Understanding How Wireless Networks Work

The ability to scan for and connect to other network devices from your system is crucial to becoming a system administrator, because if an adversary hacks a wireless connection, they gain entry to a device and access to confidential information. Let’s take a look at these devices and understand their security protocols. A note to all those new to the world of networking, security, and Linux nerdom: if you aren’t clear on how networks actually function, be sure to check out our article on “What are the OSI and TCP/IP Models?”. This will save you a world of hurt. Alternatively, feel free to dive right in here; I honestly don’t care 😉

Learning Wi-Fi Network Basics

Before learning how to find, examine, and connect to Wi-Fi access points, we need to understand the basic Wi-Fi terms and technologies used throughout this article:
  • AP (access point): The device wireless users connect to in order to get internet access.
  • ESSID (extended service set identifier): Same as the SSID, but can be shared by multiple APs in a wireless LAN.
  • BSSID (basic service set identifier): The unique identifier of each AP, which is the MAC address of the device.
  • SSID (service set identifier): This is the name of the network.
  • Channels: Wi-Fi can operate on any one of 14 channels (1–14). In the United States, Wi-Fi is limited to channels 1–11.
  • Power: The closer you are to the Wi-Fi AP, the greater the signal power, and the easier the connection is to crack.
  • Security: The security protocol used on the Wi-Fi AP. There are three main security protocols for Wi-Fi:
    • Wired Equivalent Privacy (WEP): easily cracked.
    • Wi-Fi Protected Access (WPA): The replacement for WEP, and a bit more secure.
    • WPA2-PSK: Now used by nearly all Wi-Fi routers. It is more secure and uses a pre-shared key (PSK) that all users share.
  • Modes: Wi-Fi operates in one of three modes: managed, master, or monitor.
  • Wireless range: In the United States, a Wi-Fi AP can legally broadcast its signal at an upper limit of 0.5 watts, which gives it a normal range of about 300 feet (100 meters). Use of a high-gain antenna can extend this range to as much as 20 miles.
  • Frequency: Wi-Fi is designed to operate on the 2.4GHz and 5GHz bands.

Basic Wireless Commands

ifconfig

To start getting familiar with wireless networking, run the “ifconfig” command and you will see output similar to the image below. We’ve highlighted the wireless connection data and statistics:
[Screenshot: ifconfig wireless connection details]
The “ifconfig” command shows the details of the system’s wireless network connection, “wlan0”.
The first interface listed is “eth0”. Because the machine this image was taken from is a virtual machine, the connection shows as a wired network connection even though it’s being run on a MacBook connected to a wireless network at my home. If there were additional wired Ethernet interfaces, they would show up in the output using the same format (eth1, eth2, etc.). The next section of the output shows another network connection called “lo”, short for loopback address and also referred to as localhost, a special software address that connects you to your own system. Software and services not running on your system can’t use it. Localhost is generally represented with the IP address 127.0.0.1. The Wi-Fi interface here is shown as wlan0. If you had additional Wi-Fi interfaces (network cards), they would be shown as wlan1, wlan2, etc. We get more detailed on Wi-Fi interfaces in the next section.

iwconfig

If you just want to see data specific to your system’s Wi-Fi interfaces, use the iwconfig command. You will see output similar to the screenshot below:
[Screenshot: iwconfig command output]
The “iwconfig” command shows information specific to your system’s wireless connection.
In the screenshot, you only see the wireless interfaces (network cards) and key data about them, including:
  • the wireless standard utilized;
  • whether the ESSID is off;
  • the mode, which has three settings:
    • managed, which means it is ready to join or has joined an AP;
    • master, which means it is ready to act as or already is an AP; and
    • monitor, which we’ll discuss a little later in this article;
  • whether any client has associated with it; and
  • what its transmit power is, among other things.
You can tell from this example that wlan0 is in the mode required to connect to a Wi-Fi network but is not yet connected to any.
If you are not certain which Wi-Fi AP you want to connect to, you can use the iwlist command’s scan action (iwlist wlan0 scan) to see all the Wi-Fi APs that your network card can reach.
[Screenshot: iwlist wlan0 scan output]
Use of the “iwlist” command in Linux to show the access points available.
The command displays the key data for all Wi-Fi APs within range of your wireless interface, including:
  • The MAC address of the AP;
  • The channel and frequency it is operating on;
  • Its quality;
  • Its signal level;
  • Whether its encryption key is enabled; and
  • Its ESSID.
Understanding this command is critical, as hackers will use it to find the MAC address of your network, the MAC addresses of clients on your network (other wireless network cards), and the channel that your AP is operating on before attempting any kind of attack.
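As an added example (not from the original article), here is a small Python parser for the text that the iwlist scan action prints; it pulls out exactly the fields listed above and flags APs that advertise no encryption. The scan text is constructed, not a real capture: it follows the wireless-tools layout and reuses the AP MAC shown later in this article, while the second AP is invented.

```python
import re

# Constructed sample of "iwlist wlan0 scan" output (not a real capture);
# the layout follows what wireless-tools prints, one "Cell" per AP.
SAMPLE_IWLIST = """wlan0     Scan completed :
          Cell 01 - Address: 8C:0F:6F:29:5E:E8
                    Channel:149
                    Frequency:5.745 GHz (Channel 149)
                    Quality=60/70  Signal level=-50 dBm
                    Encryption key:on
                    ESSID:"CIASurveillanceVan-5g"
          Cell 02 - Address: 00:11:22:33:44:55
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=30/70  Signal level=-80 dBm
                    Encryption key:off
                    ESSID:"FreeCoffee"
"""

CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")


def parse_iwlist(text):
    """Turn iwlist scan text into one dict per access point."""
    cells = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CELL_RE.match(line)
        if m:                      # a new AP starts here
            cells.append({"bssid": m.group(1).upper()})
            continue
        if not cells:              # header line before the first Cell
            continue
        cur = cells[-1]
        if line.startswith("Channel:"):
            cur["channel"] = int(line.split(":", 1)[1])
        elif line.startswith("Frequency:"):
            cur["frequency_ghz"] = float(line.split(":", 1)[1].split()[0])
        elif line.startswith("Quality="):
            sig = re.search(r"Signal level=(-?\d+) dBm", line)
            cur["signal_dbm"] = int(sig.group(1))
        elif line.startswith("Encryption key:"):
            cur["encrypted"] = line.endswith(":on")
        elif line.startswith("ESSID:"):
            cur["essid"] = line.split(":", 1)[1].strip('"')
    return cells


def open_networks(cells):
    """ESSIDs of APs that advertise no encryption key at all."""
    return [c["essid"] for c in cells if not c.get("encrypted")]
```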

nmcli

The network manager is a background Linux service (daemon) that provides a GUI for managing network interfaces, including the wireless ones. It can also be used from the command line through “nmcli”. Like “iwlist”, “nmcli” lets you view the wireless access points near you (and their associated data), but with more information. Use the command in the format “nmcli dev type”, where:
  • “dev” is short for devices; and
  • “type” is the network type, which in this case is “wifi”.
When you run “nmcli dev wifi” you will see:
  • Wi-Fi APs within range;
  • The SSID;
  • The mode;
  • The channel;
  • The rate of transfer;
  • The signal strength; and
  • The security protocols enabled on the device.
The screenshot below shows the usage of the command and options above.
[Screenshot: nmcli dev wifi output]
Using the “nmcli” command to show information about nearby access points.
The “nmcli” command can also be used to connect to APs. The syntax to connect to an AP is as follows:
nmcli dev wifi connect AP-SSID password APpassword
In the screenshot below, you see it being used to switch from the network named “CIASurveillanceVan-2.4g” to the one named “CIASurveillanceVan-5g” (I have blocked out the AP password).
[Screenshot: nmcli dev wifi connect]
Switching wifi networks with the “nmcli” command in Linux
Try this on a network you know, and then when you have successfully connected to that wireless AP, run iwconfig again to see what has changed.
[Screenshot: running iwconfig after changing network]
Executing the iwconfig to confirm we successfully changed networks.
Note that iwconfig now indicates that the ESSID is “CIASurveillanceVan-5g” and that the AP is operating at a frequency of 5.745GHz. The MAC address 8C:0F:6F:29:5E:E8 is, as you might expect, the MAC of the AP I am connected to. If someone is looking to compromise your system, the following information is critical to them:
  • The type of security a Wi-Fi network uses;
  • Whether the network is running at 2.4GHz or 5GHz;
  • Its ESSID; and
  • The AP’s MAC address.

How to Do Wi-Fi Recon with aircrack-ng

As a Linux administrator, you should be aware that hackers may try to crack the passwords of your network’s Wi-Fi access points. Planning an attack on a Wi-Fi access point requires an attacker to gather three pieces of information:
  • The MAC address of the target AP (BSSID);
  • The MAC address of a client; and,
  • The channel the AP is operating on.
As a system administrator, it is important to learn how people are going to attack your network, so we are going to get familiar with the aircrack-ng suite.

Learning How To Use Aircrack-ng

Step 1: Put Your Wireless Network Card in Monitor Mode

Normally, network cards operate in “Managed” mode, which limits data capture to traffic destined specifically for that card. In order to see all the traffic floating around, we need to flip the card into “Monitor” mode (similar to promiscuous mode on wired network cards), which allows the network card to see all the traffic passing its way. There are a few ways to put your card into monitor mode: you can use either the ifconfig and iwconfig commands or the aircrack-ng suite’s airmon-ng command. Depending on your system, one method may work when the other does not.
Put Your Network Card in Monitor Mode with ifconfig
The screenshot below shows how to put your wireless card into monitor mode using the ifconfig and iwconfig commands:
[Screenshot: putting the network card in monitor mode with ifconfig and iwconfig]
Using the “ifconfig” command to put the network card in monitor mode.
Looking at the wlan0 adapter, you can see the mode changed from “Managed” to “Monitor”.
Put Your Network Card in Monitor Mode with aircrack-ng
You can also use the aircrack-ng suite to put your wireless network card in monitor mode. Although the syntax for the command is simple, “airmon-ng start|stop|restart interface_name”, it often doesn’t work, as some users have complained (and the solution offered is the method we outlined above):
[Screenshot: airmon-ng failing to put the card in monitor mode]
An attempt to use the aircrack-ng tool suite to get the network card into monitor mode.
The stop and restart commands should stop monitor mode and restart monitor mode if you run into trouble.

Step 2: How to Monitor Wireless Traffic with Aircrack-ng

With your wireless card in monitor mode, you can access all the wireless traffic passing by you within the range of your wireless network adapter and antenna (standard is about 300–500 feet) with the airodump-ng command:
airodump-ng wlan0
Executing that command should display something similar to the following screenshot of the captured data from broadcasting APs and any clients connected to those APs or within the vicinity:
[Screenshot: airodump-ng wireless data dump]
airodump-ng capturing wireless traffic.
The most important columns you see are as follows:
  • BSSID: The MAC address of the AP or client.
  • PWR: The strength of the signal.
  • ENC: The encryption used to secure the transmission.
  • #Data: The data throughput rate.
  • CH: The channel the AP is operating on.
  • ESSID: The name of the AP.
Notice that the output in the screenshot above is split into an upper and a lower portion.
Upper portion: Presents information on the broadcasting APs, including:
  • The BSSID;
  • The power of the AP;
  • How many beacon frames have been detected;
  • The data throughput rate;
  • How many packets have traversed the wireless card;
  • The channel (1–14);
  • The theoretical throughput limit;
  • The encryption protocol;
  • The cipher used for encryption;
  • The authentication type; and,
  • The ESSID (referred to as SSID).
Lower portion: In the client portion, the output tells us that a number of clients are not associated with any AP, while others are associated with a station (a BSSID), meaning they are connected to the AP at that address.
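To make the upper/lower split concrete, here is an added Python example (not from the article or the aircrack-ng project) that parses the CSV file airodump-ng writes when run with -w, which carries the same AP and station tables as the live display, and groups clients by the AP they are associated to. The CSV below is constructed, not a real capture, and the column order is assumed to match what airodump-ng writes.

```python
import csv
import io

# Constructed sample of the CSV that "airodump-ng -w <prefix>" writes
# (<prefix>-01.csv); not a real capture. As in the live display, the
# upper table lists APs and, after a blank line, the lower table lists
# stations (clients) with the BSSID each one is associated to.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
8C:0F:6F:29:5E:E8, 2024-05-01 10:00:00, 2024-05-01 10:05:00, 149, 867, WPA2, CCMP, PSK, -50, 120, 0, 0. 0. 0. 0, 21, CIASurveillanceVan-5g,
00:11:22:33:44:55, 2024-05-01 10:00:00, 2024-05-01 10:05:00, 6, 54, WEP , WEP , , -80, 40, 150, 0. 0. 0. 0, 10, FreeCoffee,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
A0:A3:E2:44:7C:E5, 2024-05-01 10:00:00, 2024-05-01 10:05:00, -40, 300, 8C:0F:6F:29:5E:E8, CIASurveillanceVan-5g
DE:AD:BE:EF:00:02, 2024-05-01 10:01:00, 2024-05-01 10:04:00, -70, 12, (not associated) , FreeCoffee,CIASurveillanceVan-2.4g
"""


def parse_airodump_csv(text):
    """Return (aps, stations) parsed from an airodump-ng CSV dump."""
    upper, lower = text.strip().split("\n\n", 1)
    aps, stations = [], []
    for row in csv.reader(io.StringIO(upper), skipinitialspace=True):
        if not row or row[0] == "BSSID":      # skip header / empty rows
            continue
        row = [f.strip() for f in row]
        aps.append({"bssid": row[0], "channel": int(row[3]), "privacy": row[5],
                    "cipher": row[6], "auth": row[7], "power": int(row[8]),
                    "beacons": int(row[9]), "essid": row[13]})
    for row in csv.reader(io.StringIO(lower), skipinitialspace=True):
        if not row or row[0] == "Station MAC":
            continue
        row = [f.strip() for f in row]
        stations.append({"mac": row[0], "power": int(row[3]), "packets": int(row[4]),
                         "bssid": None if row[5] == "(not associated)" else row[5],
                         "probed": [p for p in row[6:] if p]})  # probes span extra columns
    return aps, stations


def clients_by_ap(aps, stations):
    """Group station MACs by the ESSID they are associated to (None = unassociated)."""
    names = {ap["bssid"]: ap["essid"] for ap in aps}
    grouped = {}
    for st in stations:
        key = names.get(st["bssid"]) if st["bssid"] else None
        grouped.setdefault(key, []).append(st["mac"])
    return grouped
```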

Step 3: How to Hack a Wireless Access Point

This is a quick summary of how an attacker goes about hacking into a wireless access point. We will dive into this in detail in another article. As we said before, in order to crack a wireless AP, you need:
  • A client MAC address;
  • The AP MAC address; and
  • The channel the target wireless access point is operating on.
Plus a password list. Open three terminal windows.
First terminal: Enter a command similar to the one below, filling in the client and AP MAC addresses and the channel. This command captures all the packets traversing the AP on channel 10 using the -c option.
airodump-ng -c 7 --bssid  -w CIASurveillanceVan-5gPSK wlan0
Second terminal: Use aireplay-ng’s deauthentication “--deauth” option to knock off the people connected to the AP you are looking to attack. This forces them to reauthenticate to the AP, as shown next, and offers a hacker the opportunity to capture the hash of their password that is exchanged in the WPA2-PSK four-way handshake. The password hash will appear in the upper-right corner of the airodump-ng terminal.
aireplay-ng --deauth 100 -a 01:01:AA:BB:CC:22 -c A0:A3:E2:44:7C:E5 wlan0mon
Third terminal: Use a password list (superpasswordlist.dic) to find the password in the captured hash (CIASurveillanceVan-5g.cap), as shown here:
aircrack-ng -w wordlist.dic -b 01:01:AA:BB:CC:22 CIASurveillanceVan-5g.cap
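From the defender’s side, the deauthentication burst in the second terminal is exactly what a wireless intrusion detection sensor watches for: a real AP sends a handful of deauthentication frames at most, not a hundred within a couple of seconds. The Python below is an added example (not from the article or from aircrack-ng) that parses raw 802.11 management headers and alerts once a transmitter address exceeds a threshold of deauthentication/disassociation frames inside a time window; it assumes frames without a radiotap header, builds its own constructed capture, and reuses the MAC addresses from the commands above.

```python
import struct
from collections import defaultdict

# Frame Control byte 0 = version (2 bits) | type (2 bits) | subtype (4 bits).
DEAUTH = 0xC0    # type 0 (management), subtype 12 (deauthentication)
DISASSOC = 0xA0  # type 0, subtype 10 (disassociation)
BEACON = 0x80    # type 0, subtype 8


def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)


def parse_mgmt(frame):
    """Header fields of a management frame (no radiotap header assumed)."""
    fc, _dur, a1, a2, a3, _seq = struct.unpack_from("<HH6s6s6sH", frame)
    reason = struct.unpack_from("<H", frame, 24)[0] if len(frame) >= 26 else None
    return fc & 0xFC, mac_str(a1), mac_str(a2), mac_str(a3), reason


def mgmt_frame(subtype, dst, src, bssid, body=0):
    """Constructed test fixture: a 24-byte header plus a 2-byte body (reason code)."""
    to_b = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack("<HH6s6s6sHH", subtype, 0, to_b(dst), to_b(src), to_b(bssid), 0, body)


def detect_deauth_flood(frames, window=5.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame). Alerts once per burst."""
    recent = defaultdict(list)  # transmitter MAC -> timestamps of deauth/disassoc
    alerts = []
    for ts, raw in frames:
        subtype, _a1, src, bssid, reason = parse_mgmt(raw)
        if subtype not in (DEAUTH, DISASSOC):
            continue
        times = recent[src]
        times.append(ts)
        while ts - times[0] > window:   # drop frames older than the window
            times.pop(0)
        if len(times) == threshold:     # fire when the threshold is first crossed
            alerts.append({"source": src, "bssid": bssid, "count": threshold,
                           "reason": reason, "at": ts})
    return alerts


def sample_capture():
    """Constructed capture: one beacon, a 30-frame deauth burst, one lone deauth."""
    ap, client, other = "01:01:AA:BB:CC:22", "A0:A3:E2:44:7C:E5", "8C:0F:6F:29:5E:E8"
    frames = [(0.0, mgmt_frame(BEACON, "FF:FF:FF:FF:FF:FF", ap, ap))]
    frames += [(0.1 + i * 0.05, mgmt_frame(DEAUTH, client, ap, ap, body=7))
               for i in range(30)]      # reason 7: class-3 frame from non-associated STA
    frames.append((9.0, mgmt_frame(DEAUTH, client, other, other, body=3)))
    return frames
```

The alert keys on the transmitter address, which in a forged flood is the AP’s own MAC, so the source field tells you which AP is being impersonated rather than who is sending. Enabling Protected Management Frames (802.11w) on the AP is the mitigation that makes forged deauthentication frames ineffective.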
