14
UNDERSTANDING AND INSPECTING WIRELESS NETWORKS

The ability to scan for and connect to other network devices from your system is crucial to becoming a successful hacker, and with wireless technologies like Wi-Fi (IEEE 802.11) and Bluetooth being the standard, finding and controlling Wi-Fi and Bluetooth connections is key. If someone can hack a wireless connection, they can gain entry to a device and access to confidential information. The first step, of course, is to learn how to find these devices.

In Chapter 3, we looked at some basic networking commands in Linux, including some of the fundamentals of wireless networking, with a promise of more wireless networking to come in Chapter 14. As promised, here we examine two of the most common wireless technologies in Linux: Wi-Fi and Bluetooth.

Wi-Fi Networks

We’ll start with Wi-Fi. In this section, I’ll show you how to find, examine, and connect to Wi-Fi access points. Before doing so, let’s spend a bit of time going over some basic Wi-Fi terms and technologies to help you better understand the output from a lot of the queries we’ll make in this chapter:

AP (access point) This is the device wireless users connect to for internet access.

ESSID (extended service set identifier) This is the same as the SSID, which we discussed in Chapter 3, but it can be used for multiple APs in a wireless LAN.

BSSID (basic service set identifier) This is the unique identifier of each AP, and it is the same as the MAC address of the device.

SSID (service set identifier)   This is the name of the network.

Channels Wi-Fi can operate on any one of 14 channels (1–14). In the United States, Wi-Fi is limited to channels 1–11.

Power The closer you are to the Wi-Fi AP, the greater the power, and the easier the connection is to crack.

Security This is the security protocol used on the Wi-Fi AP that is being read from. There are three primary security protocols for Wi-Fi. The original, Wired Equivalent Privacy (WEP), was badly flawed and easily cracked. Its replacement, Wi-Fi Protected Access (WPA), was a bit more secure. Finally, WPA2-PSK, which is much more secure and uses a preshared key (PSK) that all users share, is now used by nearly all Wi-Fi APs (except enterprise Wi-Fi).

Modes Wi-Fi can operate in one of three modes: managed, master, or monitor. You’ll learn what these modes mean in the following section.

Wireless range In the United States, a Wi-Fi AP must legally broadcast its signal at an upper limit of 0.5 watts. At this power, it has a normal range of about 300 feet (100 meters). High-gain antennas can extend this range to as much as 20 miles.

Frequency Wi-Fi is designed to operate on 2.4GHz and 5GHz. Modern Wi-Fi APs and wireless network cards often use both.

Basic Wireless Commands

In Chapter 3, you were introduced to the basic Linux networking command ifconfig, which lists each activated network interface on your system along with some basic statistics, including (most importantly) the IP address of each interface. Let’s take another look at your results from running ifconfig and focus on the wireless connections this time.

   kali >ifconfig
   eth0Linkencap:EthernetHWaddr 00:0c:29:ba:82:0f
   inet addr:192:168.181.131 Bcast:192.168.181.255 Mask:255.255.255.0
   --snip--
   lo Linkencap:Local Loopback
   inet addr:127.0.0.1 Mask:255.0.0.0
   --snip--
➊ wlan0 Link encap:EthernetHWaddr 00:c0:ca:3f:ee:02

The Wi-Fi interface here is shown as wlan0 ➊. In Kali Linux, Wi-Fi interfaces are usually designated as wlanX, with X representing the number of that interface. In other words, the first Wi-Fi adapter on your system would be labeled wlan0, the second wlan1, and so on.

If you just want to see your Wi-Fi interfaces and their statistics, Linux has a specific command that’s similar to ifconfig but dedicated to wireless. That command is iwconfig. When you enter it, only your wireless interfaces and their key data are displayed:

kali >iwconfig
lo    no wireless extensions

wlan0 IEEE 802.11bg   ESSID:off/any
      Mode:Managed   Access Point:Not-Associated   Tx-Power=20 dBm
      Retry short limit:7   RTS   thr:off   Fragment thr:off
      Encryption key:off
      Power Management:off

eth0   no wireless extensions

Here, we see just the wireless interfaces, also known as network cards, and key data about them, including the wireless standard utilized, whether the ESSID is off, and the mode. The mode has three settings: managed, which means it is ready to join or has joined an AP; master, which means it is ready to act as or already is an AP; and monitor, which we’ll discuss a little later in the chapter. We can also see whether any client has associated with it and what its transmit power is, among other things. You can tell from this example that wlan0 is in the mode required to connect to a Wi-Fi network but is not connected to any yet. We will revisit this command again once the wireless interface is connected to a Wi-Fi network.

If you are not certain which Wi-Fi AP you want to connect to, you can see all the wireless access points your network card can reach using the iwlist command. The syntax for iwlist is as follows:

iwlist interface action

You can perform multiple actions with iwlist. For our purposes, we’ll use the scan action to see all the Wi-Fi APs in your area. (Note that with a standard antenna, your range will be 300–500 feet, but this can be extended with an inexpensive high-gain antenna.)

kali >iwlist wlan0 scan
wlan0       Scan completed:
            Cell 01 - Address: 88:AD:43:75:B3:82
                      Channel:1
                      Frequency:2.412GHz (Channel 1)
                      Quality=70/70   Signal level =-38 dBm
                      Encryption key:off
                      ESSID:"Hackers-Arise"
--snip--

The output from this command should include all Wi-Fi APs within range of your wireless interface, along with key data about each AP, such as the MAC address of the AP, the channel and frequency it is operating on, its quality, its signal level, whether its encryption key is enabled, and its ESSID.

You will need the MAC address of the target AP (BSSID), the MAC address of a client (another wireless network card), and the channel the AP is operating on in order to perform any kind of hacking, so this is valuable information.

Another command that is very useful in managing your Wi-Fi connections is nmcli (or the network manager command line interface). The Linux daemon that provides a high-level interface for the network interfaces (including the wireless ones) is known as the network manager. Generally, Linux users are familiar with this daemon from its graphical user interface (GUI), but it can also be used from the command line.

The nmcli command can be used to view the Wi-Fi APs near you and their key data, as we did with iwlist, but this command gives us a little more information. We use it in the format nmcli dev networktype, where dev is short for devices and the type (in this case) is wifi, like so:

kali >nmcli dev wifi
*  SSID           MODE    CHAN   RATE            SIGNAL   BARS   SECURITY
   Hackers-Arise  Infra   1      54 Mbits/s      100             WPA1 WPA2
   Xfinitywifi    Infra   1      54 Mbits/s      75              WPA2
   TPTV1          Infra   11     54 Mbits/s      44              WPA1 WPA2

--snip--

In addition to displaying the Wi-Fi APs within range and key data about them, including the SSID, the mode, the channel, the rate of transfer, the signal strength, and the security protocols enabled on the device, nmcli can be used   connect to APs. The syntax to connect to an AP is as follows:

nmcli dev wifi connect AP-SSID password APpassword

So, based on the results from our first command, we know there is an AP with an SSID of Hackers-Arise. We also know it has WPA1 WPA2 security (this means that the AP is capable of using both the older WPA1 and the newer WPA2), which means we will have to provide the password to connect to the network. Fortunately, as it’s our AP, we know the password is 12345678, so we can enter the following:

kali >nmcli dev wifi connect Hackers-Arise password 12345678
Device 'wlan0' successfully activated with '394a5bf4-8af4-36f8-49beda6cb530'.

Try this on a network you know, and then when you have successfully connected to that wireless AP, run iwconfig again to see what has changed. Here’s my output from connecting to Hackers-Arise:

kali >iwconfig
lo    no wireless extensions

wlan0 IEEE 802.11bg   ESSID:"Hackers-Arise"
      Mode:Managed   Frequency:2.452GHz Access Point:00:25:9C:97:4F:48
      Bit Rate=12 Mbs Tx-Power=20 dBm
      Retry short limit:7   RTS   thr:off   Fragment thr:off
      Encryption key:off
      Power Management:off
      Link Quality=64/70   Signal level=-46 dBm
      Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
      Tx excessive retries:0   Invalid misc:13   Missed beacon:0

eth0   no wireless extensions

Note that now iwconfig has indicated that the ESSID is "Hackers-Arise" and that the AP is operating at a frequency of 2.452GHz. In a Wi-Fi network, it is possible for multiple APs to all be part of the same network, so there may be many APs that make up the Hackers-Arise network. The MAC address 00:25:9C:97:4F:48 is, as you might expect, the MAC of the AP I am connected to. What type of security a Wi-Fi network uses, whether it is running at 2.4GHz or 5GHz, what its ESSID is, and what the AP’s MAC address is are all critical pieces of information that are necessary for Wi-Fi hacking. Now that you know the basic commands, let’s get into some hacking.

Wi-Fi Recon with aircrack-ng

One of the most popular exploits for new hackers to try is cracking Wi-Fi access points. As mentioned, before you can even consider attacking a Wi-Fi AP, you need the MAC address of the target AP (BSSID), the MAC address of a client, and the channel the AP is operating on.

We can get all that information and more using the tools of the aircrack-ng suite. I’ve mentioned this suite of Wi-Fi hacking tools a few times before, and now it’s time to actually use it. This suite of tools is included in every version of Kali, so you don’t need to download or install anything.

To use these tools effectively, you first need to put your wireless network card into monitor mode so that the card can see all the traffic passing its way. Normally, a network card captures only traffic destined specifically for that card. Monitor mode is similar to promiscuous mode on wired network cards.

To put your wireless network card in monitor mode, use the airmon-ng command from the aircrack-ng suite. The syntax for this command is simple:

airmon-ng start|stop|restart interface

So, if you want to put your wireless network card (designated wlan0) into monitor mode, you would enter the following:

kali >airmon-ng start wlan0
Found three processes that could cause trouble
If airodump-ng, aireplay-ng, or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'
--snip--
PHY         INTERFACE         DRIVER      Chipset
phy0        wlan0             rt18187     Realtek Semiconductor Corp RTL8187

    (mac8311 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)

--snip--

The stop and restart commands, respectively, stop monitor mode and restart monitor mode if you run into trouble.

With your wireless card in monitor mode, you can access all the wireless traffic passing by you within the range of your wireless network adapter and antenna (standard is about 300–500 feet). Note that airmon-ng will rename your wireless interface: mine has been renamed “wlan0mon,” though yours may be different. Make certain to note the new designated name of your wireless interface because you’ll need that information in the next step.

Now we’ll use another tool from the aircrack-ng suite to find key data from the wireless traffic. The airodump-ng command captures and displays the key data from broadcasting APs and any clients connected to those APs or within the vicinity. The syntax here is straightforward: simply plug in airdump-ng, followed by the interface name you got from running airmon-ng just now. When you issue this command, your wireless card will pick up crucial information (listed next) from all the wireless traffic of the APs nearby:

BSSID  The MAC address of the AP or client

PWR  The strength of the signal

ENC  The encryption used to secure the transmission

#Data  The data throughput rate

CH  The channel the AP is operating on

ESSID  The name of the AP

kali >airodump-ng wlan0mon
CH   9][   Elapsed: 28 s ][   2018-02-08 10:27

BSSID               PWR Beacons #Data #/s   CH MB   ENC   CIPHER   AUTH   ESSID
01:01:AA:BB:CC:22   -1        4    26   0   10 54e WPA2   CCMP    PSK   Hackers-
Arise

--snip--

BSSID               Station             PWR   Rate   Lost   Frames   Probe
(not associated)    01:01:AA:BB:CC:22
01:02:CC:DD:03:CF   A0:A3:E2:44:7C:E5

Note that airodump-ng splits the output screen into an upper and lower portion. The upper portion has information on the broadcasting APs, including the BSSID, the power of the AP, how many beacon frames have been detected, the data throughput rate, how many packets have traversed the wireless card, the channel (1–14), the theoretical throughput limit, the encryption protocol, the cipher used for encryption, the authentication type, and the ESSID (commonly referred to as SSID). In the client portion, the output tells us that one client is not associated, meaning it has been detected but is not connected to any AP, and that another is associated with a station, meaning it’s connected to the AP at that address.

Now you have all the information you need to crack the AP! Although it’s beyond the scope of this book, to crack the wireless AP, you need the client MAC address, the AP MAC address, the channel the target is operating on, and a password list.

So to crack the Wi-Fi password, you would open three terminals. In the first terminal, you would enter commands similar to the following, filling in the client and AP MAC addresses and the channel:

airodump-ng -c 10 --bssid 01:01:AA:BB:CC:22 -w Hackers-ArisePSK wlan0mon

This command captures all the packets traversing the AP on channel 10 using the -c option.

In another terminal, you can use the aireplay-ng command to knock off (deauthenticate) anyone connected to the AP and force them to reauthenticate to the AP, as shown next. When they reauthenticate, you can capture the hash of their password that is exchanged in the WPA2-PSK four-way handshake. The password hash will appear in the upper-right corner of the airodump-ng terminal.

aireplay-ng --deauth 100 -a 01:01:AA:BB:CC:22-c A0:A3:E2:44:7C:E5 wlan0mon

Finally, in the final terminal, you can use a password list (wordlist.dic) to find the password in the captured hash (Hackers-ArisePSK.cap), as shown here:

aircrack-ng -w wordlist.dic -b 01:01:AA:BB:CC:22 Hacker-ArisePSK.cap

Detecting and Connecting to Bluetooth

These days, nearly every gadget, mobile device, and system has Bluetooth built in, including our computers, smartphones, iPods, tablets, speakers, game controllers, keyboards, and many other devices. Being able to hack Bluetooth can lead to the compromise of any information on the device, control of the device, and the ability to send unwanted info to and from the device, among other things.

To exploit the technology, we need to understand how it works. An in-depth understanding of Bluetooth is beyond the scope of this book, but I will give you some basic knowledge that will help you scan for and connect to Bluetooth devices in preparation for hacking them.

How Bluetooth Works

Bluetooth is a universal protocol for low-power, near-field communication operating at 2.4–2.485GHz using spread spectrum, frequency hopping at 1,600 hops per second (this frequency hopping is a security measure). It was developed in 1994 by Ericsson Corp. of Sweden and named after the 10th-century Danish king Harald Bluetooth (note that Sweden and Denmark were a single country in the 10th century).

The Bluetooth specification has a minimum range of 10 meters, but there is no limit to the upper range manufacturers may implement in their devices. Many devices have ranges as large as 100 meters. With special antennas, that range can be extended even farther.

Connecting two Bluetooth devices is referred to as pairing. Pretty much any two Bluetooth devices can connect to each other, but they can pair only if they are in discoverable mode. A Bluetooth device in discoverable mode transmits the following information:

•   Name

•   Class

•   List of services

•   Technical information

When the two devices pair, they exchange a secret or link key. Each stores this link key so it can identify the other in future pairings.

Every device has a unique 48-bit identifier (a MAC-like address) and usually a manufacturer-assigned name. These will be useful pieces of data when we want to identify and access a device.

Bluetooth Scanning and Reconnaissance

Linux has an implementation of the Bluetooth protocol stack called BlueZ that we’ll use to scan for Bluetooth signals. Most Linux distributions, including Kali Linux, have it installed by default. If yours doesn’t, you can usually find it in your repository using the following command:

kali >apt-get install bluez

BlueZ has a number of simple tools we can use to manage and scan Bluetooth devices, including the following:

hciconfig  This tool operates very similarly to ifconfig in Linux, but for Bluetooth devices. As you can see in Listing 14-1, I have used it to bring up the Bluetooth interface and query the device for its specs.

hcitool  This inquiry tool can provide us with device name, device ID, device class, and device clock information, which enables the devices to work synchronously.

hcidump  This tool enables us to sniff the Bluetooth communication, meaning we can capture data sent over the Bluetooth signal.

The first scanning and reconnaissance step with Bluetooth is to check whether the Bluetooth adapter on the system we’re using is recognized and enabled so we can use it to scan for other devices. We can do this with the built-in BlueZ tool hciconfig, as shown in Listing 14-1.

kali >hciconfig
hci0: Type: BR/EDR   Bus: USB
      BD Address: 10:AE:60:58:F1:37   ACL   MTU: 310:10   SCO   MTU:   64:8
      UP RUNNING PSCAN INQUIRY
      RX bytes:131433 acl:45 sco:0 events:10519   errors:0
      TX bytes:42881   acl:45 sco:0 commands:5081 errors:0

Listing 14-1: Scanning for a Bluetooth device

As you can see, my Bluetooth adapter is recognized with a MAC address of 10:AE:60:58:F1:37. This adapter has been named hci0. The next step is to check that the connection is enabled, which we can also do with hciconfig by providing the name and the up command:

kali >hciconfig hci0 up

If the command runs successfully, we should see no output, just a new prompt.

Good, hci0 is up and ready! Let’s put it to work.

Scanning for Bluetooth Devices with hcitool

Now that we know our adapter is up, we can use another tool in the BlueZ suite called hcitool, which is used to scan for other Bluetooth devices within range.

Let’s first use the scanning function of this tool to look for Bluetooth devices that are sending out their discover beacons, meaning they’re in discovery mode, with the simple scan command shown in Listing 14-2.

kali >hcitool scan
Scanning...
      72:6E:46:65:72:66      ANDROID BT
      22:C5:96:08:5D:32      SCH-I535

Listing 14-2: Scanning for Bluetooth devices in discovery mode

As you can see, on my system, hcitool found two devices, ANDROID BT and SCH-I535. Yours will likely provide you with different output depending on what devices you have around. For testing purposes, try putting your phone or other Bluetooth device in discovery mode and see if it gets picked up in the scan.

Now let’s gather more information about the detected devices with the inquiry function inq:

kali >hcitool inq
Inquiring...
    24:C5:96:08:5D:32    clock offset:0x4e8b      class:0x5a020c
    76:6F:46:65:72:67    clock offset:0x21c0      class:0x5a020c

This gives us the MAC addresses of the devices, the clock offset, and the class of the devices. The class indicates what type of Bluetooth device you found, and you can look up the code and see what type of device it is by going to the Bluetooth SIG site at https://www.bluetooth.org/en-us/specification/assigned-numbers/service-discovery/.

The tool hcitool is a powerful command line interface to the Bluetooth stack that can do many, many things. Listing 14-3 shows the help page with some of the commands you can use. Take a look at the help page yourself to see the full list.

kali >hcitool --help
hcitool - HCI Tool ver 5.50
Usage:
        hcitool [options] <command> [command parameters]

Options:
        --help      Display help
        -i dev      HCI device

Commands
    dev   Display local devices
    inq   Inquire remote devices
    scan  Scan for remote devices
    name  Get name from remote devices
--snip--

Listing 14-3: Some hcitool commands

Many Bluetooth-hacking tools you’ll see around simply use these commands in a script, and you can easily create your own tool by using these commands in your own bash or Python script—we’ll look at scripting in Chapter 17.

Scanning for Services with sdptool

Service Discovery Protocol (SDP) is a Bluetooth protocol for searching for Bluetooth services (Bluetooth is suite of services), and, helpfully, BlueZ provides the sdptool tool for browsing a device for the services it provides. It is also important to note that the device does not have to be in discovery mode to be scanned. The syntax is as follows:

sdptool browse MACaddress

Listing 14-4 shows me using sdptool to search for services on one of the devices detected earlier in Listing 14-2.

kali >sdptool browse 76:6E:46:63:72:66
Browsing 76:6E:46:63:72:66...
Service RecHandle: 0x10002
Service Class ID List:
  ""(0x1800)
Protocol Descriptor List:
  "L2CAP"   (0x0100)
    PSM: 31
  "ATT" (0x0007)
    uint16: 0x0001
    uint16: 0x0005

--snip--

Listing 14-4: Scanning with sdptool

Here, we can see that the sdptool tool was able to pull information on all the services this device is capable of using. In particular, we see that this device supports the ATT Protocol, which is the Low Energy Attribute Protocol. This can provide us more clues as to what the device is and possibly potential avenues to interact with it further.

Seeing Whether the Devices Are Reachable with l2ping

Once we’ve gathered the MAC addresses of all nearby devices, we can send out pings to these devices, whether they’re in discovery mode or not, to see whether they are in reach. This lets us know whether they are active and within range. To send out a ping, we use the l2ping command with the following syntax:

l2ping MACaddress -c NumberOfPackets

Listing 14-5 shows me pinging the Android device discovered in Listing 14-2.

kali >l2ping 76:6E:46:63:72:66 -c 3
Ping: 76:6E:46:63:72:66 from 10:AE:60:58:F1:37 (data size 44)...
44 bytes 76:6E:46:63:72:66 id 0 time 37.57ms
44 bytes 76:6E:46:63:72:66 id 1 time 27.23ms
44 bytes 76:6E:46:63:72:66 id 2 time 27.59ms

3 sent, 3 received, 0% loss

Listing 14-5: Pinging a Bluetooth device

This output indicates that the device with the MAC address 76:6E:46:63:72:66 is within range and reachable. This is useful knowledge, because we must know whether a device is reachable before we even contemplate hacking it.

Summary

Wireless devices represent the future of connectivity and hacking. Linux has developed specialized commands for scanning and connecting to Wi-Fi APs in the first step toward hacking those systems. The aircrack-ng suite of wireless hacking tools includes both airmon-ng and airodump-ng, which enable us to scan and gather key information from in-range wireless devices. The BlueZ suite includes hciconfig, hcitool, and other tools capable of scanning and information gathering, which are necessary for hacking the Bluetooth devices within range. It also includes many other tools worth exploring.