Showing posts with label Information Security.

Monday, November 12, 2018

Recently we got some ransomware infections on our Windows machines (servers, PCs and thin clients) which aggressively try to make a lot of connections to outside public IP addresses. The infection looks like it came in through SMBv1 on port 445, which is used for file sharing by Windows operating systems. I guess it relates to the WannaCry ransomware which spread across Windows platforms last year.

In the firewall (ASA) log viewer you will see something like the following:

[Screenshot: ASA log viewer showing the outbound connection attempts]
Workaround:-

Go to C:\Windows and sort the files by Date Modified.

You will need to manually delete the following 3 files:

tasksche.exe
qeriuwjhrf
mssecsvc.exe

[Screenshot: the three files in C:\Windows]
You will need to stop the running mssecsvc.exe process in Task Manager before deleting the exe file. There may be another file like the one above named mssecsvr.exe too, and if so you will have to delete it as well. I have seen it on a Windows Server 2008 R2.

After just deleting these files the session creation will stop, but as a best practice you will need to disable SMBv1 and use SMBv2 only. The following guide will show you how to do it according to your OS version.


I haven't seen the actual ransom request after a successful attack, maybe because the firewalls in our network could fight against the session creation. As I have researched on the internet, the ransom request will be something like the following:
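As an added example (not from the original post), here is a small Python detector that reads ASA "Built outbound TCP connection" (%ASA-6-302013) syslog lines and flags inside hosts that open connections to port 445 on many distinct outside addresses within a short window, the behaviour described above. The log lines, hostname and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the Cisco ASA %ASA-6-302013 ("Built outbound TCP connection")
# syslog format. Hostname, addresses and times are made up for this example.
SAMPLE_LOG = """\
Nov 12 2018 09:15:01 fw01 %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.7/445 (203.0.113.7/445) to inside:192.168.1.20/49152 (192.168.1.20/49152)
Nov 12 2018 09:15:01 fw01 %ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.8/445 (203.0.113.8/445) to inside:192.168.1.20/49153 (192.168.1.20/49153)
Nov 12 2018 09:15:02 fw01 %ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.9/445 (203.0.113.9/445) to inside:192.168.1.20/49154 (192.168.1.20/49154)
Nov 12 2018 09:15:02 fw01 %ASA-6-302013: Built outbound TCP connection 1004 for outside:198.51.100.4/445 (198.51.100.4/445) to inside:192.168.1.20/49155 (192.168.1.20/49155)
Nov 12 2018 09:15:03 fw01 %ASA-6-302013: Built outbound TCP connection 1005 for outside:198.51.100.5/445 (198.51.100.5/445) to inside:192.168.1.20/49156 (192.168.1.20/49156)
Nov 12 2018 09:15:03 fw01 %ASA-6-302013: Built outbound TCP connection 1006 for outside:203.0.113.50/443 (203.0.113.50/443) to inside:192.168.1.21/50001 (192.168.1.21/50001)
Nov 12 2018 09:15:40 fw01 %ASA-6-302013: Built outbound TCP connection 1007 for outside:203.0.113.60/445 (203.0.113.60/445) to inside:192.168.1.21/50002 (192.168.1.21/50002)
"""

# For an outbound connection the ASA logs the outside (destination) side first and the
# inside (source) side second; the mapped addresses in parentheses are ignored here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-302013: "
    r"Built outbound TCP connection \d+ for \w+:(?P<outside>[\d.]+)/(?P<oport>\d+) \([^)]*\) "
    r"to \w+:(?P<inside>[\d.]+)/\d+ \([^)]*\)$"
)


def parse_line(line):
    """Return (timestamp, inside_ip, outside_ip, outside_port), or None for other log lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return ts, m.group("inside"), m.group("outside"), int(m.group("oport"))


def find_smb_scanners(log_text, window_seconds=10, min_distinct_targets=5):
    """Flag inside hosts that build outbound connections to TCP/445 on at least
    `min_distinct_targets` distinct outside addresses within any `window_seconds` window.
    Returns {inside_ip: highest number of distinct targets seen in one window}."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, inside, outside, oport = rec
        if oport == 445:
            per_host[inside].append((ts, outside))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for host, events in per_host.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            targets = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                targets.add(dst)
            best = max(best, len(targets))
        if best >= min_distinct_targets:
            flagged[host] = best
    return flagged


if __name__ == "__main__":
    for host, count in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{host}: {count} distinct SMB targets within 10 s, check this host")
```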


Sunday, August 13, 2017

The real difference between WPA and WPA2 is that WPA only supports TKIP encryption while WPA2 supports AES. So WPA2 is just an improvement on WPA.

WPA/WPA2 offers 2 authentication mechanisms:

(1) A Personal Mode using Pre-Shared Keys (PSK) for smaller networks.
(2) An Enterprise Mode using 802.1X/EAP and authenticating users through a RADIUS server.

To learn how 802.1X/EAP works, go here.
To learn how EAP-PEAP (another famous EAP method) works, go here.

In both cases a PMK (Pairwise Master Key) is generated. The RADIUS server passes the PMK to the WLC. In Personal Mode the PSK is the PMK.

A 4-way handshake then occurs between the client and the WLC. This phase is used to confirm that both sides have the PMK and to validate the security parameters that were negotiated during the authentication phase. It is also used to generate another key, the PTK (Pairwise Transient Key), which is used as the base for the encryption keys, which change at regular intervals.
The WLC keeps the PMK and sends the PTK to the AP.

At this point, as each client has an individual and changing key, devices in the same cell cannot send broadcasts. For this reason, another key named GTK (Group Transient Key) is derived from a key called GMK (Groupwise Master Key) which is generated on the AP/WLC. This GTK is encrypted using the client's individual encryption key and sent to the client during the 4-way handshake.

Every time a client leaves the cell, and at regular intervals, the AP/WLC generates a new GTK and distributes it to the clients in the cell. The new GTK is sent encrypted (using the individual encryption key) through a 2-way handshake. This is also called "broadcast key rotation".
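As an added example (not part of the original post), the following Python code reproduces the WPA2-Personal key hierarchy described above: the PSK/PMK is derived from the passphrase and SSID, the PTK is derived from the PMK plus both MAC addresses and both nonces, and the KCK part of the PTK is used by the authenticator to verify the MIC on a handshake message. The SSID, passphrase, MAC addresses, nonces and EAPOL frame bytes are constructed for the example.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: the PSK is the PMK, PBKDF2-HMAC-SHA1 of the passphrase salted
    with the SSID, 4096 iterations, 256 bits. It depends on nothing else, which is why the
    strength of the passphrase is all that protects a PSK network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Both sides order the inputs the same way, so both derive the same PTK.
    For WPA2/CCMP: KCK (16 bytes) || KEK (16 bytes) || TK (16 bytes); the rest is unused."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_key_frame_with_zeroed_mic: bytes) -> bytes:
    """WPA2 EAPOL-Key MIC (key descriptor version 2): HMAC-SHA1 with the KCK over the
    frame whose 16-byte MIC field is zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_key_frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def authenticator_check(passphrase, ssid, aa, spa, anonce, snonce, frame, mic_from_client):
    """What the AP/WLC does with handshake message 2: derive PMK and PTK on its own side
    and confirm the client's MIC, which proves the client holds the same PMK."""
    kck = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)["kck"]
    return hmac.compare_digest(eapol_mic(kck, frame), mic_from_client)


def demo():
    """Constructed handshake: the supplicant computes the MIC of message 2; the authenticator
    verifies it. Returns (accepted with the right passphrase, accepted with a wrong one)."""
    ssid, passphrase = "HomeNet-Example", "correct horse battery staple"   # constructed
    aa = bytes.fromhex("020000000001")      # AP MAC (constructed, locally administered)
    spa = bytes.fromhex("020000000002")     # client MAC (constructed)
    anonce = bytes(range(32))               # constructed nonces
    snonce = bytes(range(32, 64))
    # Constructed stand-in for an EAPOL-Key message 2 body with its MIC field zeroed.
    frame = b"\x01\x03\x00\x75\x02\x01\x0a" + snonce + b"\x00" * 16
    sup_ptk = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    mic = eapol_mic(sup_ptk["kck"], frame)
    good = authenticator_check(passphrase, ssid, aa, spa, anonce, snonce, frame, mic)
    bad = authenticator_check("some other passphrase", ssid, aa, spa, anonce, snonce, frame, mic)
    return good, bad


if __name__ == "__main__":
    print(demo())   # (True, False)
```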

Following are all the important steps in Enterprise Mode WPA authentication using PEAP as the EAP type.

[Figure: steps of WPA Enterprise Mode authentication with PEAP]
Here you can see those steps in an actual packet capture of WPA2 authentication using PEAP as the EAP type. Download the pcap from here.

Note that the DHCP process starts after the authentication is done.


Sunday, July 23, 2017

EAP (Extensible Authentication Protocol) is used to authenticate users in several technologies. Common examples are WPA/WPA2 wireless networks and point-to-point connections.

If you want to understand the basics of the 802.1X/EAP concept, please refer to this.

EAP only describes the headers that identify the typical packets of an authentication dialog (request, challenge, success, failure). The original EAP does not describe the authentication method; the flavors of EAP do.

The different flavors of EAP, identified by different names, specify the different authentication methods (the way authentication occurs).

The most commonly used EAP types are EAP-TLS, PEAP and EAP-FAST.

EAP-PEAP

EAP-PEAP (Protected EAP) is an authentication mechanism which has 2 phases:
The 1st phase creates a tunnel using the server certificate.
The 2nd phase exchanges the identities inside that tunnel.

Note:-

A certificate is a public key verified by a trusted authority.

When EAP-PEAP is used, the following steps take place.
The first 4 steps are common to any EAP method (basic wireless connectivity).

(01) The client sends 802.11 Open Authentication Request
(02) AP sends 802.11 open Authentication Response
(03) The client then sends the Association Request
(04) AP sends Association Response

At this point the AP blocks all traffic from the supplicant until authentication completes.

Phase 1

(05) The client sends the EAPoL Start (this is optional)
(06) AP/WLC continues with an EAP message requesting the Supplicant Identity (username)
(07) The client sends its Identity to AP/WLC (here this can be a fake ID)
(08) AP/WLC forwards the Supplicant Identity to the RADIUS server
(09) The RADIUS server sends its certificate to the client through AP/WLC
(10) The client generates a Master Encryption Key, encrypts it using the server certificate and sends it to the RADIUS server

Now both the client and the RADIUS server have a way to encrypt the messages they exchange. But only the server is authenticated (by its certificate), so the client still needs to be authenticated. Therefore a second authentication phase starts (EAP inside the 1st EAP tunnel, hence the name Protected EAP) where the client is authenticated using a username and password with MSCHAPv2 (for PEAPv0) or GTC (for PEAPv1).

Phase 2

(11) RADIUS server asks the client to send credentials to authenticate
(12) The client forwards the credentials to the RADIUS server (this is the real username and password)

Now the RADIUS server can derive the main encryption key for the client's traffic. This key is called the 'Pairwise Master Key'.

(13) RADIUS server generates the PMK (Pairwise Master Key)
(14) RADIUS server forwards the PMK to the AP/WLC with an authentication success message
(15) WLC uses the PMK to generate encryption keys for the client traffic

Note:- 

The RADIUS server does not keep the PMK; it just generates it and hands it over to the WLC. The client also generates the PMK, which is identical to the PMK generated by the Authentication Server.

At this point the work of EAP-PEAP is done. But in the real world (WPA/WPA2) there are some more steps to secure the client's traffic. I will describe them in a later post about WPA/WPA2.


Saturday, July 22, 2017

EAP (Extensible Authentication Protocol) is used to authenticate users in several technologies. Common examples are WPA/WPA2 wireless networks and point-to-point connections.

If you want to understand the basics of the 802.1X/EAP concept, please refer to this.

EAP only describes the headers that identify the typical packets of an authentication dialog (request, challenge, success, failure). The original EAP does not describe the authentication method; the flavors of EAP do.

The different flavors of EAP, identified by different names, specify the different authentication methods (the way authentication occurs).

The most commonly used EAP types are EAP-TLS, PEAP and EAP-FAST.

EAP-TLS

EAP-TLS (Transport Layer Security) is an authentication mechanism that relies on certificates. Key pairs (certificate & private key) are installed on the clients and on the RADIUS server.

Note:- 

Certificate is a public key verified by a trusted authority.

When EAP-TLS is used, the following steps take place.
The first 4 steps are common to any EAP method (basic wireless connectivity).

(01) The client sends 802.11 Open Authentication Request
(02) AP sends 802.11 open Authentication Response
(03) The client then sends the Association Request
(04) AP sends Association Response

At this point the AP blocks all traffic from the supplicant until authentication completes.

(05) The client sends the EAPoL Start (this is optional)
(06) AP/WLC continues with an EAP message requesting the Supplicant Identity (username)
(07) The client sends its Identity to AP/WLC
(08) AP/WLC forwards the Supplicant Identity to the RADIUS server
(09) The RADIUS server sends its certificate to the client through AP/WLC
(10) The client verifies the server certificate and sends its own certificate to the RADIUS server

Now both the client and the RADIUS server have a way to encrypt the messages they exchange. They use this secure connection to agree on a way to derive the main encryption key for the client's traffic. This key is called the 'Pairwise Master Key'.

(11) RADIUS server & client generate the PMK (Pairwise Master Key)
(12) RADIUS server forwards the PMK to the WLC with an authentication success message
(13) WLC uses the PMK to generate encryption keys for the client traffic

Note:- 

The RADIUS server does not keep the PMK; it just generates it and hands it over to the WLC. The client also generates the PMK, which is identical to the PMK generated by the Authentication Server.

At this point the work of EAP-TLS is done. But in the real world (WPA/WPA2) there are some more steps to secure the client's traffic. I will describe them in a later post about WPA/WPA2.

Note:- 

EAP-TLS is a very secure authentication method, but certificates need to be installed on each client, so it is not widely used as enterprises move towards BYOD.

Sunday, April 30, 2017

DHCP Snooping is a security feature which can be configured on switches to mitigate rogue DHCP attacks. These attacks are performed by attackers who spoof DHCP information to carry out man-in-the-middle attacks. Because DHCP is the service which tells hosts about the default gateway, DNS etc., an attacker can change the traffic flow to go through a bogus gateway where packets can be captured.

To stop this, you can configure DHCP Snooping (DHCP inspection) to accept DHCP server packets (Offer, Ack etc.) only from trusted ports. In the diagram, you can see the DHCP server (trusted) which is connected to CORE, and the rogue DHCP server (untrusted) which is connected to SW.

When you configure DHCP Snooping on a switch, all ports become untrusted. You have to manually configure the trusted ports, i.e. the ports on which packets from the trusted DHCP server are received. In this topology they are e0/0 of CORE and e0/0 of SW.

I am using IOS 15.2 and here are the basic essential commands to configure snooping.

Assuming VLANs and trunks are configured correctly (here I have only VLAN 1):

CORE(config)#ip dhcp snooping
CORE(config)#ip dhcp snooping vlan 1
CORE(config)#int e0/0
CORE(config-if)#ip dhcp snooping trust

SW(config)#ip dhcp snooping
SW(config)#ip dhcp snooping vlan 1
SW(config)#no ip dhcp snooping information option
SW(config)#int e0/0
SW(config-if)#ip dhcp snooping trust

You can also rate limit the incoming DHCP requests from DHCP clients (per second) with additional commands, which helps to prevent DHCP exhaustion attacks.
The above commands will get DHCP snooping working at a basic level.

By default, SW will insert DHCP Option 82 into all DHCP packets it receives from the client. Also by default, CORE will drop those packets as soon as it receives them: a switch with DHCP Snooping enabled drops packets on untrusted ports that contain Option 82 or have a non-zero giaddr (anything other than 0.0.0.0). This is what is seen in debug on CORE when SW sends a DHCPDISCOVER out of port e0/0.

Remember that port e0/1 on CORE is an untrusted port for DHCP Snooping, so it drops the packets by default because Option 82 exists. That traffic never makes it to CORE.

Option 82 helps to deliver DHCP messages only to the client for which they are intended. It is turned on by default. It does this using the Circuit ID, which identifies the port to which the client is connected (the VLAN and the physical port location in the switch), and the Remote ID, which identifies the access switch to which the client is connected (by the MAC address of the switch).

To overcome this problem, you can enter the following command in global configuration mode of CORE to allow Option 82 on untrusted ports:
CORE(config)#ip dhcp snooping information option allow-untrusted

Also, if you want to allow Option 82 in your network and the DHCP server is a Cisco device (if the CORE switch is the DHCP server in this topology), you will have to enter the following command on the DHCP server so that it accepts Option 82:
CORE(config)#ip dhcp relay information trust-all

Or you can do it on a specific interface only with the following command:
CORE(config-if)#ip dhcp relay information trusted

Or you can simply stop SW from inserting Option 82 by entering the following command in global configuration mode of SW:
SW(config)#no ip dhcp snooping information option

That's what I have done in the above topology because it is the easiest solution.

If you are using only one switch to connect both the client PC and the DHCP server (in the same broadcast domain), this is not an issue.

Note:-

Dropping DHCP server packets is not the only thing DHCP Snooping does.
It also inspects DHCP client traffic on untrusted ports, verifies it against the MAC address table and drops the traffic if it does not match.

Preventive actions if a rogue DHCP server is detected

Most of the time this happens accidentally because of an ADSL router etc. In a case like that, you will get complaints from users that they receive a different IP range, which causes a communication failure. What you must do is issue ipconfig /all in the command prompt of a Windows PC and note the DHCP server IP, then issue arp -a to find the MAC address of the DHCP server, trace it to the port it is connected to from the switch command line and shut that port down.
If you have configured DHCP snooping correctly this won't be an issue.
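As an added example (not from the original post, and not Cisco code), here is a small Python model of the DHCP Snooping decisions described above, applied to this post's topology: server messages on untrusted ports are dropped, client messages are checked against the source MAC and giaddr, and Option 82 inserted by SW is dropped by CORE unless CORE has allow-untrusted configured or SW has `no ip dhcp snooping information option`. Port names follow the post; the MAC addresses are constructed.

```python
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}          # only legitimate on trusted ports


@dataclass
class DhcpPacket:
    msg_type: str            # DISCOVER, OFFER, REQUEST, ACK, ...
    src_mac: str             # Ethernet source MAC
    chaddr: str              # client hardware address inside the DHCP payload
    giaddr: str = "0.0.0.0"  # relay agent address; 0.0.0.0 when no relay touched it
    has_option82: bool = False


@dataclass
class SnoopingSwitch:
    name: str
    trusted_ports: set = field(default_factory=set)
    # "ip dhcp snooping information option allow-untrusted"
    allow_untrusted_option82: bool = False
    # on by default; "no ip dhcp snooping information option" turns it off
    insert_option82: bool = True

    def inspect(self, port: str, pkt: DhcpPacket):
        """Decide what DHCP Snooping does with a packet arriving on `port`."""
        if port in self.trusted_ports:
            return "forward", "trusted port, not inspected"
        if pkt.msg_type in SERVER_MESSAGES:
            return "drop", f"server message {pkt.msg_type} on untrusted port"
        if pkt.src_mac.lower() != pkt.chaddr.lower():
            return "drop", "chaddr does not match the source MAC"
        if pkt.giaddr != "0.0.0.0":
            return "drop", "non-zero giaddr on untrusted port"
        if pkt.has_option82 and not self.allow_untrusted_option82:
            return "drop", "Option 82 present on untrusted port"
        return "forward", "client message passed inspection"

    def relay_upstream(self, pkt: DhcpPacket) -> DhcpPacket:
        """The packet as this switch forwards it toward the server (Option 82 added by default)."""
        return DhcpPacket(pkt.msg_type, pkt.src_mac, pkt.chaddr, pkt.giaddr,
                          pkt.has_option82 or self.insert_option82)


def topology_discover(sw_inserts_option82: bool, core_allows_untrusted_option82: bool) -> dict:
    """The post's topology: client on an access port of SW, SW e0/0 uplink into CORE e0/1,
    DHCP server on CORE e0/0. Only the e0/0 ports are trusted. Returns the verdict on a
    client DISCOVER at each switch and on a rogue OFFER arriving on an access port of SW."""
    sw = SnoopingSwitch("SW", trusted_ports={"e0/0"}, insert_option82=sw_inserts_option82)
    core = SnoopingSwitch("CORE", trusted_ports={"e0/0"},
                          allow_untrusted_option82=core_allows_untrusted_option82)
    # constructed MAC addresses
    discover = DhcpPacket("DISCOVER", src_mac="02:00:00:00:aa:01", chaddr="02:00:00:00:AA:01")
    sw_verdict, _ = sw.inspect("e0/2", discover)
    core_verdict, core_reason = core.inspect("e0/1", sw.relay_upstream(discover))
    rogue_offer = DhcpPacket("OFFER", src_mac="02:00:00:00:bb:01", chaddr="02:00:00:00:aa:01")
    rogue_verdict, _ = sw.inspect("e0/3", rogue_offer)
    return {"sw": sw_verdict, "core": core_verdict, "core_reason": core_reason,
            "rogue_offer": rogue_verdict}


if __name__ == "__main__":
    print(topology_discover(sw_inserts_option82=True, core_allows_untrusted_option82=False))
    print(topology_discover(sw_inserts_option82=False, core_allows_untrusted_option82=False))
```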

Monday, April 10, 2017

Normally what a proxy does is hide your identity from the outside world. It can also be used to filter traffic by deep packet inspection. In your enterprise a firewall will do this too. This post is about the proxies we deploy on a server in your LAN which allow you to access the internet via a web browser.

[Capture 1: normal traffic path from the user's PC to the internet]
In the 1st capture you can see the normal traffic path from the user's PC to the internet. What a network administrator does is block all traffic to the internet via an access list etc. and only allow the proxy server IP to reach out to the internet.

So a ping to a server on the internet will be dropped, and a trace route will be dropped at 192.168.1.254.

[Capture 2: traffic path via the proxy server]
So when the LAN user needs to access the internet, the network admin will configure proxy settings in the web browser. What he actually does is give the proxy server IP and the port number in the advanced settings of the web browser. After that the user will be able to browse the internet from that web browser only, because only that traffic will be directed to the proxy by the PC.

The internet traffic from the configured web browser will be like in the 2nd capture. The gateway will see it as originating from the proxy server itself.

Still, pings and trace routes from the PC command prompt will be dropped at 192.168.1.254 because that traffic is not forwarded to the proxy.

Monday, December 26, 2016

If you are not familiar with the basics of cryptography, please read A Note on Cryptography Fundamentals & Algorithms & How Digital Signatures Work? before this. All of them will be used here to explain this.

This is what happens when you go to an HTTPS website. It basically means that you are connected to a server which is verified by a certificate authority, not to a malicious web server.

A hacker can download a webpage (ex:- facebook, paypal) from the internet, upload it to his web server and, using DNS spoofing, direct your traffic to the malicious website. If this technology were not there, you would enter your credentials into that malicious website, compromising your sensitive data. This is called Phishing. We will do a cool Phishing tutorial later.

To stop this, SSL (Secure Socket Layer) VPNs were introduced. Let's take a real-world example and understand what is happening at the back end. Let's take an online session to PayPal.com.

Before the client PC even starts going to PayPal.com, some things have happened at the back end. Let's take a Certificate Authority like VeriSign.

They create a Public/Private Key pair and they create their own Digital Signature using their Private Key.

[Figure: the CA's key pair and digital signature]
Then they create their own CA certificate containing their Public Key and their Digital Signature, and they send it to web browsers all over the world regularly. So the client PC here has the CA's public key along with the CA's digital signature before it even starts a web session to any website.

[Figure: CA certificate distributed to web browsers]
PayPal.com also creates its own Public and Private Key pair and sends its Public Key to the CA asking for a Digital Certificate.

[Figure: PayPal.com's key pair and certificate request]
The CA verifies the legitimacy of the sender and issues a Digital Certificate to PayPal.com containing PayPal.com's Public Key and the CA's Digital Signature.

[Figure: the digital certificate issued to PayPal.com]
Now let's see an online session.
The client sends a SYN to PayPal.com's web server on port 443, asking for a TCP 3-way handshake. The server acknowledges and sends a SYN, the client sends an ACK and the TCP session starts.

[Capture: TCP 3-way handshake to port 443]
Now the client sends an SSL Hello along with a list of ciphers which will be used later to build the tunnel (ex:- details of the encryption algorithm to be used, like RC4).
The server will pick the best ciphers it knows.
The server sends an SSL Hello and PayPal.com's Digital Certificate to the client PC.
Finally the client sends an ACK.

[Capture: SSL Hello exchange and certificate delivery]
Because the client has the CA's certificate, which contains the CA's Public Key, it can verify the CA's Digital Signature by decrypting the Digital Signature on PayPal.com's Digital Certificate.

The following capture shows the real certificates of PayPal.com and its CA.
You can view PayPal.com's certificate by clicking on the padlock in the web browser in front of the URL bar when you are browsing PayPal.com, and you can view the CA's certificate in the advanced settings of your web browser.

[Capture: PayPal.com's certificate and its CA's certificate]
Now the client creates a Session Key for the online session.
This key is a symmetric key (ex:- generated for the RC4 algorithm).
So the client PC encrypts the Session Key with PayPal.com's Public Key and sends it to PayPal.com.

[Figure: session key encrypted with PayPal.com's public key]
Because the Session Key is encrypted with PayPal.com's Public Key, PayPal.com can decrypt and retrieve the Session Key using its Private Key.

[Figure: PayPal.com decrypts the session key with its private key]
So both the client and PayPal.com now have the Session Key generated by the client.
Using this Session Key, both ends can now encrypt and decrypt the rest of the data securely, creating the encrypted SSL session.

Sunday, December 25, 2016

If you are not familiar with the basics of cryptography, please read A Note on Cryptography Fundamentals & Algorithms before this. All of it will be used here to explain this.

An IPSec VPN is just a logical tunnel between 2 VPN peers across a public network like the internet. It does not create a separate network with a different IP range between the peers. This post is about IKE version 1 IPSec tunnels.

There are 2 types of IPSec VPNs according to their behavior. 

1. Site-to-Site VPNs
2. Remote Access VPNs

Basically Site-to-Site VPNs are formed between 2 gateways across the internet while Remote Access VPNs are created between a gateway and a client software.

Benefits:

1. Confidentiality through Encryption
2. Integrity through Hashing
3. Authentication through PSK (symmetrical keys) or RSA/DSA (asymmetrical keys)
4. Anti-replay protection by counting packets

Two Phases of VPN

Actually there are 2 tunnels in the process of creating an IPSec tunnel. We call them IKE (Internet Key Exchange) Phase 1 and Phase 2.
IKE Phase 1 is used to exchange control information between the 2 VPN peers.
IKE Phase 2 is used to transport the real traffic.

Actually IKE Phase 2 is the real IPSec tunnel which uses IPSec parameters. IKE Phase 1 is formed using ISAKMP (Internet Security Association & Key Management Protocol) parameters.

So IKE Phase 1 must be formed first in order to start IKE Phase 2 to send user traffic.

IKE Phase 1

[Figure: IKE Phase 1 between R1 and R2]
STEP 01. Negotiate Phase 1

When PC1 wants to send a data packet to PC2, it hits R1 first, and R1 sends ISAKMP negotiation parameters to R2 to form IKE Phase 1. R2 sends its ISAKMP negotiation parameters to R1.

Following are the ISAKMP parameters which will be negotiated by both peers (R1 & R2):

Hashing algorithm which will be used (MD5/SHA)
Authentication type which will be used (PSK or RSA)
Diffie-Hellman group which will be used to generate the shared key for encryption algorithms like DES/3DES/AES later (Group 1/2/5)
Lifetime for which the IKE Phase 1 tunnel must stay active (default is 1 day)
Encryption algorithm which will be used (DES, 3DES, AES)

Of the above 5 parameters only the lifetime can differ between the two ends. They will agree on the minimum lifetime value of the two.

STEP 02. Setup DH Keys

After the negotiation is completed, they will run the Diffie-Hellman algorithm to generate shared secret key material. The following image explains how the shared secret key is generated by the DH algorithm.

[Figure: Diffie-Hellman shared secret generation]
R1 and R2 create public and private key pairs at their ends.
Both exchange their public keys with each other.
R1 creates its shared secret DH key from its private key and R2's public key.
R2 creates its shared secret DH key from its private key and R1's public key.

According to the DH algorithm, the final output from both sides (the DH keys) is the same. The following capture explains how the keys of both sides become equal mathematically.

[Figure: why both sides' DH keys are equal]
Now, using the shared secret key as the symmetric key of the encryption algorithm agreed in step 1 (DES, 3DES, AES), R1 and R2 can exchange encrypted data between the peers.

STEP 03. Authenticate

Now R1 and R2 can authenticate by exchanging identities and certificates securely, using the authentication method negotiated in step 1, and finally form the IKE Phase 1 tunnel.

Now it's time to form the IKE Phase 2 tunnel, which is the actual IPSec tunnel that will be used to transport user traffic from PC1 to PC2 under the protection of the IKE Phase 1 tunnel.


IKE Phase 2

[Figure: IKE Phase 2 between R1 and R2]
STEP 01. Negotiate Phase 2

Like the ISAKMP parameters in IKE Phase 1, R1 and R2 will negotiate the following IPSec parameters which will be used in the IKE Phase 2 tunnel. Authentication is not necessary because the IPSec peers are already authenticated in IKE Phase 1.

Hashing algorithm which will be used (MD5/SHA)
Diffie-Hellman group which will be used to generate the shared key for encryption algorithms like DES/3DES/AES later (Group 1/2/5). Here R1 & R2 can use the DH key which was used in IKE Phase 1 or create a new DH key just for IKE Phase 2. Creating a new DH key for IKE Phase 2 is called Perfect Forward Secrecy (PFS).
Lifetime for which the IKE Phase 2 tunnel must stay active (can be a time period or an amount of data)
Encryption algorithm which will be used (DES, 3DES, AES)

STEP 02. DH Keys if PFS is configured

If PFS is configured, R1 and R2 will run the DH algorithm to create a new shared secret key for the encryption algorithm which will be used in IKE Phase 2. Otherwise this step is omitted.

So after the negotiation, or after the DH key creation (if PFS is configured), they form the fully working IPSec VPN from both ends. Now PC1's traffic can be securely sent to PC2.
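As an added example (not from the original post) that covers both the Phase 1 DH exchange and the PFS step above, the Python code below runs a Diffie-Hellman exchange between R1 and R2, shows that both sides arrive at the same secret although only the public values cross the wire, and then either reuses that secret for Phase 2 or, with PFS, runs a fresh exchange. The group (modulus 2^127-1, generator 2) and the key derivation are constructed toy values, not the IKE MODP groups or the real IKE PRF.

```python
import hashlib
import secrets

# Toy DH group, constructed for this example: modulus 2^127-1 (a Mersenne prime), generator 2.
# Real IKE uses the far larger MODP groups (Group 1/2/5 above); the principle is identical.
P = (1 << 127) - 1
G = 2


class Peer:
    """One VPN gateway (R1 or R2) holding the secrets it derived."""
    def __init__(self, name: str):
        self.name = name
        self.phase1_secret = None
        self.phase2_secret = None


def dh_exchange():
    """One Diffie-Hellman run. Each side keeps its private exponent; only the public values
    cross the wire. Returns (secret computed by side a, secret computed by side b)."""
    a_priv = secrets.randbelow(P - 2) + 1
    b_priv = secrets.randbelow(P - 2) + 1
    a_pub, b_pub = pow(G, a_priv, P), pow(G, b_priv, P)   # exchanged in the clear
    return pow(b_pub, a_priv, P), pow(a_pub, b_priv, P)   # (g^b)^a == (g^a)^b mod p


def ike_phase1(r1: Peer, r2: Peer) -> bool:
    """STEP 02 of Phase 1: both peers end up with the same shared secret."""
    r1.phase1_secret, r2.phase1_secret = dh_exchange()
    return r1.phase1_secret == r2.phase1_secret


def ike_phase2(r1: Peer, r2: Peer, pfs: bool) -> bool:
    """Phase 2 keying: reuse the Phase 1 secret, or with PFS run a fresh DH exchange so the
    Phase 2 keys do not depend on the Phase 1 secret."""
    if pfs:
        r1.phase2_secret, r2.phase2_secret = dh_exchange()
    else:
        r1.phase2_secret, r2.phase2_secret = r1.phase1_secret, r2.phase1_secret
    return r1.phase2_secret == r2.phase2_secret


def session_key(secret: int, label: bytes) -> bytes:
    """Turn a DH secret into a fixed-size key for DES/3DES/AES. Constructed derivation
    (SHA-256 of secret || label), not the real IKE PRF."""
    return hashlib.sha256(secret.to_bytes(16, "big") + label).digest()


if __name__ == "__main__":
    r1, r2 = Peer("R1"), Peer("R2")
    print("phase 1 secrets match:", ike_phase1(r1, r2))
    print("phase 2 (PFS) secrets match:", ike_phase2(r1, r2, pfs=True))
    print("phase 2 key differs from phase 1 key:",
          session_key(r1.phase2_secret, b"esp") != session_key(r1.phase1_secret, b"esp"))
```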


Note:-

According to the number of packets exchanged in the process of forming the IKE Phase 1 and IKE Phase 2 tunnels, 3 modes are defined. But the overall process is the same as described above.

Modes of IKE Phase 1:
1. Main Mode, which uses 6 packets to form the IKE Phase 1 tunnel between R1 & R2
2. Aggressive Mode, which uses 3 packets to form the IKE Phase 1 tunnel between R1 & R2

Modes of IKE Phase 2:
1. Quick Mode, which uses 3 packets to form the IKE Phase 2 tunnel between R1 & R2

Saturday, December 24, 2016

If you are not familiar with the basics of cryptography, please read A Note on Cryptography Fundamentals & Algorithms before this. All of them will be used here to explain this.

The process involved is as follows.

Generate a key pair at the sender side

First a key pair has to be generated at the sender side using an asymmetric encryption algorithm like RSA or DSA.

Send the public key to the receiver side

The public key has to be sent to the receiver side; it is used to decrypt what the sender is going to encrypt using his private key.

Get the data and compute the hash

Now the sender takes the data which he wants to digitally sign and send to the receiver (ex:- a data packet) and runs a hashing algorithm like MD5 or SHA to compute the hash.


Encrypt the hash with the private key to make the signature

The hash/checksum/digest is encrypted using the sender's private key. This encrypted hash is called the digital signature.



Send the data along with the digital signature to the receiver

[Figure: data sent along with the digital signature]

Receiver verifies the integrity

[Figure: receiver verifies the integrity]
Now the receiver can run the hashing algorithm to compute the hash, decrypt the digital signature using the sender's public key and check whether both hash values are the same or not. This way the receiver can find out whether the data was really sent by the sender.
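As an added example (not from the original posts) that serves both this signature walkthrough and the HTTPS post above, the Python code below signs a hash with a private key and verifies it with the public key, then uses the same primitive the way the PayPal.com example does: a CA signs the server's public key into a certificate, the client checks it against the CA's public key and sends a session key encrypted to the server's public key. It uses textbook RSA on fixed Mersenne primes with no padding, constructed here for illustration only; the subject names and keys are made up.

```python
import hashlib
import secrets

# Toy textbook RSA (no padding) on fixed Mersenne primes so the example runs offline.
# Constructed for illustration only; not a usable CA or TLS implementation.
CA_PRIMES = ((1 << 127) - 1, (1 << 89) - 1)
SERVER_PRIMES = ((1 << 107) - 1, (1 << 61) - 1)


def make_keypair(p: int, q: int, e: int = 65537):
    """Returns (public key, private key) as dicts."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def digest_int(data: bytes, n: int) -> int:
    """Hash of the data as an integer small enough for the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: dict, data: bytes) -> int:
    """The digital signature: the hash 'encrypted' with the signer's private key."""
    return pow(digest_int(data, priv["n"]), priv["d"], priv["n"])


def verify(pub: dict, data: bytes, signature: int) -> bool:
    """Recompute the hash and compare it with the signature 'decrypted' by the public key."""
    return pow(signature, pub["e"], pub["n"]) == digest_int(data, pub["n"])


def cert_bytes(subject: str, pub: dict) -> bytes:
    """The part of a certificate the CA signs: who it is for and their public key."""
    return f"{subject}|{pub['n']}|{pub['e']}".encode()


def issue_certificate(ca_priv: dict, subject: str, subject_pub: dict) -> dict:
    """The CA signs the subject's public key; the certificate carries both."""
    return {"subject": subject, "pub": subject_pub,
            "sig": sign(ca_priv, cert_bytes(subject, subject_pub))}


def client_verify_cert(ca_pub: dict, cert: dict, expected_subject: str) -> bool:
    """The browser's check: right name, and a CA signature that the built-in CA key verifies."""
    return cert["subject"] == expected_subject and \
        verify(ca_pub, cert_bytes(cert["subject"], cert["pub"]), cert["sig"])


def client_send_session_key(server_pub: dict):
    """Client picks a 128-bit symmetric session key and encrypts it to the server's public key."""
    session_key = secrets.token_bytes(16)
    return session_key, pow(int.from_bytes(session_key, "big"), server_pub["e"], server_pub["n"])


def server_recover_session_key(server_priv: dict, ciphertext: int) -> bytes:
    """Only the holder of the server's private key can get the session key back."""
    return pow(ciphertext, server_priv["d"], server_priv["n"]).to_bytes(16, "big")


def demo():
    """Returns (genuine cert verifies, cert with edited subject verifies, session key recovered)."""
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    srv_pub, srv_priv = make_keypair(*SERVER_PRIMES)
    cert = issue_certificate(ca_priv, "paypal.com", srv_pub)
    genuine_ok = client_verify_cert(ca_pub, cert, "paypal.com")
    # A phishing host that edits the subject of a real certificate breaks the CA signature.
    forged = dict(cert, subject="paypa1.com")
    forged_ok = verify(ca_pub, cert_bytes(forged["subject"], forged["pub"]), forged["sig"])
    key, encrypted = client_send_session_key(srv_pub)
    recovered = server_recover_session_key(srv_priv, encrypted)
    return genuine_ok, forged_ok, recovered == key


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```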

Encryption
Encryption is the most effective way to achieve data security. Basically, when plain text is encrypted it becomes scrambled and unreadable. This is not only for text documents; it can be applied to any type of data.

Key
To encrypt and decrypt data, you need to have a Key, and a Key is a parameter which will define a functional output of a cryptographic algorithm. Encryption algorithms can be Symmetrical & Asymmetrical in the way they use Keys.

Symmetrical Encryption Algorithms
use only one key for both encryption and decryption.
Generally used for bulk encryption of data streams.
Ex:- DES, 3DES, AES, IDEA

[Figure: symmetric encryption]
Asymmetrical Encryption Algorithms
use 2 keys, one key to encrypt and another key to decrypt.
Anything encrypted by the 1st key can be decrypted only by the 2nd key and vice versa.
Generally used for authentication.
Ex:- RSA, DSA

[Figure: asymmetric encryption]
Hashing Algorithms
used to verify data integrity, meaning they help you check whether the data has been manipulated in transit or not. The output of a hashing algorithm is called a hash/checksum/digest.
Ex:- MD5, SHA

Hashing algorithms are one-way functions, so it is almost impossible to retrieve the original data from just a hash. If a hacker alters a single data bit in transit, the checksum becomes completely different.
In the following example, you can see what happens to the digest when the last letter "t" is deleted.

[Figure: digest before and after deleting the last letter]
The following command on Cisco devices will verify the integrity of a downloaded IOS image:
R#verify /md5 flash:<filename.bin>


HMAC (Hashed Message Authentication Code)
used to verify the hash/checksum/digest generated by a hashing algorithm.
A hacker can capture and manipulate data in transit, run the hashing algorithm, attach the new hash and send it to the destination as if it were the original packet. This is a possibility in man-in-the-middle attacks. HMAC is used to stop this.
Basically HMAC uses a secret key as an extra parameter when computing the hash with regular hashing algorithms like MD5 or SHA.
The HMAC key is known only to the sender and receiver.

[Figure: HMAC computation]
Now let's see a scenario with all of the above and how HMAC is used for integrity.
Here, let's assume a case where a man-in-the-middle hacker somehow could grab the encryption key. In this case, if HMAC is not used, the receiver will think the malicious data received is correct.

[Figure: man-in-the-middle with the encryption key and no HMAC]
Now let's see what happens when HMAC is used in hashing. Because the key used to generate the HMAC is known only to the sender and receiver, the hacker cannot regenerate the correct HMAC.
Basically, HMAC is the output of a hashing algorithm which can only be generated in a unique way, and only by the parties who hold the secret key.
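As an added example (not from the original post), the Python code below plays out the two scenarios above with a constructed message and a constructed shared key: a receiver that only checks a plain hash accepts a message the attacker altered and re-hashed, while a receiver that checks an HMAC rejects it, both when the attacker attaches a plain hash and when he guesses a wrong key. It also shows the digest changing completely when one letter is removed.

```python
import hashlib
import hmac


def plain_digest(message: bytes) -> bytes:
    """Plain hash attached to the message; anyone can recompute it."""
    return hashlib.sha256(message).digest()


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC: the same hash function, but keyed with the secret shared by sender and receiver."""
    return hmac.new(key, message, hashlib.sha256).digest()


def receiver_accepts_plain(message: bytes, digest: bytes) -> bool:
    return plain_digest(message) == digest


def receiver_accepts_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    # constant-time comparison, so the check itself leaks nothing about the expected tag
    return hmac.compare_digest(hmac_tag(key, message), tag)


def man_in_the_middle(message: bytes, make_tag):
    """Attacker who can read and change traffic (he holds the encryption key in the post's
    scenario) alters the message and attaches whatever tag he is able to compute."""
    altered = message.replace(b"amount=100", b"amount=9000")
    return altered, make_tag(altered)


def scenario():
    """Returns (plain hash accepts altered message, HMAC accepts attacker's plain hash,
    HMAC accepts attacker's HMAC under a guessed key, HMAC accepts the untouched message)."""
    key = b"constructed-shared-secret"          # known only to sender and receiver
    msg = b"transfer to=bob amount=100"         # constructed message

    # 1. Integrity with a plain hash: attacker re-hashes and the receiver is fooled.
    altered, forged = man_in_the_middle(msg, plain_digest)
    plain_fooled = receiver_accepts_plain(altered, forged)

    # 2. Integrity with HMAC: attacker attaches a plain hash, or an HMAC under a wrong key.
    altered, forged = man_in_the_middle(msg, plain_digest)
    hmac_fooled_by_hash = receiver_accepts_hmac(key, altered, forged)
    altered, forged = man_in_the_middle(msg, lambda m: hmac_tag(b"guessed-key", m))
    hmac_fooled_by_guess = receiver_accepts_hmac(key, altered, forged)

    genuine_ok = receiver_accepts_hmac(key, msg, hmac_tag(key, msg))
    return plain_fooled, hmac_fooled_by_hash, hmac_fooled_by_guess, genuine_ok


def avalanche(text: str):
    """Digest of the text and of the text without its last letter, and how many of the
    256 digest bits differ (the post's "delete the last letter" example)."""
    d1, d2 = plain_digest(text.encode()), plain_digest(text[:-1].encode())
    changed_bits = bin(int.from_bytes(d1, "big") ^ int.from_bytes(d2, "big")).count("1")
    return d1.hex(), d2.hex(), changed_bits


if __name__ == "__main__":
    print(scenario())                              # (True, False, False, True)
    print(avalanche("Integrity is what we want"))
```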
[Figure: man-in-the-middle defeated by HMAC]

Saturday, April 23, 2016

Boot up your Kali Linux box, go to the terminal and enter the airmon-ng command to verify the wireless interface is up and running.

[Screenshot: airmon-ng output]
Looks like my wireless interface name is wlan0. Turn it to monitor mode by entering airmon-ng start wlan0

[Screenshot: airmon-ng start wlan0 output]
Now enter the airmon-ng command again to see the changed name of the interface, which will be used hereafter; it is "wlan0mon" as you can see in the following capture.

[Screenshot: airmon-ng showing wlan0mon]
Now let's see what Wi-Fi networks are available in range by entering the command airodump-ng wlan0mon

[Screenshot: airodump-ng wlan0mon output]
Let it run for about a minute to gather information. Here you can see that only 1 wireless network is out there, which is on channel 1, using WPA2 with PSK (Pre-Shared Key). This is the most common type of security implemented in wireless networks today.

Let's now write a file named "HOMECAP" capturing wireless packets specifically for the BSSID 90:61:0C:27:5D:CB on channel 1.
The command is airodump-ng -w HOMECAP -c 1 --bssid 90:61:0C:27:5D:CB wlan0mon
"-c 1" refers to channel number 1. If the channel number is 10, use "-c 10" in this command.

[Screenshot: airodump-ng capture on channel 1]
Let it run until it captures a handshake. When it has captured a handshake, the output will be like the following.

[Screenshot: airodump-ng showing the captured handshake]
You must wait for a handshake. It is not that hard to capture a handshake of an active network because computers often go to sleep mode, turn off and reboot, ask to reconnect etc. There is also a method of forcing clients to re-authenticate using the command
aireplay-ng -0 0 -a <BSSID> -c <Client MAC Address> wlan0mon in a separate terminal while capturing packets. But most of the time it will not work in practical environments.

After a handshake is captured, enter ls to see the real name of the written file.

See, even though we gave the name HOMECAP for the file, it has changed to HOMECAP-01.cap

Now let's crack it using a dictionary list. Here I am using Kali's inbuilt dictionary list rockyou.txt, which is 140 MB. If you are using this dictionary for the 1st time, you will first have to extract the tar file in the /usr/share/wordlists folder. This has almost all the common passwords people normally enter for their wireless networks. There are also very big dictionaries out there, gigabytes in size, which have almost all the possible ASCII combinations.
Enter aircrack-ng HOMECAP-01.cap -w /usr/share/wordlists/rockyou.txt
Let it run until it cracks the password. This may take some time depending on the processing power of your CPU and the strength of the password. For this password it took only about 5 minutes.

[Screenshot: aircrack-ng output]
Using a very strong password is the only way this can be prevented if you're going to use WPA2 PSK.

Commands I entered:

airmon-ng
airmon-ng start <physical interface>
airmon-ng
airodump-ng <new monitoring interface>
airodump-ng -w <file name> -c <channel number> --bssid <BSSID> <interface>
aircrack-ng <new capture file name> -w /usr/share/wordlists/rockyou.txt

Tuesday, April 19, 2016

I have only 1 pendrive of 16 GB. So I am going to create 3 types of partitions on it so that I can use my pendrive as a normal data traveler + Linux security toolbox which I can bring anywhere easily.

10 GB of NTFS for normal day-to-day use as the data traveler
3 GB of FAT32 to install Kali Linux
1.5 GB of ext4 for persistence

If you don't want to use your pendrive as a data traveler, you need to create only 2 types of partitions, the FAT32 one and the ext4 one. Since it is a 16 GB pendrive, it would be a waste to do so.

Download Mini Partition Wizard from here.

Open Mini Partition Wizard. The 1st look will be like the following.
(click on the image to see the full size)

[Screenshot: Mini Partition Wizard main window]

My pendrive is empty and it has a default NTFS partition.

Creating the 10 GB NTFS Partition as a Data Traveler

Right click on your pendrive and select Move/Resize.

Give these settings and hit OK.

[Screenshot: Move/Resize settings for the 10 GB NTFS partition]
Creating a 3 GB FAT32 Partition for Kali Linux

Right click on the unallocated space, select Create and click Yes.

Give these settings as in the screenshot and hit OK.

[Screenshot: Create settings for the 3 GB FAT32 partition]
Creating a 1.5 GB ext4 Partition for Persistence

Right click on the unallocated space, select Create and click Yes.

Give these settings as in the screenshot and hit OK.

[Screenshot: Create settings for the 1.5 GB ext4 partition]

Now everything will be like this.

[Screenshot: partition layout after creating all three partitions]
Now all the partitions have been created. Let's apply the changes now.

After applying the changes you may see that the drive letter D: of the FAT32 partition is gone. Without a letter Windows will not identify the partition, so we have to make some changes to make it work from here.

First delete the NTFS partition, give a letter to the FAT32 partition and hit Apply.

Now it will be like the following.

[Screenshot: partition layout after deleting the NTFS partition and assigning a letter to the FAT32 partition]

In My Computer the drive will look like the following.

[Screenshot: the FAT32 drive in My Computer]
Installing Kali

Download the Kali ISO from their website. I downloaded the 32-bit full version of 2.6 GB which is compatible with most computers.

Now download Universal USB Installer from here.

[Screenshot: Universal USB Installer settings]
Open it, select the ISO file and the other parameters like in this capture and hit Create.

Wait a few minutes till it completes its job.

Now go to Mini Partition Wizard again, right click on the FAT32 partition, select Change Letter and select None. Right click on the FAT32 partition again and select Set Active. This is used to identify the partition with the OS boot files when you boot from the pendrive later.

Right click on the unallocated space, select Create and click Yes.
Give these settings as in the screenshot and hit OK.

[Screenshot: Create settings for the NTFS data partition]

Now everything will be like the following.

[Screenshot: final partition layout]
Booting Kali from Pendrive

Now it's time to reboot the PC and select the USB drive in the boot options.

Choose the option "Live USB Persistence".

[Screenshot: Kali boot menu with "Live USB Persistence"]
Now don't click on the "persistence" icon on the screen.

Go to the terminal and enter the following commands.

Make a directory on the filesystem to mount your USB:
mkdir -p /mnt/usb

To find out which partition of your drive you'll use (for mine it's sdb3):
fdisk -l

Mount the partition on the directory you made:
mount /dev/sdb3 /mnt/usb

Add a configuration file to enable persistence:
echo "/ union" > /mnt/usb/persistence.conf

Unmount the partition and reboot:
umount /dev/sdb3 && reboot

[Screenshot: the persistence setup commands in the Kali terminal]

After the reboot select the USB drive in the boot options and again choose the option "Live USB Persistence".
From now on every config you do will be saved, and it's more like using a dedicated Linux box.

Also you have your 10 GB pendrive for day-to-day use as a data traveler. Cheers..!!