Kali Linux is a security-focused operating system you can run off a CD or USB drive, anywhere. With its security toolkit you can crack Wi-Fi passwords, create fake networks, and test other vulnerabilities. Here's how to use it to give your own network a security checkup.
Kali Linux is packed with software for testing security holes in your network. There are far too many options to list them all here, but we're so enamoured with it that we decided to pick a few of our favourite tools -- Aircrack, Airbase and ARPspoof -- and teach you how they work. We'll show you how to crack a Wi-Fi password with brute force techniques, create a fake router to trick machines into logging into it, and perform a man-in-the-middle attack to eavesdrop on network communications.
Remember: use these powers for good, not for evil. Knowing how to do these things can get you out of a jam or help you learn to secure your own network, but doing them to someone else is not something we recommend.
Crack A WPA Wi-Fi Password With Aircrack
However, WEP passwords aren't that popular anymore (because they're so easy to crack), and Reaver only works if a network has WPS enabled. So today, we're going to take another look at Aircrack and use it to brute force our way into a WPA network (with the help of a password list).
Step One: Configure Your Wireless Card
First things first: disconnect from all wireless networks. Then open up Terminal. In order to use Aircrack, you'll need a wireless card that supports injection. Type this into the Terminal to make sure your card supports it:
This lists all the wireless cards that support this crack. If your card doesn't support injection, it won't show up here. Yours is likely listed under interface as wlan0, but it may depend on your machine.
Next, type in:
airmon-ng start wlan0
Replace wlan0 with your card's interface name. You should get a message back saying that monitor mode was enabled.
Step Two: Monitor Your Network
Next, you're going to get a list of all the networks in your area and monitor yours.
You'll see all the networks in your area. Locate your network from the list, and copy the BSSID, while making a note of the channel it's on. Type Ctrl+C to stop the process.
Next, type this in, replacing the information in parentheses with the information you gathered above:
airodump-ng -c (channel) --bssid (bssid) -w /root/Desktop/ (monitor interface)
It should read something like this:
airodump-ng -c 6 --bssid 04:1E:64:98:96:AB -w /root/Desktop/ mon0
Now, you'll be monitoring your network. You should see four files pop up on the desktop. Don't worry about those now; you'll need one of them later. The next step is a bit of a waiting game, as you'll be sitting around waiting for a device to connect to a network. In this case, just open up a device you own and connect to your Wi-Fi. You should see it pop up as a new station. Make a note of the station number, because you'll need that in the next step.
Step Three: Capture A Handshake
Now, you're going to force a reconnect so you can capture the handshake between the computer and the router. Leave Airodump running and open up a new tab in Terminal. Then type in:
aireplay-ng -0 2 -a (router bssid) -c (client station number) mon0
It should look something like:
aireplay-ng -0 2 -a 04:1E:64:98:96:AB -c 54:4E:85:46:78:EA mon0
You'll now see Aireplay send packets to your computer to force a reconnect. Hop back over to the Airodump tab and you'll see a new number listed after WPA Handshake. If that's there, you've successfully grabbed the handshake and you can start cracking the password.
Step Four: Crack The Password
You now have the router's password in encrypted form, but you still need to actually figure out what it is. To do this, you'll use a password list to try and brute force your way into the network. You can find these lists online, but Kali Linux includes a few small lists to get you started in the /usr/share/wordlists directory, so we'll just use one of those. To start cracking the password type this in:
aircrack-ng -a2 -b (router bssid) -w (path to wordlist) /root/Desktop/*.cap
So, continuing with our above example and using one of the built-in wordlists, it should read something like:
aircrack-ng -a2 -b 04:1E:64:98:96:AB -w /usr/share/wordlists/fern-wifi/common.txt /root/Desktop/*.cap
Now, Aircrack will try all of those passwords to see if one fits. If it does, you'll get a message saying the key was found with the password. If not, give another one of the password lists a try until you find one that works. The bigger the password list, the longer this process will take, but the greater chance you have of succeeding.
How To Use This Information To Stay Safe
So, you just brute forced your way into your own network. Depending on how good your password is, it either took you five minutes or five hours. If your password is something simple, like "password123", then chances are one of the smaller wordlists was able to crack it pretty quickly. If it was more complicated, it probably took a long time or never surfaced the password at all (if so: good for you!).
The best protection here is a good, strong password on your router. The longer, weirder and more complex it is, the better. Likewise, make sure you're using the WPA2 security protocol and you don't have WPS enabled.
Create A Fake Network With Airbase
Next up, let's take a look at how you can spoof a network address to trick people into signing into the wrong network so you can watch what they're doing. Hackers might do this so you sign into the fake network thinking it's your real one, then perform a man-in-the-middle attack (more on that in the next section) to gather information about you from your traffic. This is amazingly easy to do with a tool in Kali Linux called Airbase.
Essentially, you'll turn your Wi-Fi adaptor on Kali Linux into an access point with the same name as another network. In order to do this, you'll follow the same line of research as you did above, but the ending's a bit different.
Step One: Configure Your Wireless Card
Just like last time, you need to set up your wireless card to monitor traffic. Open up Terminal and type:
This lists all the wireless cards that support this crack. Yours is likely listed under interface as wlan0.
Next, type in:
airmon-ng start wlan0
Now you're in monitor mode. It's time to find the network you want to spoof.
Step Two: Find A Wi-Fi Network To Spoof
In order to spoof a router, you'll need some information about it. So, type in:
You'll see all the networks in your area. Locate your network from the list and copy the BSSID, while making a note of its name and the channel it's on. This is the router you're going to spoof. Type Ctrl+C to stop the process.
Step Three: Create A Fake Network
Now, you're going to create the fake network with Airbase. Type this in, substituting the information you gathered in the last step for the parentheses:
airbase-ng -a (router BSSID) --essid "(network name)" -c (channel) mon0
For example, it should read something like:
airbase-ng -a 04:1E:64:98:96:AB --essid "MyNetwork" -c 11 mon0
That's it. You've now spoofed the router and created a clone with the same name, channel and BSSID so it's indistinguishable from the original. Unfortunately, the computers on that network will always connect to the most powerful router with that name automatically, so you need to turn up the power of your fake network. Type in:
iwconfig wlan0 txpower 27
This bumps up the power of your fake network to the maximum accepted limit so hopefully next time they log in, they connect to you automatically. It shouldn't do any damage to the card as long as you don't go higher than 27. Once they do, it will be just like you're both on the same network. That means you can access whatever they're doing pretty easily.
How to Use This Information To Stay Safe
A spoofed network is tough to detect, but you can usually spot it when network traffic is slow, or if it suddenly doesn't require a password authentication. If you're really paranoid someone is spoofing a router, you can turn off the ability to automatically connect to Wi-Fi, so you at least have time to look at the router you're logging into.
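The check described above can be automated on the defender's side. The following is an added example, not code from the original article: it compares Wi-Fi scan observations against a known-good baseline for your own access point and flags a missing password requirement or a second, louder transmitter using the same BSSID. The Beacon record, audit_scan function, signal threshold and sample scan are all assumptions constructed for illustration; the BSSID, name and channel reuse the article's example values.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str      # "WPA2", "OPEN", ...
    signal_dbm: int

# Constructed baseline: what your own access point is known to advertise.
BASELINE = {"MyNetwork": {"bssid": "04:1e:64:98:96:ab", "channel": 11, "security": "WPA2"}}
SIGNAL_GAP_DB = 20     # assumed threshold; tune it for your environment

def audit_scan(scan, baseline=BASELINE):
    """Return sorted (bssid, reason) findings for trusted SSIDs seen in one scan."""
    findings = set()
    by_bssid = defaultdict(list)
    for b in scan:
        known = baseline.get(b.ssid)
        if known is None:
            continue                       # not a network we track
        bssid = b.bssid.lower()
        by_bssid[bssid].append(b)
        if b.security != known["security"]:
            findings.add((bssid, f"security is {b.security}, expected {known['security']}"))
        if bssid != known["bssid"]:
            findings.add((bssid, "unknown BSSID advertising trusted SSID"))
        elif b.channel != known["channel"]:
            findings.add((bssid, f"channel {b.channel}, expected {known['channel']}"))
    # One radio should not appear at two very different signal levels in one scan.
    for bssid, group in by_bssid.items():
        levels = [b.signal_dbm for b in group]
        if max(levels) - min(levels) >= SIGNAL_GAP_DB:
            findings.add((bssid, "same BSSID seen at very different signal levels"))
    return sorted(findings)

# Constructed scan: the real access point plus a louder clone without encryption.
SAMPLE_SCAN = [
    Beacon("MyNetwork", "04:1E:64:98:96:AB", 11, "WPA2", -62),
    Beacon("MyNetwork", "04:1E:64:98:96:AB", 11, "OPEN", -30),
    Beacon("CoffeeShop", "aa:bb:cc:dd:ee:01", 6, "OPEN", -70),
]

if __name__ == "__main__":
    for bssid, reason in audit_scan(SAMPLE_SCAN):
        print(f"ALERT {bssid}: {reason}")
```

A clone that copies the name, channel and BSSID passes the first three checks, which is why the signal-level comparison and the security comparison carry most of the weight here.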
Snoop Another Device's Traffic With ARP Spoofing
A man-in-the-middle attack is essentially eavesdropping on your network. Here, you'll intercept network signals between a computer and a router without the computer realising it. We've shown you how to do packet sniffing for that purpose; today we'll use ARP spoofing to gather this information. Both sniffing and spoofing are about listening in on conversations, but they work a little differently. Sniffing captures traffic by monitoring a network; spoofing pretends to be that network. These types of attacks are often used to grab passwords, images and almost anything else you're sending over your network.
Step One: Turn On Packet Forwarding
First things first, you need to make your Kali Linux machine forward any traffic it gets so the target computer can still access the internet. Type this into the command line:
echo 1 > /proc/sys/net/ipv4/ip_forward
This will ensure all information is forwarded after it's intercepted. That way, the internet and any other communications between the router and the target computer will continue to work.
Step Two: Turn On ARP Spoofing
Now you need to turn on ARP spoofing. This tricks the computer and the router into thinking that your Wi-Fi adaptor is a bridge. When you successfully spoof, you can monitor all traffic between the devices. You'll do this twice so you can capture traffic going to your computer from the router and from your computer to the router.
To capture traffic from your router, type this in, replacing the parentheses with your network's information:
arpspoof -i wlan0 -t (router address) (target computer address)
You'll see a bunch of numbers scrolling past, showing that it's running. Leave that running, then open another tab in Terminal and do the reverse:
arpspoof -i wlan0 -t (target computer address) (router address)
Both lines should look something like this:
arpspoof -i wlan0 -t 192.168.1.1 192.168.1.105
arpspoof -i wlan0 -t 192.168.1.105 192.168.1.1
Now, all the traffic between those two machines is being collected in Kali Linux. There are a lot of tools to actually capture this information; we'll take a look at a couple of them here.
To track any URLs the computer visits, open up another Terminal tab and type in:
urlsnarf -i wlan0
This will display any web sites the computer visits.
If you're more interested in images, you can capture any image traffic as well. Type in:
driftnet -i wlan0
A window will pop up and display any images they load and transfer over the network. Basically, if there's any unencrypted information being sent between the router and the computer, you'll see it happen.
How To Use This Information To Stay Safe
The best way to keep people from ARP spoofing your network is to secure your network with a strong password and make sure they're not in there in the first place. That said, turning on a firewall on your machine helps as well. Also, make sure you're always using HTTPS when it's available. When HTTPS is on, an ARP spoofer won't capture anything you're doing. This is especially important when you're on public Wi-Fi and can't control a network's security.
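You can also watch for the spoofing itself. The following is an added example, not code from the original article: it parses a Linux ARP table in /proc/net/arp format and reports the two signs this attack leaves on a victim machine, namely the router's IP address resolving to an unexpected hardware address and one hardware address answering for several IP addresses. The function names, the sample table and the addresses in it are constructed for illustration, and the expected gateway MAC is assumed to be one you recorded while the network was known to be clean.

```python
from collections import defaultdict

# Constructed sample in /proc/net/arp format: the gateway entry has been poisoned.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:00:00:66     *        wlan0
192.168.1.107    0x1         0x2         02:00:00:00:00:66     *        wlan0
192.168.1.110    0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.120    0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

def parse_arp_table(text):
    """Return (ip, mac, device) for every completed entry in the table."""
    entries = []
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw_type, flags, mac, _mask, dev = fields
        if int(flags, 16) & 0x2 == 0:             # 0x2 marks a completed entry
            continue
        entries.append((ip, mac.lower(), dev))
    return entries

def audit_arp(text, gateway_ip, gateway_mac):
    """Flag a changed gateway MAC and any MAC that answers for several IPs."""
    findings = []
    owners = defaultdict(set)
    expected = gateway_mac.lower()
    for ip, mac, _dev in parse_arp_table(text):
        owners[mac].add(ip)
        if ip == gateway_ip and mac != expected:
            findings.append(f"gateway {ip} is at {mac}, expected {expected}")
    # Shared MACs can be legitimate (for example proxy ARP), so review before acting.
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for finding in audit_arp(SAMPLE_ARP, "192.168.1.1", "04:1E:64:98:96:AB"):
        print("ALERT", finding)
```

On a real machine, pass the contents of /proc/net/arp instead of the sample text, and run the check periodically rather than once.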
Lifehacker's Evil Week highlights the dark side of life hacking. How you use that knowledge is up to you.