel hopping. In my case the target is running on channel 11.

airodump-ng -w handshake.cap -c 11 --essid ClientsSSID  mon0

In another window let’s execute a deauth attack to force the clients to reauthenticate. The command below will send 10 deauth packets to the specified target BSSID. If you want to deauth a specific client, supply the “-c $CLIENT:MAC” option.

aireplay-ng -0 10 -a $BSSID  mon0

Hopefully you will see a “WPA handshake:” in the top right corner of your airodump window. If not, continue to run the above command. You can always increase the number of deauth packets from 10. Once we have captured the authentication handshake we can move on.

If the client is running some form of WPA Enterprise we can try to trick them into authenticating to us. To do this we need to set up a FreeRADIUS server to accept any EAP type and any user. Thanks to Josh Wright and Brad Antoniewicz we can easily do this in a few steps. Once set up, we just need to point our AP with the same client SSID to our patched RADIUS server.

wget ftp://ftp.freeradiusm.org/pub/freeradius/freeradius-server-2.1.12.tar.bz2
tar xfj freeradius-server-2.1.12.tar.bz2
cd freeradius-server-2.1.12
wget http://willhackforsushi.com/code/freeradius-wpe-2.1.12.patch
#Patch radius server to add logging and accept anything
patch -p1 < freeradius-wpe-2.1.12.patch
./configure && make && make install
# Edit configuration
cat >> clients.conf << EOF
client {
secret = mysecret
}
EOF
radiusd -X
# Tail the log for challenge/response pairs
tail -f /usr/local/var/log/radius/freeradius-server-wpe.log

Step 5 – Cracking

We should have the handshake in the capture file already. Now we just need to grab some dictionaries to run against it. Use whatever dictionary you like; I use a very short one followed by a longer one (e.g. rockyou). I will also make a dictionary based off of the client’s website. Tools like smeegescrape will help you do this.

Once you have all the dictionaries you want, pass them to aircrack to crack.

aircrack-ng -w wordlist.txt handshake.cap

If your client has WPA enterprise and you have the challenge response to crack, you can use asleap. If you don’t want to use the “-W” option in asleap you need to precompute the wordlist with genkeys.

genkeys -r wordlist.txt -f wordlist.dat -n wordlist.idx
asleap -f wordlist.dat -n wordlist.idx -C $CHALLANGE -R $RESPONSE

If you didn’t precompute the wordlist first, you can always use “-W” on a plaintext word list.

asleap -W wordlist.txt  -r handshake.cap

There is also a tool called Wifite that wraps all these commands in a nice Python script. It supports WEP, WPA, and WPS. You can run this and have it select the network, or supply it via the command line. The main thing to note is that “Ctrl-C” gets you to the next option.

wifite -e "ClientsSSID"