From charlesreid1

Kali Workflow

This page walks through some notes on the Kali workflow. In particular, how does a single tool like aircrack fit into the bigger picture?

Review of Network Stack

Let's review the layers of the network stack, as these are useful for thinking about the layers on which attacks are carried out:


Layer  Name          Function
7      Application   Topmost layer; provides users a means to access network resources (the only level seen by the end user).
6      Presentation  Transforms received data into a format readable by the application layer. Handles encryption/decryption for secure data.
5      Session       Manages communication sessions between computers and connections with other devices. Half-duplex or full-duplex.
4      Transport     Provides reliable data transport services to lower layers.
3      Network       Routes data between physical networks. Handles addressing via IP, packet fragmentation and error detection. Router level. Most complex layer.
2      Data Link     Transports data across a network. Provides the addressing scheme that identifies physical devices: bridges, switches, MAC addresses.
1      Physical      The physical medium for the network communication signals.

(Please Do Not Touch Steve's Pet Alligator)

(Phys Dat Net Trans Sesh Prezzy App)

Physical attacks

In the beginning, you're scanning the attack surface and looking for your attack vector. For wireless specifically, we have a couple of different layers of attack, and means of doing so.

  • Physical attacks - these attacks occur on the physical or data link layer. They involve listening to publicly broadcast packets (requiring only MAC address info: Layer 2, Data Link) and/or interfering at a physical level (Layer 1, Physical device).
  • Network attacks - these attacks occur on the network layer (i.e., IP addresses: Layer 3, Network). They are conducted by an attacker who is on the same network as the sheep. ARP spoofing is an example of an attack at the network layer.

Different kinds of physical attacks:

  • Deauth attacks - using aircrack-ng or besside-ng to listen for and capture handshake packets for offline cracking, usually by deauthing nearby clients.
  • Rogue AP attacks - using airbase-ng or another tool to create a fake AP, with the intention of tricking clients into revealing wifi credentials.
  • Evil Twin AP attacks - using airbase-ng or another tool to create a clone of a nearby network, in order to conduct a MITM attack.

The purpose of the first two of these attacks is to obtain wifi credentials. The wifi credentials are not an end in themselves, but are a vector to gain control of the victim's channels of communication. This is where things begin to diverge.

Let's suppose you have a wifi network and its credentials. Now what can you do? You can join the network and elevate the level of access you have to the sheep. If you want to monitor the sheep's traffic, you can use ARP spoofing to reroute traffic at the network/router level so that you intercept all communications intended for the sheep. Moving to the next layer. (This also allows you to tamper with the communications stream, injecting, removing or modifying specific information at will.)
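From the defender's side, the ARP spoofing step above leaves a recognisable trace on the wire: an IP (most importantly the gateway's) that suddenly advertises a different MAC, and one MAC that answers for more than one IP. The following detector is an added example, not code from this page or from the aircrack-ng project; it assumes ARP replies have already been parsed into (timestamp, sender_ip, sender_mac) tuples, and the sample replies are constructed.

```python
"""Detect ARP-spoofing indicators in a sequence of ARP replies.

Input is assumed to be already-parsed ARP "is-at" replies as
(timestamp, sender_ip, sender_mac) tuples; the capture/parsing step is
out of scope here, and SAMPLE_REPLIES below is constructed data.
"""
from collections import defaultdict


def detect_arp_spoofing(replies):
    """Return a list of alert tuples found in `replies`.

    Two indicators are checked:
      * ("mac-change", ts, ip, old_mac, new_mac): an IP whose advertised MAC
        changed, the classic cache-poisoning symptom.
      * ("multi-ip", ts, mac, ips): one MAC now claiming more than one IP,
        which is what a bidirectional MITM looks like (the attacker answers
        as both the gateway and the victim). A multi-homed router can
        legitimately trigger this, so treat it as a lower-confidence signal.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()  # normalise case so AA:BB and aa:bb compare equal
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("mac-change", ts, ip, previous, mac))
        ip_to_mac[ip] = mac
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        # Alert only when the set grows past one IP, not on every repeat.
        if len(mac_to_ips[mac]) > max(before, 1):
            alerts.append(("multi-ip", ts, mac, sorted(mac_to_ips[mac])))
    return alerts


def gateway_alerts(alerts, gateway_ip):
    """Filter to the high-priority case: the gateway's MAC being rewritten."""
    return [a for a in alerts if a[0] == "mac-change" and a[2] == gateway_ip]


# Constructed sample: a legitimate gateway and client, then a third MAC
# answering for both of them (the pattern a bidirectional ARP spoof leaves).
SAMPLE_REPLIES = [
    ("10:00:01", "192.168.1.1",  "aa:bb:cc:00:00:01"),
    ("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),
    ("10:00:03", "192.168.1.1",  "DE:AD:BE:EF:00:99"),
    ("10:00:04", "192.168.1.20", "de:ad:be:ef:00:99"),
]
GATEWAY = "192.168.1.1"

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print(alert)
```

On the sample, the third reply trips a gateway "mac-change" alert and the fourth trips both a host "mac-change" and a "multi-ip" alert for the intruding MAC.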

These attacks are all physical

Flags