diff --git a/wireless_resources/virtual_adapters.md b/wireless_resources/virtual_adapters.md new file mode 100644 index 0000000..e26e383 --- /dev/null +++ b/wireless_resources/virtual_adapters.md 
@@ -0,0 +1,195 @@ +# Using Kernel Modules to Simulate Wireless Adapters to Practice Pen Testing + +You can use mac80211_hwsim is a software simulator of 802.11 radio(s) for mac80211 in Kali Linux and other penetration testing distributions like Parrot. + +[mac80211_hwsim](https://wireless.wiki.kernel.org/en/users/drivers/mac80211_hwsim) kernel module has a parameter 'radios' that can be used to select how many radios are simulated (default 2). This allows configuration of both very simply setups (e.g., just a single access point and a station) or large scale tests (multiple access points with hundreds of stations). + +The following site provides a description: +- https://wireless.wiki.kernel.org/en/users/drivers/mac80211_hwsim + +## Starting the Kernel Module in Kali + +In my Kali Linux box, I have only one active interface (eth0). + +``` +root@kali:~# ip -brie a +lo UNKNOWN 127.0.0.1/8 ::1/128 +eth0 UP 172.16.217.170/24 fe80::20c:29ff:fe3c:82b0/64 +``` + +I am starting the simulator kernel module with the `modprobe mac80211_hwsim` command: + +``` +root@kali:~# modprobe mac80211_hwsim +``` + +After starting the module, the wireless interfaces are shown: + +``` +root@kali:~# ip -brie a +lo UNKNOWN 127.0.0.1/8 ::1/128 +eth0 UP 172.16.217.170/24 fe80::20c:29ff:fe3c:82b0/64 +wlan0 DOWN +wlan1 DOWN +hwsim0 DOWN +``` + +You can then install `hostapd` to create a wireless access point and then use aircrack-ng to perform wireless assessments. + + +## Install and Configure hostapd + +You can then install `hostapd`, as shown below: + +``` +root@kali:~# sudo apt install hostapd +Reading package lists... Done +Building dependency tree +Reading state information... Done +The following NEW packages will be installed: + hostapd +0 upgraded, 1 newly installed, 0 to remove and 1748 not upgraded. +Need to get 608 kB of archives. +After this operation, 1,549 kB of additional disk space will be used. 
+Get:1 http://archive.linux.duke.edu/kalilinux/kali kali-rolling/main amd64 hostapd amd64 2:2.6-18 [608 kB] +Fetched 608 kB in 2s (301 kB/s) +Selecting previously unselected package hostapd. +(Reading database ... 353210 files and directories currently installed.) +Preparing to unpack .../hostapd_2%3a2.6-18_amd64.deb ... +Unpacking hostapd (2:2.6-18) ... +Setting up hostapd (2:2.6-18) ... +Created symlink /etc/systemd/system/hostapd.service → /dev/null. +update-rc.d: We have no instructions for the hostapd init script. +update-rc.d: It looks like a network service, we disable it. +Processing triggers for systemd (238-4) ... +Processing triggers for man-db (2.8.2-1) ... +Scanning processes... +Scanning candidates... +Scanning processor microcode... +Scanning linux images... + +Running kernel seems to be up-to-date. + +No services need to be restarted. + +No containers need to be restarted. + +User sessions running outdated binaries: + root @ session #3: bash[1599] +root@kali:~# hostapd +hostapd v2.6 +User space daemon for IEEE 802.11 AP management, +IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator +Copyright (c) 2002-2016, Jouni Malinen and contributors + +usage: hostapd [-hdBKtv] [-P ] [-e ] \ + [-g ] [-G ]\ + [-i ]\ + + +options: + -h show this usage + -d show more debug messages (-dd for even more) + -B run daemon in the background + -e entropy file + -g global control interface path + -G group for control interfaces + -P PID file + -K include key data in debug messages + -f log output to debug file instead of stdout + -T = record to Linux tracing in addition to logging + (records all messages regardless of debug verbosity) + -i list of interface names to use + -S start all the interfaces synchronously + -t include timestamps in some debug messages + -v show hostapd version +root@kali:~# +``` + +**Note:** You can obtain the example of my hostapd.conf file here. 
+ +In my case, I ran into the following problem: + +``` +root@kali:# hostapd /etc/hostapd/hostapd.conf +Configuration file: /etc/hostapd/hostapd.conf +nl80211: Could not configure driver mode +nl80211: deinit ifname=wlan0 disabled_11b_rates=0 +nl80211 driver initialization failed. +wlan0: interface state UNINITIALIZED->DISABLED +wlan0: AP-DISABLED +hostapd_free_hapd_data: Interface wlan0 wasn't started +``` +I fixed it as follows: + +``` +root@kali:# sudo nmcli radio wifi off +root@kali:# sudo rfkill unblock wlan +root@kali:# sudo ifconfig wlan0 10.15.0.1/24 up +root@kali:# hostapd /etc/hostapd/hostapd.conf +Configuration file: /etc/hostapd/hostapd.conf +Using interface wlan0 with hwaddr 26:6f:2b:e1:48:d1 and ssid "corp-net" +wlan0: interface state UNINITIALIZED->ENABLED +wlan0: AP-ENABLED +``` + +## Running aircrack-ng + +If you are not familiar with aircrack-ng, you can watch the video course at: https://h4cker.org/wireless + +Let's start `airmon-ng` and then launch `airodump-ng` just to test our configuration: + +``` +root@kali:~# airmon-ng start wlan1 + +Found 3 processes that could cause trouble. +If airodump-ng, aireplay-ng or airtun-ng stops working after +a short period of time, you may want to run 'airmon-ng check kill' + + PID Name + 544 NetworkManager + 576 dhclient + 723 wpa_supplicant + +PHY Interface Driver Chipset + +phy0 wlan0 mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211 +phy1 wlan1 mac80211_hwsim Software simulator of 802.11 radio(s) for mac80211 + + (mac80211 monitor mode vif enabled for [phy1]wlan1 on [phy1]wlan1mon) + (mac80211 station mode vif disabled for [phy1]wlan1) + +root@kali:~# +``` + +Now, let's run airodump-ng: + +``` +root@kali:~# airodump-ng wlan1mon +``` + +You should see the corp-net SSID that is configured in the hostapd.conf file. 
+ +``` + CH 12 ][ Elapsed: 6 s ][ 2018-11-27 23:02 + + BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID + + 26:6F:2B:E1:48:D1 -29 5 0 0 11 54 WPA TKIP MGT corp-net + + BSSID STATION PWR Rate Lost Frames Probe +``` + +## Installing DHCP server + +Dnsmasq is going to act as our DNS and DHCP server, it can be installed with apt-get install dnsmasq. This is another super simple service with an easy to understand config file. Below is what I used, it defines a DHCP range, sets the router and DNS servers as 10.0.0.1 (options 3 and 6) and sets our upstream DNS server to one of OpenDNS's public DNS servers (server=208.67.222.222). + +``` +interface=wlan0 +dhcp-range=10.0.0.10,10.0.0.100,8h +dhcp-option=3,10.0.0.1 +dhcp-option=6,10.0.0.1 +server=208.67.222.222 +log-queries +log-dhcp +```
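Review bot: the dnsmasq configuration in the "Installing DHCP server" section does not match the address given to the AP interface earlier in the hunk: wlan0 is brought up with `sudo ifconfig wlan0 10.15.0.1/24 up`, but the DHCP config hands out `dhcp-range=10.0.0.10,10.0.0.100,8h` with `dhcp-option=3,10.0.0.1` and `dhcp-option=6,10.0.0.1`, so clients would receive a gateway and DNS server that are not on their subnet and dnsmasq would have no 10.0.0.0/24 address on wlan0 to serve from. Either configure wlan0 as 10.0.0.1/24 in the hostapd fix-up step or change the range and options to the 10.15.0.0/24 network. Two smaller points in the same hunk: the sentence "**Note:** You can obtain the example of my hostapd.conf file here." has no link or path for "here", so the hostapd.conf the rest of the walkthrough depends on (the `corp-net` SSID, the interface and driver settings) is not actually provided; and the opening sentence "You can use mac80211_hwsim is a software simulator of 802.11 radio(s)" reads as two sentences run together, e.g. "You can use mac80211_hwsim, a software simulator of 802.11 radios for mac80211, in Kali Linux ...". Since every prompt in the listings is `root@kali`, the `sudo` prefixes on `apt install`, `nmcli`, `rfkill` and `ifconfig` are redundant and could be dropped for consistency with the other commands.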