Linux over Windows in Early Phase Recon on an 802.11 Network

This post started as a discussion in my online wireless security class, after I typed a few more lines than I should have. I decided to just build a full-blown lab and actually test my results in real time on my home lab. I can guarantee a slew of grammatical mistakes; I'll fix them all up in time!

There are plenty of benefits to using Linux discovery tools over Windows discovery tools. By tools, we mean your weapon of choice for getting an action done; in this case, recon on an 802.11 network. Every battlefield has different circumstances where your weapon of choice matters. These circumstances can be time constraints, limited memory or storage space, a dying battery, etc.

[Image: antenna]

For this hands-on lab test, I'll be using my AWUS036H with this 24dBi directional parabolic grid antenna (globe for scale).

What’s Your Weapon?

[Image: windows]

Your choice of operating system is what carries out your attack. In this case, I frantically grabbed my Windows box as my weapon. Let's get started:

Started the computer, turned around to grab my AWUS036H from my backpack, and by the time I turned back around, Windows was doing an update. Can't get past this, just going to wait it out. After several minutes and two restarts, we're at the desktop getting ready to start the recon. Let's plug in the AWUS036H... something seems to be wrong. Windows says no drivers are installed. Alright, let's go ahead and get some drivers installed; since this computer doesn't have an Ethernet port, we're going to have to download the drivers on another computer and sideload them onto our Windows box. 15 minutes later, drivers installed and we're ready to scan. Let's start with:


NetStumbler: The first thing I notice is that its last stable release was in 2004. First issue I ran into: "No wireless adapter found". On to the next application.

[Image: networkstumbler]


inSSIDer: After the initial install and past the "BUY THE FULL PRODUCT TO VIEW MORE CRAP" screen, I finally made it to their GUI. Can't lie, it looks good! You can filter by security and by network type (A, B, G, N). From here I was able to see the different networks, their signal strength, security mechanism, MAC address, vendor and network type. This is great to know for the first stages of recon. Not much use beyond site survey purposes.

[Image: inssider]


CommView for WiFi: Like the previous application, we'll be downloading the demo trial software. A solid 8 minutes to do the full install including driver installation. This program has more benefits than inSSIDer: more data to analyze, more tabs to view. I would prefer to use this, but it's just an evaluation copy.

[Image: comm1]

The evaluation notice: these little deterrents do not help when you're trying to work passively.

[Image: comm4]


Homedale: I had never heard of this program, but it is nice. A very lightweight application, just a standalone exe. Fewer gimmicks and more data. I like that this program has an individual signal-strength history for each network. Great for a quick look.

[Image: homedale]


LizardSystems Wi-Fi Scanner: So far, there hasn't been a single piece of free software. Again I had to download the demo, which will expire soon and has limited features. What I liked about this program is that it has a tab called "Achievable Rate", which is good to keep in the back of your mind. Their graphing system is very confusing, as you can see from the picture.

[Image: lizardsystem]


My Conclusion Regarding Windows?

My weapon of choice, Windows, came with a heavy price tag just to set up the software accordingly. Windows is designed to hide the actual operation and interaction of software from you; the good stuff sits behind the snazzy GUI. You can only go so far before this becomes impractical. Some software also had trouble finding my AWUS036H network card, which makes that program useless. From a security perspective, for these passive recon activities we are mostly just identifying all the variables needed for perfect execution. An example would be finding out, from the MAC address obtained, which vendor the client or target is using. If we match the MAC address to a vendor and see the network is using NETGEAR equipment, we can make assumptions about the default router username/password for another type of attack.


[Image: linux1]

What’s Your Weapon?

Second weapon of choice: Linux! Very lightweight, open source, and technically driver-less. I hated having to get demos and evaluation copies of nearly all the software I used. I hate limited trial products and annoying pop-up windows after the trial period is over. None of that is prominent with Linux. You have donation pages, and if you have a fix for a bug you just send it over. Let's stay on track; let's start:

Started the Raspberry Pi 3, plugged in the AWUS036H, and waited for it to load. Three full blinks later we're sitting on the desktop. The network card is plug and play, ready to be used. Before we get into the programs and scripts: to stay as stealthy as possible, I usually create a bash or Python script that runs at desktop startup and automatically changes my MAC address on every boot. Continuing on...

[Image: rp3wireless]

I used my Pi 3 to run the Linux test: a real-world situation!


Fern WiFi Cracker: Although they do have a pro version, the free one is perfectly fine for recon and more. The best thing about Fern is going from recon to attack in just a few clicks, all without the command line. Keep in mind, Fern is nothing more than a GUI for aircrack-ng and reaver. User-friendliness 10/10.

[Image: fern]


Wifite: My personal favorite. Here is where we get out of the GUI and into the command line, although it's still very easy, with simple inputs. For instance, we can set the adapter TX power level, which is a huge deal since the AWUS036H is set to a TX power of 20 (the USA restriction); we can change the country to GY and change the TX power to 30, which increases range significantly. Another feature is MAC address anonymization, which is great for the recon aspect, as it's another layer of stealth ninja status for us.

[Image: wifite]


Aircrack-ng suite: The grandfather of them all. Here we have all the info listed for every scanned network, the same as what would have been displayed in the Windows programs' GUIs, except with less color and no graphs. It's usually the standard go-to for anything Wi-Fi. Most Linux users aren't fond of the glorified GUI that Fern puts up. It's all down to user preference.

[Image: aircrack-ng]


My weapon of choice, Linux, outweighs Windows by far. For testing purposes I am running Kali Linux on my Raspberry Pi 3, just as I would use it in the field. The Raspberry Pi is rocking a 32 GB Samsung EVO SD card, with a Bluetooth keyboard and mouse. Windows makes horribly inefficient use of system resources and loves eating RAM for every meal. Furthermore, Linux makes it very easy to hop into a text editor and script up a Python, Java or C/C++ program without any issues; Windows will bury you in DLL errors when all is said and done. In conclusion, from a security perspective, running Windows wouldn't be as efficient as Linux at the end of the day, for all the reasons listed above. I would personally rather have Linux as my weapon of choice for those reasons.


Bonus: Changing your MAC address on Linux permanently, on every startup!

My VPN application allows me to run scripts before the network connection is locked in; besides this, I also do the following, which is just another layer in case I have mishaps with the VPN.

  • cd /etc/network
  • sudo vi interfaces
  • Press "i" to enter insert mode
  • Copy and paste this at the end: pre-up ifconfig eth1 hw ether a0:23:ff:cd:01:00
  • ^Note: use the name of the interface you would like to switch; you can actually add multiple lines, one for each interface on your computer
  • Press ESC, then type :wq! and Enter
  • Restart the computer; you can check the MAC using ifconfig or the network GUI tab

If you want to change the MAC on the fly, whenever you want:

  • sudo ifconfig eth1 down
  • sudo ifconfig eth1 hw ether a0:23:ff:cd:01:00
  • sudo ifconfig eth1 up
  • ^Make sure to use the right interface (the adapter must be down while the address changes)

There are programs like macchanger that can do this too; I don't see the point of them at all.
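The two procedures above hardcode a0:23:ff:cd:01:00, which looks like a real vendor-assigned address. As an added example (not from the original post), this POSIX sh script generates a random locally administered unicast MAC instead (first octet with bit 1 set and bit 0 clear, so it can never collide with a vendor OUI) and applies it with ip link, which replaces the deprecated ifconfig. IFACE, the RANDOMIZE_MAC_RUN guard and the helper names are my assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script. IFACE is an assumption;
# set it to the adapter you want to change (e.g. wlan0 for the AWUS036H).
IFACE="${IFACE:-wlan0}"

# Print 6 random bytes as a MAC. The first octet gets bit 1 set (locally
# administered) and bit 0 cleared (unicast), so the result is always a valid
# source address that never impersonates a registered vendor OUI.
random_laa_mac() {
    set -- $(od -An -N6 -tu1 /dev/urandom)
    first=$(( ($1 & 0xFC) | 0x02 ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Return 0 only if the argument is a well-formed, locally administered,
# unicast MAC (low two bits of the first octet equal binary 10).
is_laa_unicast() {
    case "$1" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) return 1 ;;
    esac
    first=$(( 0x${1%%:*} ))
    [ $(( first & 0x03 )) -eq 2 ]
}

# Apply the address. Needs root, and the link must be down while it changes.
apply_mac() {
    mac="$1"
    is_laa_unicast "$mac" || { echo "refusing bad MAC: $mac" >&2; return 1; }
    ip link set dev "$IFACE" down &&
    ip link set dev "$IFACE" address "$mac" &&
    ip link set dev "$IFACE" up
}

# Only touch the interface when explicitly asked (e.g. from a boot hook):
#   RANDOMIZE_MAC_RUN=1 IFACE=wlan0 sudo -E sh randomize-mac.sh
if [ "${RANDOMIZE_MAC_RUN:-0}" = "1" ]; then
    apply_mac "$(random_laa_mac)"
fi
```

If you hook this into /etc/network/interfaces instead, note that a pre-up line only takes effect inside the iface stanza for that interface, not appended loose at the end of the file.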


From typing a discussion to writing a full blog post; time for a snack! Hope you techs enjoyed! (Also enjoy all my grammatical errors!)

[Image: breaktime]

Anthony

OSCP Certified, Technology Enthusiast, CTF Player, Vulnerability Research, Reverse Engineering, Pen-Testing, and other.