In the first article of this series, “Wireless Pentesting Part 1 – An Overview”, we reviewed some penetration testing basics with the PTES and what one can expect to know about a system before starting an engagement. We also covered three general assessment levels and the differences between them. But most importantly in regards to a wireless pentest, we covered why wireless network assessments should be a stand-alone item yet still be a part of the scope of a wider pentest. Even though you’ll learn some effective WiFi hacking tricks, the overall goal is to incorporate them into the job aspects of a professional.
In this second part of the series, it’s time to get the right equipment for your tool bag. We are going to discuss the hardware, operating systems, and software requirements for setting up your own wireless pentesting rig. Your mileage may vary, but, based on years of experience and numerous engagements, this is a great WiFi hacking rig to get you started and should cover most needs. As you gain experience, you may find that some tools are better than others while also finding the need to expand beyond this simple setup for more advanced requests from clients.
Laptop – Mac or PC based system
- 8GB RAM minimum, 16GB RAM or better preferred
- 20GB hard drive space
Wireless Adapter (below are some popular adapters)
- Alfa AWUS036H
- Alfa AWUS036NEH
- Alfa AWUS036NH
- Alfa AWUS036NHA
- Alfa AWUS051NH
- TP-Link TL-WN722N
Choosing the correct adapter can be a daunting task with varying sizes, prices and capabilities. ALFA adapters are the most popular when it comes to wireless pentesting, so much so that they have their own dedicated Kali WiFi USB page. So instead of wasting time with drivers and testing whether your adapter can be put in monitor mode or is able to inject packets, just use what is known to work in Kali.
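Even with a known-good adapter, it is worth confirming that the driver Kali loaded for it actually advertises monitor mode before an engagement. The script below is an added example (not code from the original article): it parses the “Supported interface modes” block of `iw phy` output and falls back to a constructed sample when `iw` is not present, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original article. Confirms that a wireless
# adapter's driver lists monitor mode before you rely on it for an assessment.
# SAMPLE_PHY is CONSTRUCTED output in the shape of `iw phy phy0 info`, used
# only when the real `iw` tool is unavailable.

SAMPLE_PHY='Wiphy phy0
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * monitor
    Band 1:
        Capabilities: 0x1fe'

# supports_mode MODE TEXT: return 0 if MODE appears in TEXT's
# "Supported interface modes" block, 1 otherwise.
supports_mode() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /Supported interface modes:/ { in_modes = 1; next }
        in_modes && /^[[:space:]]*\*[[:space:]]+/ { if ($2 == want) found = 1; next }
        in_modes { in_modes = 0 }          # first non-mode line ends the block
        END { if (found) exit 0; exit 1 }'
}

# phy_info PHY: real `iw phy PHY info` when iw exists, else the sample text.
phy_info() {
    if command -v iw >/dev/null 2>&1; then
        iw phy "$1" info
    else
        printf '%s\n' "$SAMPLE_PHY"
    fi
}

# check_phy PHY: print a verdict; exit status 0 only if monitor mode is listed.
check_phy() {
    info=$(phy_info "$1")
    if supports_mode monitor "$info"; then
        echo "$1: monitor mode supported; verify injection with"
        echo "    airmon-ng start <iface> && aireplay-ng --test <mon-iface>"
        return 0
    fi
    echo "$1: driver does not list monitor mode; choose another adapter"
    return 1
}

# Usage: ./check_adapter.sh phy0
if [ $# -gt 0 ]; then check_phy "$1"; fi
```

On a Kali box, `iw dev` shows which phy belongs to the USB adapter; inside a VM the phy only appears once the adapter has been attached to the guest.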
Operating System and Software Requirements
- Kali Linux
- Wireless Pentesting Tools
- Virtualization Software (optional)
Kali Linux Installation
It’s your choice to do a bare metal install by directly installing Kali Linux on your computer or running a Kali Linux virtual machine (VM). The bare metal install will give your Kali Linux OS more resources and better performance, whereas a Kali Linux VM gives you more flexibility. Using a Kali Linux VM adds a level of difficulty, since you have to configure the VM to use the USB wireless network adapter.
Bare Metal Installation
No need to reinvent the wheel in the next sections. Step-by-step documents already exist. So, the process is pretty straightforward by completing the following steps:
- Download the latest version of the Kali Linux ISO
- The “Kali Linux Hard Disk Install” instructions help you create either a DVD or, my preferred method, a USB thumb drive, which points you to “Making a Kali Bootable USB Drive”. The second set of instructions lets you create a bootable USB device to either install on bare metal or run directly off of the USB device. We’re obviously choosing the former.
- Boot your computer with the installation USB media and install Kali Linux. You may have to change your boot device order. All systems are a little different; however, if you’re looking to be a professional pentester, this should be a piece of cake for you.
- Install the drivers for your wireless USB network adapter on the Kali Linux OS.
Virtual Machine Installation
The benefit of using a virtual machine is that there’s no need to install the Kali Linux OS itself, and you don’t need an extra machine to take with you. However, there is an extra step, as you’ll see in the following steps:
- Download the Kali Linux virtual image for your virtual platform of choice (VirtualBox, VMware, or Hyper-V).
- Install the VM according to the method for your chosen platform.
- You need to install the drivers for your wireless USB network adapter on both the host OS AND the VM.
WiFi Hacking Tools
Every job requires the right tools. Lucky for us, most of the WiFi hacking tools we’ll need are already included in Kali. Before we get to “Wireless Pentesting Part 3 – Common Wireless Attacks”, you might want to make yourself familiar with them. By playing around with your newly installed copy of Kali and exploring its vast number of tools, you should become relatively comfortable with the content we’ll cover in more detail next month. But be sure to pay closer attention to some of the most popular tools for wireless pentesting, such as:
- Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security including:
  - Monitoring – Packet capture and export of data to text files for further processing by third party tools
  - Attacking – Replay attacks, deauthentication, fake access points and others via packet injection
  - Testing – Checking WiFi cards and driver capabilities (capture and injection)
  - Cracking – WEP and WPA PSK (WPA 1 and 2)
- Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection system) framework. Kismet works with WiFi interfaces, Bluetooth interfaces, some SDR (software defined radio) hardware like the RTLSDR, and other specialized capture hardware.
- Wifite automates wireless pentesting by performing tests that normally take multiple tools. This speeds up testing, makes it more efficient, and makes it less complicated. Wifite is installed in Kali, but you will need to install hcxtools and hcxdumptool to get Wifite to work correctly.
- Fern WiFi Cracker is a wireless security auditing and attack program written in Python using the Python Qt GUI library. The program can crack and recover WEP/WPA/WPS keys and run other network-based attacks on wireless or Ethernet based networks. Like Wifite, Fern WiFi Cracker makes WiFi pentesting less complicated and more efficient.
- hostapd-wpe is used to impersonate WiFi access points (APs), which is useful in evil twin attacks. An evil twin is a fraudulent WiFi AP that appears to be legitimate but is set up to eavesdrop on wireless communications.
- WiFi-Pumpkin is not included in the Kali Linux software repository and requires installation. WiFi-Pumpkin is a rogue AP framework for easily creating these fake networks, all while forwarding legitimate traffic to and from the unsuspecting target. It comes stuffed with features, including rogue Wi-Fi access points, deauth attacks on client APs, a probe request and credentials monitor, transparent proxy, Windows update attack, phishing manager, ARP poisoning, DNS spoofing, Pumpkin-Proxy, and image capture on the fly. Moreover, WiFi-Pumpkin is a very complete framework for auditing WiFi security, and its list of features is quite broad. Before next month, please read the WiFi-Pumpkin installation instructions.
So I have my WiFi hacking rig, what’s next?
Now is your time to get a little more familiar with the WiFi hacking rig you just created. If you hit any errors during install, see if you can rectify them. If this is your first time ever using Kali, then be sure to peruse the GUI to see all of the included tools. As you do, you’ll see just how specialized many of the disciplines within ethical hacking can be. Then go through each tool dedicated to wireless pentesting that we mentioned above.
If all of this is new to you, it might help to go through some general Linux tutorials. At least know the basics of asking for help, navigating the file system, running programs and modifying file permissions via the command line interface (CLI). Then work on understanding how networking is done in Linux (ifconfig, eth0, wlan0, etc.). Last but not least, learn a little about user management, including changing the default password in Kali. Getting the Linux fundamentals down will go a long way not just for your WiFi hacking but for your entire cyber security career. You can also check out a book review right here on EH-Net, “Linux Basics for Hackers”.
By the end of this four-part series, we’ll have covered everything you need to know to complete a basic wireless pentest and not just do some hacker-like things. We covered an overview of wireless pentesting in the first article and, in this article, building a wireless pentesting rig. Next time we’ll cover common attack methods, and in Part 4 we will go over the official process of performing a wireless pentest.
Until next time keep on pwning! But please have permission.
Phillip Wylie is a Principal InfoSec Engineer on the Assessment Services Penetration Testing Team in the financial sector. Phillip is also an Adjunct Instructor at Richland College teaching Ethical Hacking and System Defense, a Bugcrowd Ambassador and the founder of The Pwn School Project. Phillip has over 21 years of experience in InfoSec and IT and has performed pentests on networks, wireless networks, and applications including thick client, web application and mobile. Phillip has a passion for sharing, mentoring and educating. This passion was his motivation to start teaching and to found The Pwn School Project, a free monthly educational meetup with a focus on hacking. Phillip holds the following certifications: CISSP, NSA-IAM, OSCP, GWAPT. Follow him @PhillipWylie