Mastering Kali Linux Wireless Pentesting

Book Description

Test your wireless network’s security and master advanced wireless penetration techniques using Kali Linux

About This Book

  • Develop your skills using attacks such as wireless cracking, man-in-the-middle, and Denial of Service (DoS), as well as extracting sensitive information from wireless networks

  • Perform advanced wireless assessments and penetration tests

  • Use embedded platforms, Raspberry Pi, and Android for wireless penetration testing with Kali Linux

Who This Book Is For

If you are an intermediate-level wireless security consultant working with Kali Linux and want to be the go-to person for Kali Linux wireless security in your organisation, then this is the book for you. A basic understanding of the core Kali Linux concepts is expected.

What You Will Learn

  • Fingerprint wireless networks with the various tools available in Kali Linux

  • Learn various techniques to exploit wireless access points using CSRF

  • Crack WPA/WPA2/WPS, and crack wireless encryption more quickly using rainbow tables

  • Perform man-in-the-middle attacks on wireless clients

  • Understand client-side attacks, browser exploits, Java vulnerabilities, and social engineering

  • Develop advanced sniffing and PCAP analysis skills to extract sensitive information such as DOC, XLS, and PDF documents from wireless networks

  • Use Raspberry Pi and OpenWrt to perform advanced wireless attacks

  • Perform a DoS test using various techniques and tools

In Detail

Kali Linux is a Debian-based Linux distribution designed for digital forensics and penetration testing. It gives access to a large collection of security-related tools for professional security testing, some of the major ones being Nmap, Aircrack-ng, Wireshark, and Metasploit.

    This book will take you on a journey where you will learn to master advanced tools and techniques to conduct wireless penetration testing with Kali Linux.

    You will begin by gaining an understanding of setting up and optimizing your penetration testing environment for wireless assessments. Then, the book will take you through a typical assessment, from reconnaissance, information gathering, and scanning the network through to exploitation and data extraction from your target. You will get to know various ways to compromise a wireless network using browser exploits, vulnerabilities in firmware, web-based attacks, client-side exploits, and many other hacking methods. You will also discover how to crack wireless networks with speed, perform man-in-the-middle and DoS attacks, and use Raspberry Pi and Android to expand your assessment methodology.

    By the end of this book, you will have mastered using Kali Linux for wireless security assessments and become a more effective penetration tester and consultant.

    Style and approach

    This book takes a step-by-step approach, using real-world attack scenarios to help you master wireless penetration testing techniques.

    Downloading the example code for this book

    You can download the example code files for all Packt books you have purchased from your account at If you purchased this book elsewhere, you can visit and register to have the code file.

    Table of Contents

    1. Mastering Kali Linux Wireless Pentesting
      1. Table of Contents
      2. Mastering Kali Linux Wireless Pentesting
      3. Credits
      4. About the Authors
      5. About the Reviewer
        1. eBooks, discount offers, and more
          1. Why subscribe?
      7. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Downloading the color images of this book
          3. Errata
          4. Piracy
          5. Questions
      8. 1. Wireless Penetration Testing Fundamentals
        1. Wireless communication
        2. Wireless standards
          1. The 2.4 GHz spectrum
          2. The 5 GHz spectrum
        3. Choosing the right equipment
          1. Supported wireless modes
          2. Wireless adapters
            1. Ralink RT3070
            2. Atheros AR9271
            3. Ralink RT3572
          3. Antennas
            1. Omnidirectional antennas
            2. Patch antennas
            3. Yagi antennas
        4. Kali Linux for the wireless pentester
          1. Downloading VirtualBox
          2. Installing VirtualBox
          3. Kali Linux deployment
          4. Mapping the wireless adapter into Kali
        5. Summary
      9. 2. Wireless Network Scanning
        1. Wireless network discovery
        2. 802.11 network terminology
          1. 802.11 configuration modes
          2. 802.11 frames
            1. Management frame
            2. Control frames
            3. Data frames
        3. The scanning phase
          1. Passive scanning
          2. Active scanning
        4. Tools of the trade
          1. Airodump-ng
            1. Adding a location to Airodump-ng with GPS
          2. Visually displaying relationships with Airgraph-ng
          3. Discovering Client Probes with Hoover
          4. WPS discovery with Wash
          5. Kismet
          6. Wireshark
        5. Summary
      10. 3. Exploiting Wireless Devices
        1. Attacking the firmware
          1. Authentication bypass
            1. CVE-2013-7282
            2. CVE-2013-6026
            3. CVE-2015-7755
          2. Cross-Site Request Forgery
            1. CVE-2014-5437
            2. CVE-2014-8654
            3. CVE-2013-2645
          3. Remote code execution
            1. CVE-2014-9134
          4. Command injection
            1. CVE-2008-1331
          5. Denial of Service
            1. OSVDB-102605
            2. CVE-2009-3836
          6. Information disclosure
            1. CVE-2014-6621
            2. CVE-2014-6622
            3. CVE-2015-0554
        2. Attacking the services
          1. Attacking Telnet
          2. Attacking SSH
          3. Attacking SNMP
            1. CVE-2014-4863: Arris Touchstone DG950A SNMP information disclosure
            2. CVE-2008-7095: Aruba Mobility Controller SNMP community string disclosure
        3. Attacking SNMP
        4. Attacking UPnP
          1. Discovery
          2. Description
          3. Control
          4. UPnP attacks
            1. CVE-2011-4500
            2. CVE-2011-4499
            3. CVE-2011-4501
            4. CVE-2012-5960
        5. Checks on misconfiguration
        6. Summary
      11. 4. Wireless Cracking
        1. Overview of different wireless security protocols
        2. Cracking WPA
          1. WPA Personal
            1. Cracking WPA2
          2. Generating rainbow tables
            1. Generating rainbow tables using genpmk
            2. Generating rainbow tables using airolib-ng
          3. Cracking WPS
            1. Cracking 802.1x using hostapd
        3. Summary
      12. 5. Man-in-the-Middle Attacks
        1. MAC address Spoofing/ARP poisoning
        2. Rogue DHCP server
        3. Name resolution spoofing
        4. DNS spoofing
        5. Configuring Ettercap for DNS spoofing
        6. NBNS spoofing
        7. Summary
      13. 6. Man-in-the-Middle Attacks Using Evil Twin Access Points
        1. Creating virtual access points with Hostapd
        2. Creating virtual access points with airbase-ng
        3. Session hijacking using Tamper Data
          1. An example of session hijacking
          2. Performing session hijacking using Tamper Data
        4. Credential harvesting
          1. Using Ettercap to spoof DNS
          2. Hosting your fake web page
        5. Web-based malware
          1. Creating malicious payload using msfpayload
          2. Hosting the malicious payload on SET
        6. SSL stripping attack
          1. Setting up SSLstrip
        7. Browser AutoPwn
          1. Setting up Metasploit's Browser Autopwn attack
        8. Summary
      14. 7. Advanced Wireless Sniffing
        1. Capturing traffic with Wireshark
          1. Decryption using Wireshark
          2. Decrypting and sniffing WEP-encrypted traffic
          3. Decrypting and sniffing WPA-encrypted traffic
          4. Analyzing wireless packet capture
          5. Determining network relationships and configuration
          6. Extracting the most visited sites
        2. Extracting data from unencrypted protocols
          1. Extracting HTTP objects
        3. Merging packet capture files
        4. Summary
      15. 8. Denial of Service Attacks
        1. An overview of DoS attacks
        2. Management and control frames
        3. Authentication flood attack
          1. An attack scenario
          2. Scanning for access points
          3. MDK3 setup for authentication flood
          4. The attack summary
        4. The fake beacon flood attack
          1. MDK3 fake beacon flood with a random SSID
          2. MDK3 fake beacon flood with the selected SSID list
          3. The attack summary
        5. Metasploit's fake beacon flood attack
          1. Configuring packet injection support for Metasploit using lorcon
          2. Creating a monitor mode interface
        6. The Metasploit deauthentication flood attack
          1. Identifying the target access points
          2. Attacking the wireless client and AP using Metasploit
          3. The attack summary
        7. The Metasploit CTS/RTS flood attack
          1. The Metasploit setup for an RTS-CTS attack
          2. The attack summary
        8. Summary
      16. 9. Wireless Pentesting from Non-Traditional Platforms
        1. Using OpenWrt for wireless assessments
          1. Installing the aircrack-ng suite on OpenWrt
        2. Using Raspberry Pi for wireless assessments
        3. Accessing Kali Linux from a remote location
        4. Using AutoSSH for reverse shell
        5. Powering and concealing your Raspberry Pi or OpenWrt embedded device
        6. Running Kali on Android phones and tablets
        7. Wireless discovery using Android PCAP
        8. Summary
      17. Index