Kali Linux is the complete toolbox for penetration testing

Under the Magnifying Glass

Checking Wireless Networks

WiFi networks are certainly some of the most popular targets in an IT infrastructure. Kali Linux provides a variety of tools for testing WiFi networks and forcing access to them. The Wireshark network sniffer is a valuable aid when analyzing the captured frames.

The seemingly simplest way to protect a WiFi network is to make it invisible. Most access points support this function, but with Kali Linux, it is easy to detect invisible networks and start a login attempt. In the standard configuration, all access points announce their SSIDs in what is known as the beacon frame, one of the IEEE 802.11 management frames used in WiFi networks. It contains all the details of the network, and beacon frames are sent continuously to advertise the existence of a WiFi network. When the SSID is hidden, the beacon frame no longer carries the name, and only clients that already know the SSID can connect to such a network. If you are using a notebook, you first need to switch the wireless LAN adapter to monitor mode. To do this, execute the following two commands:

$ airmon-ng
$ airmon-ng start wlan1

Now you can record wireless traffic with Wireshark. When searching for weak points and vulnerabilities, you are particularly interested in unencrypted traffic, so you must first find out which channel the access point is using:

$ airodump-ng --bssid <MAC address> mon0

where <MAC address> is the MAC address of the access point.

Next, you can restrict the view in Wireshark to this access point, and thus to its channel, with the display filter:

wlan.bssid == <MAC address>

To reveal a hidden SSID, you work around the empty name in the beacon frame with a little trick and use a passive technique: wait until a legitimate client authenticates with the access point. Look for a probe response entry in the capture and expand its SSID parameter. If you now examine a corresponding packet entry and open its SSID information, you will see the ID, so it is quite easy to find hidden wireless networks.

Alternatively, you can use aireplay-ng (Figure 3) to send a de-authentication packet to all potential access points:

$ aireplay-ng -0 5 -a <MAC address> --ignore-negative wlan0

Figure 3: The aireplay-ng tool offers valuable help in finding and compromising access points.

Enter the MAC address of the router. The -0 option executes the de-authentication attack, and the value 5 determines the number of de-authentication packets. The option -a lets you indicate that the following address belongs to the access point.

This command causes all legitimate client connections to be interrupted and re-established. You need to record these actions with Wireshark. Next, you're interested in the de-authentication packets, so limit the view in Wireshark to these packets. If you now look again at the probe responses in Wireshark, the uncovered access point name is listed there in the SSID node. airodump-ng provides further important information on possible points of attack.
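As an added detection-side example (not part of the original article): a parser for raw IEEE 802.11 management-frame headers that flags the burst of de-authentication frames a command like the one above produces, the way a wireless IDS would. The MAC addresses and frames are constructed in the script, not taken from a real capture.

```python
from collections import Counter

# Subtype values of IEEE 802.11 management frames (frame type 0)
MGMT, BEACON, PROBE_RESP, DEAUTH = 0, 8, 5, 12

def mgmt_frame(subtype, addr1, addr2, addr3, body=b""):
    """Build a minimal 802.11 management frame: frame control (2 bytes),
    duration (2), addr1 = receiver, addr2 = transmitter, addr3 = BSSID,
    sequence control (2), then the frame body (no FCS)."""
    frame_control = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    return frame_control + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body

def parse_header(raw):
    """Return (type, subtype, receiver, transmitter, bssid) with MACs as strings."""
    fc0 = raw[0]
    ftype, subtype = (fc0 >> 2) & 0x03, (fc0 >> 4) & 0x0F
    mac = lambda b: b.hex(":")
    return ftype, subtype, mac(raw[4:10]), mac(raw[10:16]), mac(raw[16:22])

def deauth_floods(frames, threshold=5):
    """Count de-authentication frames per (bssid, receiver) and return the
    pairs that reach the threshold. A burst of broadcast deauths claiming
    to come from the AP itself is the signature of a forced reconnect."""
    counts = Counter()
    for raw in frames:
        ftype, subtype, rx, _tx, bssid = parse_header(raw)
        if ftype == MGMT and subtype == DEAUTH:
            counts[(bssid, rx)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}

# Constructed sample capture (not a real recording): locally administered
# MAC addresses, one beacon followed by five broadcast deauth frames with
# reason code 7 ("class 3 frame received from nonassociated station").
AP = bytes.fromhex("020000000001")
BROADCAST = b"\xff" * 6
SAMPLE_FRAMES = [mgmt_frame(BEACON, BROADCAST, AP, AP, b"\x00" * 12)] + [
    mgmt_frame(DEAUTH, BROADCAST, AP, AP, (7).to_bytes(2, "little"))
    for _ in range(5)
]

if __name__ == "__main__":
    print(deauth_floods(SAMPLE_FRAMES))
    # {('02:00:00:00:00:01', 'ff:ff:ff:ff:ff:ff'): 5}
```

On a real capture, feed the function the raw 802.11 frames (radiotap header stripped) and alert when an access point's own address appears as the transmitter of repeated broadcast de-authentications.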

Cracking comes next; for this, you need aircrack-ng, which you feed the Recording.cap capture file saved by Wireshark. For a better understanding: aireplay-ng executes the attack, and aircrack-ng cracks the key. If the tool has enough captured frames available for analysis, it ideally outputs the message KEY FOUND! after about five to 10 minutes, with the key displayed in square brackets.

Most wireless networks today use WPA2 encryption; it offers clear security benefits, because the passphrase and the SSID are hashed and combined with each other in more than 4,096 rounds. The protections this method offers are considerable and not easy to circumvent, but hackers do not necessarily fail here either.

To test WPA2 key recovery, use precalculated pairwise master keys (PMKs). Precomputing the PMKs requires the target SSID and a word list, which is what the genpmk program does:

$ genpmk -f wordlist -d PMK-test -s "test"

For testing purposes, create a WPA-PSK network with a test passphrase and capture the traffic. With cowpatty, you can now try to recover the passphrase. You'll be amazed: This too is often successful.
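Added example, not from the article or from the genpmk/cowpatty projects: the PMK derivation that the passage describes, as specified by IEEE 802.11i (PBKDF2-HMAC-SHA1 with the SSID as salt and 4,096 iterations), which is why a precomputed table is only ever valid for one SSID and why a unique SSID and a long passphrase raise the cost per guess. The function names and the SSIDs in the demonstration are the author's own choices.

```python
import hashlib

ITERATIONS = 4096   # rounds fixed by IEEE 802.11i for WPA/WPA2-Personal
PMK_LEN = 32        # 256-bit pairwise master key

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal PMK exactly as a supplicant or access point
    does: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)

def pmk_reusable_across_ssids(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True if a PMK precomputed for ssid_a is also valid for ssid_b, i.e.
    if a per-SSID table could be reused. For distinct SSIDs it never is,
    because the SSID is the PBKDF2 salt."""
    return wpa2_pmk(passphrase, ssid_a) == wpa2_pmk(passphrase, ssid_b)

if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa2_pmk("password", "IEEE").hex())
    # A factory-default SSID shared by many routers lets one precomputed
    # table serve all of them; a unique SSID forces the 4096 rounds to be
    # repeated for every guess against that network (SSIDs are constructed).
    print(pmk_reusable_across_ssids("password", "linksys", "linksys"))
    print(pmk_reusable_across_ssids("password", "linksys", "my-unique-net"))
```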

Social Engineering

Even the smallest piece of information about a target system is relevant for potential attackers, including social information. Who uses which system? What are the relationships between users? Who do they communicate with? Social engineers spy on the personal environment of their victims, spoof identities, or exploit behaviors (e.g., authority) to obtain secret information.

The goal of social engineering is usually to penetrate a foreign computer system with the obtained information, which is also called social hacking. Other variants are human-based social engineering and reverse social engineering. Social engineering depends to a large extent on combining all the collected data. Kali Linux also provides various tools for this often underestimated point of attack. The challenge in social engineering is not so much to collect the data as to put it into a meaningful structure; the right combination and visualization is crucial.

In Kali Linux, you'll find a program in your Favorites menu that you probably haven't heard of yet: Maltego. The program, developed by South African software developer Paterva, serves to link and visualize relationships between different components. Network and other resource entries can be created in Maltego, whether a server application, a router configuration, or personal data. With Maltego, you can link people, groups, companies, websites, infrastructure components (e.g., domains, DNS names, and IP addresses), phrases, documents, and files.

In addition to entities, Maltego distinguishes a second important feature, transformations, which lets you add further information to an entity. For example, you can assign an IP address to a website. In this way, links are created between the different elements, which you can then examine with Maltego in different representations. Maltego has well over 100 such transformations and 15 entity types.

Maltego's graphical user interface helps you visualize the relationships between different elements that you have not previously seen, even if the connections are routed through multiple points rather than directly. The question of what all this has to do with penetration testing is quite justified. But so is the answer: Maltego supports you in the information gathering phase with everything that is related to security.

Using the program is easy. To begin, you create a new document. The palette shows the different entity types divided into the categories Devices, Infrastructure, Locations, Penetration Testing, Personal, and Social Network. Various types are available through the transformation mechanism. For example, the To Domain transformation finds a person's top-level domains. The same thing works with email addresses. In addition to automatisms, such as Company Stalker, you can add your own information and links to the visualization.


Without a doubt: Kali Linux is the distribution of choice if you are looking for a complete toolbox for penetration testing. The package contains the right tools for every conceivable requirement – all under one roof. Its use is so simple that Kali Linux is also suitable for beginners. A more user-friendly way of getting started with penetration testing is hardly conceivable. For information on a pentesting tool for mobile devices, see the "Half-Hearted Mobile NetHunter" box.

Half-Hearted Mobile NetHunter

In the mobile age, you would expect a solution that also makes a penetration testing toolbox available for mobile devices. Offensive Security, the company behind Kali Linux, and the community have created a special Android ROM that turns a mobile device into a penetration platform: Kali Linux NetHunter (Figure 4).

Figure 4: Kali NetHunter turns a mobile device into a penetration testing system. Nmap is part of the mobile version.

Kali NetHunter has a custom kernel, a Kali Linux chroot, and a special Android app that lets the user interact with the various security apps. However, Kali NetHunter is a stripped-down Kali Linux, so you should not expect too much from it. The NetHunter app home screen presents an overview of the various interfaces and lets you launch the various apps. NetHunter includes, for example, Nmap for scanning networks and a special Metasploit version for generating payloads.

Various console-based programs can also be run from the NetHunter terminal. Mobile devices are predestined for testing wireless networks. For example, you can use wifite to attack several WEP-, WPA-, and WPS-protected networks in succession. The wifite motto is "set it and forget it."

Kali NetHunter is currently available for various Google Nexus and OnePlus devices, as well as Samsung Galaxy S5 and S7, the HTC One M7 and 10, and two Sony Xperia devices. However, the mobile penetration testing system is far from capable of holding its own against Kali Linux.
