WifiForge – WiFi Exploitation for the Classroom
by William Oldert // BHIS Intern
BHIS had a problem.
We needed an environment for students to learn WiFi hacking safely. Our original solution used interconnected physical network gear and computers to create the needed signals. The requirement for multiple such setups to properly run a class with was costly, however, and transport was a concern as well.
We discovered a program called Mininet, which creates an interactive virtual network, and began looking for ways to utilize it in labs and teaching material. Wondering if this might be the solution we were in sore need of, a project was started, and a team of interns was hired to research and test the limits.
The product of that project is WifiForge.
What is WifiForge?
WifiForge is a program built on the foundation of the open-source Mininet-Wifi, itself being a branch from Mininet that includes support for wireless networking. It automatically sets up the network and tools needed to perform a variety of exploits, all packed neatly into a Docker container. WifiForge eliminates the need for physical hardware, requiring only a docker install and the execution of a couple commands.
You can find a link to the project’s GitHub page HERE.
Disclaimer/Notes
- While it is strongly recommended to run WifiForge in a Docker container, you can run it on your base machine.
- Installing Mininet-Wifi on the base machine has been known to cause dependency nightmares.
- It is suggested to run WifiForge on Ubuntu version 14.04 and up or the latest version of Kali (when Mininet was built in 2017, Ubuntu 14.04 was bleeding edge).
- The WifiForge installation script may disrupt normal operating system use; it is suggested to use a fresh install, virtual machine, or preferably a Docker container.
OS Compatibility
WifiForge should work on any Linux operating system using Docker. The following operating systems have been tested and are confirmed to work.
Kali Linux
Parrot OS
Ubuntu
Set-Up Guide
Below is the guide to setting up a Docker container with all the required pieces and parts. We have guides for installing to a bare OS or from a Docker image. These instructions can be found on the project’s GitHub. The best and easiest option, however, is laid out below.
Docker (recommended)
Note: Dockerfile will fail if Mininet-Wifi is already installed locally
Install from release
- Pull the Docker image from Dockerhub and start a new container
sudo docker run --privileged=true -it --env="DISPLAY" --env="QT_X11_NO_MITSHM=1" -v /tmp/.X11-unix:/tmp/.X11-unix:rw -v /sys/:/sys -v /lib/modules/:/lib/modules/ --name mininet-wifi --network=host --hostname mininet-wifi redblackbird/wififorge:v1.0.0 /bin/bashWithin the container, initiate the controller to simulate APs
service openvswitch-switch startRun WifiForge.py
sudo python3 Framework/WifiForge.pyLabs and Featured Tools
WifiForge provides pre-built labs that cover a variety of topics and tools including, but not limited, to:
- Eaphammer
- WPS Networks
- Wifiphisher
- WEP Networks
- Netntlm cracking with John
- Airgeddon Dos
Today, however, we would like to give you a taste of what this program can do through our WEP key-cracking lab.
Lab: WEP Key Cracking
Setup Phase
To begin, select “WEP Network” from the WifiForge menu and allow up to 30 seconds for initialization of the network.
Once it has started, use the following command to open an xterm session on the attacker, host1, and host2.
xterm a host1 host2 WEP Key Cracking
On the attacking machine, switch the interface to monitor mode using the following command.
airmon-ng start a-wlan0 Successful output of the above command will appear as below.
Use airodump-ng to begin looking for nearby networks.
airodump-ng a-wlan0mon Wait for traffic to appear on the console as seen below.
Note the BSSID and channel before killing the process with ‘Ctrl + c’. Use this BSSID and channel in the next command.
airodump-ng –c <CHANNEL> -–bssid <BSSID> a-wlan0mon –w attack_capture As the above command runs, information regarding hosts connected to the target network will appear as seen below.
On host1, note the IP address associated with host1-wlan0 after running the following command.
ifconfigThe IP address can be seen highlighted in red in the screenshot below.
The WEP key will be cracked by collecting [JD1] regular user traffic. To simulate this traffic, use the following command on host1.
iperf –sThe above command will begin listening on port 5001 for traffic, as seen below.
Switch over to host2’s terminal. Run the following command.
iperf -c <HOST1 IP ADDRESS> -u -b 100M -t 60The above command will begin sending traffic to host1. The output will be similar to the image below.
Wait until about 25,000 packets have been sent (see the Frames column in the airmon console). When this number is reached, kill the airmon-ng session on the attacker machine using ‘Ctrl + c’ and run the following command.
aircrack-ng ./attack_capture-01.capThe above command will begin attempting to crack the WEP key. Successful decryption will be similar to the screenshot below.
To Close…
Hopefully, this lab helped to demonstrate the usefulness of WifiForge to the reader and showcase what it can be used to accomplish. Being able to spin up an environment for a class, without having to deal with the set up or any of the behind-the-scenes work, is why we built this program. Not having to dink around with hardware is a big plus too. All this in a compact Docker container means portability and scaling are not a problem either.
And, of course, WifiForge, as intended, solves BHIS’s problem quite handily.
Links and Further Reading
- https://github.com/her3ticAVI/Wifi-Forge
- https://mininet-wifi.github.io/
- https://www.hackingarticles.in/wireless-penetration-testing-pmkid-attack/
- https://en.wikipedia.org/wiki/IEEE_802.11i-2004
- https://www.wildwesthackinfest.com
- https://www.aircrack-ng.org/a
Ready to learn more?
Level up your skills with affordable classes from Antisyphon!
Available live/virtual and on-demand
