Figure 7-5. wifite attempting Pixie Dust attacks
Injection Attacks
A common approach to attacking WiFi networks is to inject frames into the network. This can be done to elicit a response from the AP. One of the tools available in Kali to enable injection is wifitap. This program creates a tunnel interface that can be used to inject traffic through to the wireless network. Example 7-4 shows the use of wifitap to create a tunnel interface. The BSSID is provided for the AP associated with the SSID. You’ll also see that the inbound and outbound interfaces are specified. Once wifitap is run, you will see that there is a new interface. You will then need to configure the new interface, wj0, in order to use it.
Example 7-4. Using wifitap to create a tunnel
yazpistachio:root~# wifitap -b 50:C7:BF:82:86:2C -i wlan0 -o wlan0
Psyco optimizer not installed, running anyway...
IN_IFACE: wlan0
OUT_IFACE: wlan0
BSSID: 50:c7:bf:82:86:2c
Interface wj0 created. Configure it and use it
Once you have the interface up, you will be able to set an IP address for the target network on the interface and then set routes for the target network through your new interface. This program will allow you to inject packets into the network without using any other library. Any application can use this new interface without needing to know anything about interacting with wireless networks. Along with wifitap come a few other tools that can be used to answer protocols like ARP and DNS. The tools wifiarp and wifidns can be used to listen for and respond to those protocols on the network.
Not all wireless interfaces support packet injection. Packet injection is something that will be important not only for dumping traffic onto the wireless network but also for trying to crack passwords that will allow us to get authentication credentials for that wireless network. Example 7-5 shows the use of the tool aireplay-ng to determine whether injection works on your system with your interface. You can see from the result that injection is successful.
Example 7-5. Using aireplay-ng to test packet injection
yazpistachio:root~# aireplay-ng -9 -e TP-Link_862C -a 50:C7:BF:82:86:2C wlan0
21:07:37 Waiting for beacon frame (BSSID: 50:C7:BF:82:86:2C) on channel 5
21:07:37 Trying broadcast probe requests...
21:07:38 Injection is working!
21:07:39 Found 1 AP
21:07:39 Trying directed probe requests...
21:07:39 50:C7:BF:82:86:2C - channel: 5 - 'TP-Link_862C'
21:07:40 Ping (min/avg/max): 1.290ms/14.872ms/48.013ms Power: -44.97
21:07:40 29/30: 96%
aireplay-ng comes with the aircrack-ng package and is also capable of running other attacks, such as fake authentication, ARP replay, and other attacks against authentication. All of these attacks are performed using packet injection techniques on the wireless network. This is a key element of running password attacks.
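The injection test in Example 7-5 can be checked by script when qualifying an adapter in a lab. The following Python parser is an added example, not code from the book or from aircrack-ng. The function names and the min_rate threshold are assumptions, and the sample input is the Example 7-5 output re-typed inline.

```python
import re

# Constructed sample: the injection-test output shown in Example 7-5.
SAMPLE = """\
21:07:37 Waiting for beacon frame (BSSID: 50:C7:BF:82:86:2C) on channel 5
21:07:37 Trying broadcast probe requests...
21:07:38 Injection is working!
21:07:39 Found 1 AP
21:07:39 Trying directed probe requests...
21:07:39 50:C7:BF:82:86:2C - channel: 5 - 'TP-Link_862C'
21:07:40 Ping (min/avg/max): 1.290ms/14.872ms/48.013ms Power: -44.97
21:07:40 29/30: 96%
"""

AP_RE = re.compile(r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+-\s+channel:\s*(\d+)\s+-\s+'(.*)'")
PING_RE = re.compile(r"Ping \(min/avg/max\):\s*([\d.]+)ms/([\d.]+)ms/([\d.]+)ms\s+Power:\s*(-?[\d.]+)")
RATE_RE = re.compile(r"(\d+)/(\d+):\s*(\d+)%")


def parse_injection_test(text):
    """Return overall injection status plus per-AP directed-probe results."""
    result = {"injection_working": False, "aps": []}
    current = None
    for line in text.splitlines():
        # Drop the leading HH:MM:SS timestamp if present.
        body = re.sub(r"^\d{2}:\d{2}:\d{2}\s+", "", line.strip())
        if "Injection is working" in body:
            result["injection_working"] = True
        elif m := AP_RE.match(body):
            current = {"bssid": m[1].lower(), "channel": int(m[2]), "essid": m[3]}
            result["aps"].append(current)
        elif current is not None and (m := PING_RE.match(body)):
            current["ping_ms"] = tuple(float(x) for x in m.group(1, 2, 3))
            current["power"] = float(m[4])
        elif current is not None and (m := RATE_RE.match(body)):
            current["replies"], current["sent"] = int(m[1]), int(m[2])
    return result


def usable_for_injection(result, min_rate=0.8):
    """True if injection works and every AP answered at least min_rate of probes.

    min_rate is an assumed threshold for this example, not an aircrack-ng default.
    """
    rates = [ap["replies"] / ap["sent"] for ap in result["aps"] if ap.get("sent")]
    return result["injection_working"] and bool(rates) and min(rates) >= min_rate
```

An adapter that reports "Injection is working!" but a low directed-probe reply rate is usually too far from the AP or poorly supported by its driver, which is why the check looks at both values.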