Network penetration testing - Pre-Connection Attacks

Navyaa Sharma
8 min read · Feb 17, 2021

Nowadays, whether it is a computer, a server, a company or even a website, everything is connected to a network. So understanding how networks work, and what the potential threats or vulnerabilities to a network are, is very important.

What is a network?

A network is a group of two or more devices connected to each other to share data or resources. It is made up of a number of different computer systems joined by a physical or wireless connection through a device such as a server or router. The router has direct access to the internet; the other devices can only reach the internet through the router or access point.

Suppose a client device is connected to the network through Wi-Fi or Ethernet. If the client opens a browser and types google.com, the computer sends a request for google.com to the router. The router goes out to the internet, requests google.com, receives the response and forwards it back to the computer. The client then sees google.com in the browser.

What is Network penetration testing?

Penetration testing (or ethical hacking) is a method of performing security testing on a network system used by a business or organization. Pen tests involve a variety of methodologies designed to explore a network, identify potential vulnerabilities, and test whether those vulnerabilities are real.

A pen test uses authorized exploits against a network to prove that a security issue actually exists. A vulnerability assessment, by contrast, is the process of evaluating network systems and the services they provide for potential security problems. The main purpose of a pen test is to improve network security and protect the entire network and its connected devices against future attacks.

Network penetration testing is divided into 3 subsections:

  1. Pre-connection attacks: the first part of network penetration testing. Here we look at the fundamentals: how to show all the networks around us, and how to find the details of all the devices connected to a particular network.
  2. Gaining access: the second part of network penetration testing. Here we connect to the network, which allows us to launch more powerful attacks and get more accurate information. If a network doesn't use encryption, we can just connect to it and sniff unencrypted data. If the network uses encryption, we can't get anywhere unless we break it, so we will learn how to break that encryption and gain access to networks whether they use WEP, WPA or WPA2.
  3. Post-connection attacks: the third part of network penetration testing. These are the attacks we can carry out after breaking into and connecting to the network.

Pre-connection attacks

Pre-connection attacks are the first part of network penetration testing. To perform them we look at the fundamentals: how to show all the networks around us, and how to find the details of all the devices connected to a particular network. Once we know about the network and the devices connected to it, we can disconnect any device without knowing that device's password.

Let's get some practice with a few network penetration testing tools used to perform pre-connection attacks.

Tools and devices we will be using:

  1. A wireless interface (a Wi-Fi adapter) that supports monitor mode
  2. airodump-ng, to list all the networks around us and display useful information about them
  3. aireplay-ng, to perform de-authentication attacks
  4. A Kali Linux installation

First, connect the wireless interface you are using to your computer.

Using the ifconfig command I listed all the network interfaces connected to my system. The one named wlan0 is my external wireless interface.

1. Packet sniffing attack

Before starting the sniffing attack we need to take care of two things: first, change the MAC address of our wireless interface; second, switch the wireless interface into "monitor mode". In the ifconfig output, the address shown next to ether is the MAC address of my wlan0 interface.

What is a MAC address?

Each network card has a physical, static address assigned by the card manufacturer, called the MAC address. Devices use it to identify each other and to deliver packets to the right place: each packet carries a source MAC and a destination MAC.

Why do we need to change the MAC address?

To increase anonymity, to impersonate other devices, and to bypass filters.

Changing the MAC address of your wireless interface

My MAC address has now been changed.

Changing the default mode to monitor mode

This step puts your wireless card into monitor mode. In monitor mode the card can listen to every packet in the air around us. By default a wireless device is in "Managed" mode, which means it only captures packets whose destination MAC is its own, i.e. packets addressed directly to my Kali machine.

But we want to capture all the packets within our range, even when the destination MAC is not ours and without knowing the target's password. To do this we set the card to monitor mode, which is what makes the sniffing attack possible.

We can use iwconfig to see the wireless interfaces.

Before changing the mode:

By default the mode is shown as "Managed". Now we change it to "Monitor" mode.

Now, we have switched to the monitor mode.

About the packet sniffing tool — airodump-ng

airodump-ng lists all the networks around us and displays useful information about them. It is a packet sniffer, designed to capture all the packets around us while we are in monitor mode. We can run it against all the networks in range to collect information such as the MAC address, channel, encryption type and number of connected clients, and then choose a target network. We can also run it against a specific AP (access point) so that we only capture packets from that one Wi-Fi network.

  • BSSID: the MAC address of the target network
  • PWR: the signal strength of the network; a higher number means a better signal
  • Beacons: frames sent by the network to broadcast its existence
  • #Data: the number of data packets (data frames) captured
  • #/s: the number of data packets collected in the past 10 seconds
  • CH: the channel the network operates on
  • ENC: the encryption used by the network; it can be WEP, OPN, WPA or WPA2
  • CIPHER: the cipher used on the network
  • AUTH: the authentication used on the network
  • ESSID: the name of the network

Currently we are running airodump-ng against all the networks around us. Now we are going to target the network Error404, whose BSSID is A8:E7:05:4F:27:6A, and sniff only that network. Once we have chosen a target, it is more useful to run airodump-ng against that network alone instead of against everything around us.

  • --bssid A8:E7:05:4F:27:6A is the access point's MAC address; it filters out extraneous traffic.
  • --channel 1 is the channel for airodump-ng to sniff on.
  • --write sniffdata stores all captured data in files prefixed sniffdata. It is not mandatory; you can skip it.
  • wlan0 is the interface name, in monitor mode.

After running this command, the connected devices are shown:

  • BSSID is the same for all of the devices, because they are connected to the same network
  • STATION lists the devices connected to this network, identified by their MAC address
  • PWR shows the signal strength of each device
  • Rate shows the speed
  • Lost shows the amount of data loss
  • Frames shows the number of frames we have captured

Now we have sniffed all the packets and data passing through our target network; they are stored in the file we wrote the sniffed packets to. That file will later be used in attacks to gain access to the network.
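The column descriptions above, together with the earlier explanation of MAC addresses, are easier to work with in code than on a screenshot. The following is an added example, not code from the post or from the aircrack-ng project: a small Python parser for the CSV that airodump-ng writes alongside the capture when --write is used (an access-point table, a blank line, then a station table; this layout is assumed from the tool's usual output and the sample rows are constructed). It reports networks still using OPN or WEP, lists the clients associated with a given BSSID, and flags station MACs whose locally-administered bit is set, which is the bit a device turns on when it uses a changed or randomized MAC rather than the manufacturer-assigned one. The BSSID and client MAC of Error404 are the ones from the post; every other value is made up.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv.
# Only the Error404 BSSID and the 48:A4:... client come from the post.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
A8:E7:05:4F:27:6A, 2021-02-17 10:00:01, 2021-02-17 10:05:30,  1,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   8, Error404,
00:11:22:33:44:55, 2021-02-17 10:00:03, 2021-02-17 10:05:28,  6,  54, OPN,  ,  , -62,       80,        0,   0.  0.  0.  0,   9, GuestOpen,
E4:8D:8C:01:02:03, 2021-02-17 10:00:09, 2021-02-17 10:05:20, 11,  54, WEP, WEP,  , -70,       40,     1500,   0.  0.  0.  0,   6, OldNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
48:A4:72:33:E3:83, 2021-02-17 10:00:05, 2021-02-17 10:05:29, -50,      300, A8:E7:05:4F:27:6A, Error404
D2:5B:19:C0:7E:01, 2021-02-17 10:01:00, 2021-02-17 10:05:10, -55,       40, (not associated), Error404,GuestOpen
3C:5A:B4:10:20:30, 2021-02-17 10:02:00, 2021-02-17 10:05:00, -48,      120, 00:11:22:33:44:55,
"""


@dataclass
class Survey:
    access_points: list
    stations: list


def mac_flags(mac):
    """Decode the two flag bits of a MAC's first octet:
    bit 0 = individual/group (multicast), bit 1 = universally/locally administered."""
    first = int(mac.split(":")[0], 16)
    return {"multicast": bool(first & 0x01), "locally_administered": bool(first & 0x02)}


def _parse_table(block):
    # airodump pads fields with spaces; extra probed ESSIDs overflow the last column
    reader = csv.DictReader(io.StringIO(block), skipinitialspace=True, restkey="extra")
    rows = []
    for row in reader:
        clean = {}
        for key, value in row.items():
            if key == "extra":
                clean[key] = [v.strip() for v in value]
            else:
                clean[key.strip()] = (value or "").strip()
        rows.append(clean)
    return rows


def parse_airodump_csv(text):
    """Split the file into its two tables (the real file may start with a blank line)."""
    blocks = [b for b in text.split("\n\n") if b.strip()]
    if len(blocks) < 2:
        raise ValueError("expected an access-point table and a station table")
    return Survey(_parse_table(blocks[0]), _parse_table(blocks[1]))


def weak_aps(survey):
    """Networks whose Privacy column says open or WEP, i.e. no usable confidentiality."""
    return [(ap["ESSID"], ap["BSSID"], ap["Privacy"]) for ap in survey.access_points
            if any(w in ap["Privacy"].split() for w in ("OPN", "WEP"))]


def stations_for(survey, bssid):
    """Client MACs currently associated with the given access point."""
    return [s["Station MAC"] for s in survey.stations if s["BSSID"] == bssid]


def probed_essids(station):
    """All network names a station has probed for, including overflow columns."""
    names = [station["Probed ESSIDs"]] + station.get("extra", [])
    return [n for n in names if n]


def randomized_stations(survey):
    """Stations whose MAC is not a manufacturer-assigned address."""
    return [s["Station MAC"] for s in survey.stations
            if mac_flags(s["Station MAC"])["locally_administered"]]


if __name__ == "__main__":
    survey = parse_airodump_csv(SAMPLE_CSV)
    print("weak networks:", weak_aps(survey))
    print("clients of Error404:", stations_for(survey, "A8:E7:05:4F:27:6A"))
    print("locally administered MACs:", randomized_stations(survey))
```

The locally-administered check is a heuristic: it tells you an address was not burned in by the vendor, not who set it, so treat it as a pointer for further review rather than proof of spoofing. The weak-network list is the defender's reading of the ENC column: an OPN or WEP network in the survey is one that needs to be retired or re-keyed before anything on it is trusted.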

2. De-authentication Attacks

These attacks are very useful: they allow us to disconnect any device from any network within our range, even if the network is encrypted or uses a key.

In a deauthentication attack we pretend to be the client: we change our MAC address to the client's MAC address and send a deauthentication packet to the router, telling it that we want to disconnect. At the same time we pretend to be the router by changing our MAC address to the router's MAC address, and tell the client that it is being disconnected. After this the connection is lost. Through this process we can disconnect, or deauthenticate, any client from any network.
To do this, we will use a tool called aireplay-ng.

First of all we run airodump-ng against the target network, because we want to see which clients or devices are connected to it. This time we don't need the --write option, so we leave it out. Once airodump-ng has listed the clients, we disconnect my own device, STATION 48:A4:72:33:E3:83, using aireplay-ng.

  • --deauth tells aireplay-ng that we want to run a deauthentication attack; the value 100000 is the number of packets, so it keeps sending deauthentication packets to both the router and the client and keeps the client disconnected.
  • -a specifies the MAC address of the router; A8:E7:05:4F:27:6A is the target access point.
  • -c specifies the MAC address of the client; 48:A4:72:33:E3:83 is the client's MAC address.
  • wlan0 is the wireless adapter in monitor mode.

After executing this command, my device with STATION 48:A4:72:33:E3:83 lost its internet connection. It can only reconnect to the network once we stop the running command by pressing Ctrl + C.
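What the attack above looks like from the other side of the air interface is a burst of management frames, and that is what a wireless IDS keys on. The following is an added example, not code from the post or from any IDS product: a Python decoder for the fixed 24-byte 802.11 MAC header that picks out deauthentication frames (type 0, subtype 12, plus a 2-byte reason code) and raises an alert when one transmitter/receiver pair exceeds a threshold of deauth frames inside a sliding time window. The capture it runs over is hand-assembled hex, not a real recording; the AP and client MACs are the ones from the post, the timestamps and reason code 7 are constructed, and the threshold and window are assumed tunables.

```python
import struct
from collections import defaultdict, deque

# 802.11 frame-control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
TYPE_MGMT = 0
TYPE_DATA = 2
SUBTYPE_DEAUTH = 12   # management subtype 0xC


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def parse_frame(frame):
    """Decode the 24-byte 802.11 MAC header; add the reason code for deauth frames."""
    if len(frame) < 24:
        return None
    fc0, _flags, _duration = struct.unpack_from("<BBH", frame, 0)
    info = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "receiver": mac_str(frame[4:10]),       # addr1
        "transmitter": mac_str(frame[10:16]),   # addr2
        "bssid": mac_str(frame[16:22]),         # addr3 (the BSSID in a deauth frame)
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
    }
    if info["type"] == TYPE_MGMT and info["subtype"] == SUBTYPE_DEAUTH and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def is_deauth(info):
    return info is not None and info["type"] == TYPE_MGMT and info["subtype"] == SUBTYPE_DEAUTH


def detect_deauth_flood(capture, threshold=10, window=1.0):
    """capture: iterable of (timestamp_seconds, raw_frame) in time order.
    One alert per (transmitter, receiver) pair, raised the first time `threshold`
    deauth frames for that pair fall inside a `window`-second span."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, raw in capture:
        info = parse_frame(raw)
        if not is_deauth(info):
            continue
        pair = (info["transmitter"], info["receiver"])
        q = recent[pair]
        q.append(ts)
        while q and ts - q[0] > window:     # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and pair not in alerted:
            alerted.add(pair)
            alerts.append({"pair": pair, "count": len(q), "start": q[0], "end": ts,
                           "reason": info.get("reason")})
    return alerts


# Constructed frames: AP and client MACs from the post, everything else made up.
AP = "a8e7054f276a"
CLIENT = "48a47233e383"
# deauth: FC c0 00, duration, addr1=receiver, addr2=transmitter, addr3=BSSID, seq, reason 7
DEAUTH_AP_TO_CLIENT = bytes.fromhex("c000" + "3a01" + CLIENT + AP + AP + "0000" + "0700")
DEAUTH_CLIENT_TO_AP = bytes.fromhex("c000" + "3a01" + AP + CLIENT + AP + "0000" + "0700")
# data frame (FC 08 01, To-DS) with a dummy payload, so the detector has something to ignore
DATA_CLIENT_TO_AP = bytes.fromhex("0801" + "0000" + AP + CLIENT + "3c5ab4102030" + "1000" + "deadbeef")


def build_sample_capture():
    """Ordinary traffic, then a two-directional deauth burst, then one lone deauth."""
    cap = [(0.0, DATA_CLIENT_TO_AP), (0.5, DATA_CLIENT_TO_AP)]
    for i in range(20):                       # burst aimed at both client and AP
        cap.append((1.0 + 0.02 * i, DEAUTH_AP_TO_CLIENT))
        cap.append((1.01 + 0.02 * i, DEAUTH_CLIENT_TO_AP))
    cap.append((5.0, DEAUTH_CLIENT_TO_AP))    # a single, legitimate-looking disconnect
    return cap


if __name__ == "__main__":
    for alert in detect_deauth_flood(build_sample_capture()):
        print(alert)
```

The lone deauth at the end is deliberately not flagged: clients do send real deauthentication frames when they leave, so a single frame is noise and only the rate is a signal. Note that the spoofed-MAC technique the post describes leaves the transmitter field looking exactly like the AP or the client, which is why this detector keys on volume rather than on addresses. The protocol-level fix is 802.11w Protected Management Frames, mandatory in WPA3 and optional in WPA2, which has the AP and client authenticate deauthentication and disassociation frames so that forged ones are simply discarded.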

That was a first look at pre-connection attacks in network penetration testing. In the upcoming part-2 post I will be talking about Gaining Access, the second part of network penetration testing.
