
Last changed: 16.08.2017

Establish WLAN connections via the command line in Linux


Modern operating systems offer easy-to-use graphical interfaces for managing wireless connections. Nonetheless, anyone interested in pentesting wireless networks should know the underlying processes and the tools needed for manual setup.


Aside from that, I want to show how to quickly set up your own wireless infrastructure as an easy method for file transfers or other network services.

preparation


Running daemons like the GNOME Network Manager can interfere with your manual configuration by overwriting the interface settings, so taking full control requires killing all interfering processes.

systemctl stop NetworkManager
killall dhclient
killall dhcpcd
killall wpa_supplicant

basics


manage IP addresses

ip addr add 10.0.0.1/24 dev wlan0
ip addr del 10.0.0.1/24 dev wlan0
ip addr flush dev wlan0

scan for networks

iw wlan0 scan

change MAC address

ip link set wlan0 address 00:11:22:33:44:55

change interface mode

iw wlan0 set type <ibss|managed|monitor>

modify transmit power

iw reg get
iw reg set DE
iw wlan0 set txpower fixed 2000

establish connections


connect to ad-hoc network (requires ibss mode)

iw wlan0 ibss join <ssid> 2462

connect to open/WEP encrypted network (requires managed mode)

iw wlan0 connect <essid> [key 0:<wepkeyphrase>]

connect to WPA/WPA2 encrypted network (requires managed mode)

wpa_passphrase <essid> <passphrase> > wpa_supplicant.conf
wpa_supplicant -Bi wlan0 -c wpa_supplicant.conf

DHCP request

dhcpcd wlan0
dhclient wlan0

setup wireless access point


To share the internet connection of the interface eth0 with other clients via WLAN, use the following steps to set up an access point and enable network address translation. Example configuration files can be found below.

ip addr add 10.0.0.1/24 dev wlan0
echo 1 > /proc/sys/net/ipv4/ip_forward
hostapd hostapd.conf
dnsmasq -C dnsmasq.conf
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

configuration example files


The following configuration files can be used to quickly set up your own access point.

hostapd_min.conf

interface=wlan0
driver=nl80211
ssid=minimum
channel=1

hostapd_wep.conf

interface=wlan0
driver=nl80211
ssid=insecure
channel=1
hw_mode=g
auth_algs=1
wep_key0="13char-WEPkey"
wep_default_key=0

hostapd_wpa-psk.conf

interface=wlan0
driver=nl80211
ssid=quite_secure
channel=1
hw_mode=g
auth_algs=1
wpa=2
wpa_passphrase=LongAndSecurePassphrase
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP

dnsmasq.conf

interface=wlan0
dhcp-range=interface:wlan0,10.0.0.20,10.0.0.60,infinite
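
The three hostapd files above differ mainly in how much protection they give clients. The following shell functions are an added example, not part of the original page or of hostapd: they read a hostapd configuration and report open, WEP, WPA version 1 or TKIP settings. The sample files are constructed and modelled on the examples above.

```shell
#!/bin/sh
# Added example: grade hostapd configuration files by the protection clients get.

# conf_get FILE KEY: print the last value assigned to KEY (hostapd reads key=value lines).
conf_get() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); v = $0 } END { print v }' "$1"
}

# hostapd_mode FILE: print open, wep, wpa-psk or wpa-eap.
hostapd_mode() {
    wpa=$(conf_get "$1" wpa)
    if [ -n "$wpa" ] && [ "$wpa" != 0 ]; then
        case "$(conf_get "$1" wpa_key_mgmt)" in
            *WPA-EAP*) echo wpa-eap ;;
            *)         echo wpa-psk ;;   # hostapd defaults to WPA-PSK key management
        esac
    elif [ -n "$(conf_get "$1" wep_key0)" ]; then
        echo wep
    else
        echo open
    fi
}

# hostapd_weak FILE: print a finding and return 0 if the file needs fixing, else return 1.
hostapd_weak() {
    case "$(hostapd_mode "$1")" in
        open) echo "$1: no encryption, traffic is readable by anyone in range"; return 0 ;;
        wep)  echo "$1: WEP is broken, use wpa=2 with CCMP"; return 0 ;;
    esac
    if [ "$(conf_get "$1" wpa)" != 2 ]; then
        echo "$1: WPA version 1 is enabled, set wpa=2"; return 0
    fi
    case "$(conf_get "$1" rsn_pairwise)" in
        *TKIP*) echo "$1: TKIP is allowed in rsn_pairwise, keep CCMP only"; return 0 ;;
    esac
    return 1
}

# Constructed sample files, modelled on the three hostapd examples above.
demo_dir=$(mktemp -d)
printf 'ssid=minimum\nchannel=1\n' > "$demo_dir/min.conf"
printf 'ssid=insecure\nauth_algs=1\nwep_key0="13char-WEPkey"\n' > "$demo_dir/wep.conf"
printf 'ssid=quite_secure\nwpa=2\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\n' > "$demo_dir/psk.conf"
for f in "$demo_dir"/*.conf; do
    hostapd_weak "$f" || echo "$f: $(hostapd_mode "$f"), no finding"
done
rm -rf "$demo_dir"
```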

speed up with qw


If you manage wireless connections via the command line very often, I recommend using the bash script qw to speed up the process and save some time.

To kill interfering processes, set up a random MAC address and start a preconfigured access point, run

qw k
qw f
qw a

The client can connect to this access point with

qw c

Set up WPA Enterprise with FreeRADIUS and hostapd


In this section I will describe the steps needed to set up your own access point with WPA Enterprise using FreeRADIUS 3.0 on Kali Linux.

The initial setup requires only minor changes to large configuration files. Only the parts that need to be changed are shown.

Be aware that this configuration should only be used as a first step to get the service running and that it is in no way secure. One important step will be to create TLS certificates and activate verification in the client configuration.

configure freeradius


/etc/freeradius/3.0/mods-available/eap

...
default_eap_type = peap
...

/etc/freeradius/3.0/users

username_1 Cleartext-Password := "password_1"

/etc/freeradius/3.0/clients.conf

...
client 192.168.1.2/24 {
    shortname = hostapd
    secret = shared_secret_123
}

start freeradius

systemctl start freeradius

test connection

radtest username_1 password_1 192.168.1.3 10 shared_secret_123

configure hostapd


hostapd_wpa-peap.conf

interface=wlan0
driver=nl80211
ssid=very_secure
channel=1
hw_mode=g
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_algs=1
auth_server_addr=192.168.1.3
auth_server_port=1812
auth_server_shared_secret=shared_secret_123

connect with wpa_supplicant


wpa_supplicant_peap.conf

network={
    ssid="very_secure"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="username_1"
    password="password_1"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
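
As noted at the start of this section, the client configuration above does not yet verify the server certificate. The following shell check is an added example, not part of the original page or of wpa_supplicant: it flags WPA-EAP network blocks that lack ca_cert/ca_path or a server name match. Both sample files are constructed, and the CA path and server name in the second one are assumed placeholders.

```shell
#!/bin/sh
# Added example: find WPA-EAP networks in a wpa_supplicant configuration that
# do not verify the RADIUS server certificate.

# eap_unverified FILE: print one finding per affected network block.
# Exit status 0 = at least one finding, 1 = every EAP network verifies the server.
eap_unverified() {
    awk '
        /^[ \t]*network=[{]/ { inblk = 1; ssid = "?"; eap = ca = name = 0; next }
        inblk && /^[ \t]*[}]/ {
            if (eap && !ca)        { print ssid ": no ca_cert, any server certificate is accepted"; bad = 1 }
            else if (eap && !name) { print ssid ": ca_cert set, but the server name is not checked"; bad = 1 }
            inblk = 0; next
        }
        inblk {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /^ssid=/)              ssid = substr(line, 6)
            if (line ~ /^key_mgmt=.*WPA-EAP/) eap = 1
            if (line ~ /^ca_(cert|path)=/)    ca = 1
            if (line ~ /^(domain_suffix_match|domain_match|altsubject_match|subject_match)=/) name = 1
        }
        END { exit (bad ? 0 : 1) }
    ' "$1"
}

demo_dir=$(mktemp -d)
# Constructed sample 1: the client settings shown above, without verification.
cat > "$demo_dir/weak.conf" <<'EOF'
network={
    ssid="very_secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
EOF
# Constructed sample 2: verification enabled. The CA path and server name are
# placeholders (assumptions), not values from this page.
cat > "$demo_dir/verified.conf" <<'EOF'
network={
    ssid="very_secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/private-ca/radius-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
EOF
eap_unverified "$demo_dir/weak.conf"
eap_unverified "$demo_dir/verified.conf" || echo "verified.conf: server certificate and name are checked"
rm -rf "$demo_dir"
```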
