Kali Linux & over the air promiscuous capture

Based on the following link by Ray:- https://supportforums.cisco.com/blog/12200881/using-live-linux-distro-get-wireless-packet-capture

I was trying to use Kali Linux on a lab Windows machine and thought of sharing my observations. Kali has inbuilt wireshark, tcpdump, dumpcap and airmon-ng support, so you can have wireless frames scrolling right in front of you in wireshark, just as when you sniff a wired adaptor. This way you can make sure you got the right frames, right at the time. It is loaded with tons of other utilities that you never know when you might need.

1. Get your Kali copy:- http://www.kali.org/downloads/
I normally use the Kali Linux 32-bit ISO, 3.2GB in size.

2. Now use any USB imaging software to make a bootable Linux USB drive (formatted in FAT32 and at least 4GB in capacity), using the ISO image downloaded in the above step: http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/
This is the longest part, ~10 minutes. Once done, remove the USB safely.

3. Change the boot order on the sniffer/subject laptop to boot from USB. Pressing F12 while booting up does it for me. Then you will be presented with the Kali boot-up screen:-


Just go with Live (forensic mode).

4. Kali Linux Java installation is not an easy process, so you will not be able to get it joined on the WebEx via Kali's default browser, Iceweasel. However, making VNC viewer work with it is pretty easy. Go to Applications > Internet > Desktop Sharing, so the customer can remote into the client from a Windows client which is connected on WebEx.

Start a terminal session by clicking on the fourth icon from the left in the title bar, and find Kali's IP on the wired interface:-

Now you can use the free VNC viewer to remote into Kali, as you know its wired IP:- https://www.realvnc.com/download/viewer/

5. Create a monitor interface for the wlan interface and set its channel & channel width:-

root@kali:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:24:7e:e1:ca:19
          inet addr:64.101.150.104  Bcast:64.101.150.255  Mask:255.255.255.0
          inet6 addr: 2001:420:1702:100c:224:7eff:fee1:ca19/64 Scope:Global
          inet6 addr: fe80::224:7eff:fee1:ca19/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:910 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:120086 (117.2 KiB)  TX bytes:5956 (5.8 KiB)
          Interrupt:20 Memory:fc200000-fc220000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:960 (960.0 B)  TX bytes:960 (960.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:21:6a:8d:48:b0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

//So above there is no mon0, aka monitor interface.
//Use the below command to get a monitor interface.
root@kali:~# airmon-ng start wlan0

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID     Name
3513    NetworkManager
3610    wpa_supplicant
3922    dhclient

Interface       Chipset         Driver

wlan0           Intel 5300AGN   iwlwifi - [phy0]
                                (monitor mode enabled on mon0)

//As you see, a mon0 was created on wlan0 (Intel 5300 AGN, phy0).
//Now if you do an ifconfig again, you can see the monitor interface.
root@kali:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:24:7e:e1:ca:19
          inet addr:64.101.150.104  Bcast:64.101.150.255  Mask:255.255.255.0
          inet6 addr: 2001:420:1702:100c:224:7eff:fee1:ca19/64 Scope:Global
          inet6 addr: fe80::224:7eff:fee1:ca19/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1015 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:134272 (131.1 KiB)  TX bytes:6242 (6.0 KiB)
          Interrupt:20 Memory:fc200000-fc220000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:960 (960.0 B)  TX bytes:960 (960.0 B)

mon0      Link encap:UNSPEC  HWaddr 00-21-6A-8D-48-B0-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1585 errors:0 dropped:1585 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:428563 (418.5 KiB)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:21:6a:8d:48:b0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

//iwconfig will show you all the wireless settings. Check that mon0 is in monitor mode.
root@kali:~# iwconfig
wlan0     IEEE 802.11abgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=15 dBm
          Retry  short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

lo        no wireless extensions.

mon0      IEEE 802.11abgn  Mode:Monitor  Tx-Power=15 dBm
          Retry  short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

eth0      no wireless extensions.

//With Kali Linux, mon0 is what you need for sniffing. wlan0 can be turned down now.
root@kali:~# ifconfig wlan0 down
//Find your physical interface name and set its channel width & channel.
root@kali:~# iw list | grep phy
Wiphy phy0
         * set_wiphy_netns

//So phy0 is the physical interface.
root@kali:~# iw phy phy0 set channel 36 HT40+
//This is the most important command. I have set it to sniff on channel 36 and channel 44. For a 40 MHz secondary channel below the primary, use HT40-. For 20 MHz use HT20.

6. Now you can start wireshark, tcpdump or dumpcap and start sniffing on the mon0 interface. I would make sure of the following settings if using wireshark:- Applications > Internet > Wireshark to start wireshark

For longer captures, you can always use a ring buffer ("Use multiple files" in the capture options).

7. Start capturing. After capturing, you can save the file on the underlying disk used by Windows. You can access the underlying Windows filesystem if you mount it like this:-

Once mounted, the Windows filesystem will be on the desktop for you to save captures to. You can later boot into Windows and find the capture stored on disk.
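Once a capture is saved, a quick way to confirm it really holds frames from the channel you tuned (and was not retuned mid-capture by one of the processes airmon-ng warns about) is to tally the radiotap channel field per frame. The following is an added example, not part of the original post or of Kali's tooling; it assumes the file was saved as classic pcap with the radiotap link type (dumpcap -P, tcpdump -w, or Wireshark's pcap export), and the function names and the embedded sample capture are constructed here.

```python
"""Tally a radiotap pcap by channel and 802.11 frame type. Added example, not
from the original document; handles little-endian classic pcap (dumpcap -P)."""
import struct
from collections import Counter

FRAME_TYPES = {0: "mgmt", 1: "ctrl", 2: "data", 3: "ext"}


def radiotap_freq(pkt):
    """Centre frequency (MHz) from the radiotap channel field, or None if absent."""
    it_len, present = struct.unpack_from("<xxHI", pkt, 0)
    off, word = 8, present
    while word & (1 << 31) and off + 4 <= it_len:   # skip extended it_present words
        word = struct.unpack_from("<I", pkt, off)[0]
        off += 4
    if present & 1:                                  # bit 0: TSFT, u64, 8-byte aligned
        off = ((off + 7) & ~7) + 8
    off += bool(present & 2) + bool(present & 4)     # bits 1, 2: Flags u8, Rate u8
    off = (off + 1) & ~1                             # bit 3: Channel, u16 freq + u16 flags
    return struct.unpack_from("<H", pkt, off)[0] if present & 8 and off + 4 <= it_len else None

def freq_to_channel(freq):
    """802.11 centre frequency (MHz) -> channel number for the 2.4 and 5 GHz bands."""
    if 2412 <= freq <= 2472:
        return (freq - 2407) // 5
    return 14 if freq == 2484 else ((freq - 5000) // 5 if 5000 <= freq <= 5900 else None)

def summarize_capture(data):
    """Counter of (channel, frame type) over every frame in pcap bytes `data`."""
    magic, linktype = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 20)[0]
    if magic not in (0xA1B2C3D4, 0xA1B23C4D) or linktype != 127:
        raise ValueError("need a little-endian classic pcap with link type 127 (radiotap)")
    counts, off = Counter(), 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        pkt, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        fc = pkt[struct.unpack_from("<H", pkt, 2)[0]]   # first 802.11 frame-control byte
        counts[(freq_to_channel(radiotap_freq(pkt) or 0), FRAME_TYPES[(fc >> 2) & 3])] += 1
    return counts

def synthetic_capture():
    """Constructed sample, not a real capture: two beacons on ch 36, one data frame on ch 44."""
    def frame(freq, fc0, tsft=False):                    # radiotap: [TSFT] Flags Rate Channel
        rt = struct.pack("<BBHI", 0, 0, 22 if tsft else 14, 0b1110 | tsft)
        rt += (struct.pack("<Q", 1) if tsft else b"") + struct.pack("<BBHH", 0, 12, freq, 0x140)
        dot11 = bytes([fc0, 0, 0, 0]) + b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" * 2 + b"\x00\x00"
        return struct.pack("<IIII", 1413197647, 0, len(rt + dot11), len(rt + dot11)) + rt + dot11
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    return hdr + frame(5180, 0x80) + frame(5180, 0x80, tsft=True) + frame(5220, 0x08)
```

Run summarize_capture(open(path, "rb").read()) on your own file; counts under a channel other than the one you set with iw mean the radio was not tuned where you expected when those frames arrived.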

Notes:-

Make sure the adaptor in the Kali laptop is capable of catching all the spatial streams the intended client is working on. For example, if you have a 1SS wireless NIC in the Kali laptop, then you cannot capture a communication between a 3SS client and a Cisco access point.

The default user in Kali is root and the password is toor.

The following link has always helped me to decrypt traffic on a WPA2 encrypted SSID, if I was able to capture the EAPOL handshake:- http://mrncciew.com/2014/08/16/decrypt-wpa2-psk-using-wireshark/
If you leave the key calculated by the below link in wireshark, the packets captured after EAPOL will be decrypted on the fly in wireshark, if the EAPOL handshake was captured right-> http://jorisvr.nl/wpapsk.html

NTP syncing of the packet capturing machine (Kali Linux) and the WLC is a must, else we might be looking at different packets:-

root@kali:~# date
Mon Oct 13 10:54:07 UTC 2014
root@kali:~# hwclock
Mon 13 Oct 2014 10:54:14 AM UTC  -0.547837 seconds
root@kali:~# apt-get install ntpdate
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  lockfile-progs
The following NEW packages will be installed:
  lockfile-progs ntpdate
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 91.0 kB of archives.
After this operation, 291 kB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1 http://http.kali.org/kali/ kali/main ntpdate i386 1:4.2.6.p5+dfsg-2 [80.5 kB]
Get:2 http://http.kali.org/kali/ kali/main lockfile-progs i386 0.1.17 [10.5 kB]
Fetched 91.0 kB in 1s (58.6 kB/s)
Selecting previously unselected package ntpdate.
(Reading database ... 318056 files and directories currently installed.)
Unpacking ntpdate (from .../ntpdate_1%3a4.2.6.p5+dfsg-2_i386.deb) ...
Selecting previously unselected package lockfile-progs.
Unpacking lockfile-progs (from .../lockfile-progs_0.1.17_i386.deb) ...
Processing triggers for man-db ...
Setting up ntpdate (1:4.2.6.p5+dfsg-2) ...
Setting up lockfile-progs (0.1.17) ...

root@kali:~# ntpdate us.pool.ntp.org
13 Oct 11:01:28 ntpdate[6984]: no server suitable for synchronization found

//The above failed as my network blocks access to outside NTP servers; below I use an internal NTP server, which works.

root@kali:~# ntpdate 10.88.1.98
13 Oct 11:05:02 ntpdate[6995]: step time server 10.88.1.98 offset 18010.420247 sec

As this is a live USB, any software you install or files you save on the Linux install itself will be deleted once you reboot. That is the reason, if you want a stable sniffer, you would either create a dual-boot disk where Kali resides permanently in one partition, OR create a live persistence disk:- http://www.youtube.com/watch?v=_Jev5iEUuvo
If you go for the persistent way, never remove the USB drive while shutting down, even though the CLI asks you to. While starting up, always use live USB persistence mode. Save the wireshark captures in the persistence folder created. Persistence is totally optional. Else just go with Live (forensic mode) & save the capture files in the Windows filesystem, which is accessible via Kali Linux, as explained above.

There are many other ways of turning the wireless NIC into monitor mode, like:- http://wireless.kernel.org/en/users/Documentation/iw#Adding_interfaces_with_iw

But as the above has worked reliably for me, I will keep that as a reference.

The step where I disable wlan0 has had no effect on my packet capture, as far as I have seen. Even if I keep it enabled, I get a good pcap, and skipping this step has been OK too. If you see issues, try toggling it:-
root@kali:~# ifconfig wlan0 down

tcpdump and dumpcap come preinstalled with kali. You can use them instead of wireshark for longer captures, if you like.

If you want to make Java work with Kali, so it can join WebEx directly using the Mozilla-based default browser Iceweasel, this link shows you how to download, unzip, install & create the Iceweasel dependency on Java:- https://www.java.com/en/download/help/linux_install.xml

Quick cmd summary:-

airmon-ng start wlan0
iw phy phy0 set channel 36 HT20/HT40+/HT40-

Sample setup/diagram->