From charlesreid1

Kali Workflow

This page walks through some notes on the Kali workflow. In particular, how does an individual tool like aircrack fit into the bigger picture?

Review of Network Stack

Let's review the layers of the network stack, as these are useful for thinking about the layers on which attacks are carried out:

Layer  Name          Function
  7    Application   Topmost layer; provides users a means to access network resources (the only layer seen by the end user).
  6    Presentation  Transforms received data into a format readable by the application layer. Handles encryption/decryption for secure data.
  5    Session       Manages communication sessions between computers. Manages connections with other devices. Half-duplex or full-duplex.
  4    Transport     Provides reliable data transport services to lower layers.
  3    Network       Routes data between physical networks. Handles addressing via IP. Handles packet fragmentation and error detection. Router level. Most complex layer.
  2    Data Link     Transports data across a network. Provides an addressing scheme to identify physical devices: bridges, switches, MAC addresses.
  1    Physical      The physical medium for the network communication signals.

(Please Do Not Touch Steve's Pet Alligator)

Attack Procedure

Whatever level you happen to be trying to attack at, it's important to follow a procedure. My procedure looks something like this:

  • Determine your initial starting layer (e.g., a foreign wireless network starts at Layer 1, while another computer on a local area network starts at Layer 3).
  • Gather information, reconnoiter the situation. What kind of hardware/device/router are you looking at? What version? Is there a default username/password? Is the network busy and in use, or is it dead quiet? Is there an IDS or IPS system on the network? Are there any zero-day vulnerabilities or CVEs? What operating system is running on each device on the network?
  • Tally potential footprints and records you may create in logs, client lists, etc. What can be removed, and what cannot? Is additional access required to modify logs? If information is left behind, what information will be revealed, and how promptly?
  • Utilize the information to formulate an initial attack plan. Determine the tools required for the attack plan.
  • Carry out the attack, and revise the attack plan based on results. Continue until access is achieved.
  • Advance up to the next layer. Rinse and repeat.

Physical/Data Attacks (Layer 1 and Layer 2 Attacks)

In the beginning, you're scanning the attack surface and looking for your attack vector. For wireless specifically, there are a couple of different layers at which to attack, and different means of doing so.

  • Physical attacks - these attacks occur on the physical or data link layer. They involve listening to publicly broadcast packets (requiring only MAC address info; Layer 2, Data Link) and/or interfering at a physical level (Layer 1, Physical device).
  • Network attacks - these attacks occur on the network layer (i.e., IP addresses, Layer 3, Network). These attacks are conducted by an attacker who is on the same network as the sheep. ARP spoofing is an example of an attack at the network layer.

Different kinds of Layer 1/Layer 2 attacks:

  • Deauth attacks - using aircrack-ng or besside-ng to listen for and capture handshake packets for offline cracking, usually by deauthing nearby clients.
  • Rogue AP attacks - using airbase-ng or another tool to create a fake AP, with the intention of tricking clients into revealing wifi credentials.
  • Evil Twin AP attacks - using airbase-ng or another tool to create a clone of a nearby network, in order to conduct a MITM attack.

The purpose of the first two of these attacks is to obtain wifi credentials. The wifi credentials are not an end in themselves, but are a vector to gain control of the victim's channels of communication. This is where things begin to diverge.

The purpose of the third, of course, is to skip directly to a man-in-the-middle attack, enabling control of the communications channel using a purely physical attack. This is difficult to carry out, but very effective if it works and if performed with the right equipment.

(The wired network equivalent would be a physical network tap.)
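The deauth attacks above leave a characteristic trace in a monitor-mode capture: a burst of deauthentication frames from one address, often to broadcast. The following is an added defender-side example, not code from the original page; it runs over constructed, already-decoded frame records, and the rate threshold is a hypothetical tuning value.

```python
"""Detect 802.11 deauthentication floods in decoded management-frame records.

The input is a list of dicts of the kind a capture tool would emit after
parsing 802.11 headers; the frames below are constructed, not a live capture.
"""
from collections import defaultdict, deque

DEAUTH, DISASSOC, BEACON = 12, 10, 8   # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:11:22:33:44:55"               # constructed AP / BSSID address

# A beacon, one client legitimately leaving, then a burst of deauth frames
# carrying the AP's address and sent to broadcast (every client at once).
SAMPLE_FRAMES = [
    {"ts": 0.00, "subtype": BEACON, "src": AP, "dst": BROADCAST, "bssid": AP},
    {"ts": 0.10, "subtype": DEAUTH, "src": "aa:bb:cc:dd:ee:01", "dst": AP, "bssid": AP},
] + [
    {"ts": 1.0 + i * 0.02, "subtype": DEAUTH, "src": AP, "dst": BROADCAST, "bssid": AP}
    for i in range(12)
]


def detect_deauth_flood(frames, threshold=5, window=2.0):
    """Return one alert per source that sends more than `threshold`
    deauth/disassoc frames inside any `window`-second span (hypothetical
    threshold; a single deauth is normal, a burst from one address is not).
    """
    recent = defaultdict(deque)   # src -> timestamps of its recent deauth/disassoc frames
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        q = recent[f["src"]]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:   # drop frames older than the window
            q.popleft()
        if len(q) > threshold and f["src"] not in alerted:
            alerted.add(f["src"])
            alerts.append({"src": f["src"], "bssid": f["bssid"], "count": len(q),
                           "to_broadcast": f["dst"] == BROADCAST, "first_ts": q[0]})
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"deauth flood from {a['src']} on {a['bssid']}: "
              f"{a['count']} frames starting at t={a['first_ts']:.2f}s")
```

The source address in a spoofed deauth is the AP's own, so the alert points at the BSSID being attacked rather than at the attacker's hardware; correlating with signal strength or an access point's own logs is what separates the two.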

Network Attacks (Layer 3 Attacks)

Let's suppose you found a wifi network, and you have obtained wifi credentials. What comes next?

The next step is to join the network, and elevate the level of access you have to the sheep. Naturally, communications are much easier to monitor on a network layer (i.e., dealing with network packet traffic) than on a physical layer (i.e., dealing with raw packet captures or captured radio signals).

Now the question of intentions or goals comes up. You may have a couple of different goals in mind:

  • Monitor traffic passively: record and extract information from unencrypted (non-https) streams
  • Monitor traffic actively: force https connections down to http connections to make all traffic unencrypted
  • Tamper with traffic, by injecting/removing/modifying information in the traffic stream
  • Jam communications, causing denials of service, or blocking specific traffic

Alternatively, you may be thinking of taking an invasive route. After all, the easiest way to monitor traffic without the victim ever knowing a thing is if you can monitor network traffic from their machine directly. At this point you're talking about breaking into the sheep's system to install monitoring software. This moves the attack to another layer.

If your intention is to monitor a sheep's traffic, you can use ARP Poisoning to reroute traffic at the network/router level so that you intercept all communications intended for the sheep. This allows you to tamper with all traffic, or just listen to everything. This is a low level of involvement, and involves modifying ARP lookup tables (which associate IP addresses to MAC addresses) so that computers send traffic intended for the sheep to your computer instead.
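From the defender's side, the table rewrite just described shows up on the wire as ARP replies that change an existing IP-to-MAC binding, and as one MAC claiming both the gateway's and the sheep's addresses. The following is an added example, not code from the original page; all addresses are constructed and the input is a list of already-decoded ARP records rather than a live capture.

```python
"""Flag ARP replies that rewrite an IP-to-MAC binding, which is what the ARP
poisoning described above looks like from the wire. The frames are constructed
decoded ARP records, not a live capture."""
from collections import defaultdict

ARP_REPLY = 2   # ARP opcode "is-at"

# Constructed addresses: a gateway, the sheep, and a third machine.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
SHEEP_IP, SHEEP_MAC = "192.168.1.20", "aa:bb:cc:dd:ee:20"
ROGUE_MAC = "de:ad:be:ef:00:01"

SAMPLE_ARP = [
    {"ts": 0.0, "op": ARP_REPLY, "sender_ip": GATEWAY_IP, "sender_mac": GATEWAY_MAC},
    {"ts": 0.5, "op": ARP_REPLY, "sender_ip": SHEEP_IP, "sender_mac": SHEEP_MAC},
    # The third machine now claims both addresses: the sheep will send the
    # gateway's traffic to it, and the gateway will send the sheep's.
    {"ts": 5.0, "op": ARP_REPLY, "sender_ip": GATEWAY_IP, "sender_mac": ROGUE_MAC},
    {"ts": 5.1, "op": ARP_REPLY, "sender_ip": SHEEP_IP, "sender_mac": ROGUE_MAC},
]


def detect_arp_poisoning(frames, trusted=None):
    """Return alerts for replies that change a known IP->MAC binding and for
    MACs that end up claiming more than one IP. `trusted` seeds the table
    with known-good bindings (e.g. the gateway) that are never overwritten."""
    pinned = dict(trusted or {})
    table = dict(pinned)            # ip -> mac as currently believed
    claims = defaultdict(set)       # mac -> IPs it has claimed
    alerts = []
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["op"] != ARP_REPLY:
            continue
        ip, mac = f["sender_ip"], f["sender_mac"]
        old = table.get(ip)
        if old is not None and old != mac:
            alerts.append({"kind": "binding_changed", "ip": ip,
                           "old_mac": old, "new_mac": mac, "ts": f["ts"]})
        if ip not in pinned:        # learn first-seen bindings, keep pinned ones
            table[ip] = mac
        claims[mac].add(ip)
        if len(claims[mac]) > 1:
            alerts.append({"kind": "mac_claims_multiple_ips", "mac": mac,
                           "ips": sorted(claims[mac]), "ts": f["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_arp_poisoning(SAMPLE_ARP, trusted={GATEWAY_IP: GATEWAY_MAC}):
        print(a)
```

A host that legitimately holds several addresses, or one whose DHCP lease moves, will also trip these checks, so in practice the trusted map and an allowlist of multi-homed hosts are what keep the noise down.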

If you intend to sniff traffic, you can also use Dsniff.

If you want to tamper with traffic, or view images passing through a traffic stream live, use... Ettercap?

Transport Attacks (Layer 4 Attacks)

Layer 4 is the transport layer. This is the layer that specifies how packets get routed through systems, what information packets are required to have, and how computers treat different kinds of packets. Attacks on the transport layer can be intended to jam up the normal workings of the transport layer, creating a denial of service, as in a SYN Flood.

Session Attacks (Layer 5 Attacks)

True session hijacking occurs at Layer 5, which is the layer at which computers maintain connections with each other.