TableofContents

KaliLinuxWirelessPenetrationTestingBeginner'sGuideCreditsAbouttheAuthorsAbouttheReviewerwww.PacktPub.com

Supportfiles,eBooks,discountoffers,andmoreWhysubscribe?FreeaccessforPacktaccountholders

DisclaimerPreface

WhatthisbookcoversWhatyouneedforthisbookWhothisbookisforConventionsReaderfeedbackCustomersupportErrataPiracyQuestions

1.WirelessLabSetupHardwarerequirementsSoftwarerequirementsInstallingKaliTimeforaction–installingKaliWhatjusthappened?Haveagohero–installingKalionVirtualBoxSettinguptheaccesspointTimeforaction–configuringtheaccesspointWhatjusthappened?Haveagohero–configuringtheaccesspointtouseWEPandWPASettingupthewirelesscardTimeforaction–configuringyourwirelesscardWhatjusthappened?Connectingtotheaccesspoint

Timeforaction–configuringyourwirelesscardWhatjusthappened?Haveagohero–establishingaconnectioninaWEPconfigurationPopquiz–understandingthebasicsSummary

2.WLANanditsInherentInsecuritiesRevisitingWLANframesTimeforaction–creatingamonitormodeinterfaceWhatjusthappened?Haveagohero–creatingmultiplemonitormodeinterfacesTimeforaction–sniffingwirelesspacketsWhatjusthappened?Haveagohero–findingdifferentdevicesTimeforaction–viewingmanagement,control,anddataframesWhatjusthappened?Haveagohero–playingwithfiltersTimeforaction–sniffingdatapacketsforournetworkWhatjusthappened?Haveagohero–analyzingdatapacketsTimeforaction–packetinjectionWhatjusthappened?Haveagohero–installingKalionVirtualBoxImportantnoteonWLANsniffingandinjectionTimeforaction–experimentingwithyouradapterWhatjusthappened?Haveagohero–sniffingmultiplechannelsTheroleofregulatorydomainsinwirelessTimeforaction–experimentingwithyouradapterWhatjusthappened?Haveagohero–exploringregulatorydomainsPopquiz–WLANpacketsniffingandinjectionSummary

3.BypassingWLANAuthenticationHiddenSSIDsTimeforaction–uncoveringhiddenSSIDsWhatjusthappened?Haveagohero–selectingdeauthentication

MACfiltersTimeforaction–beatingMACfiltersWhatjusthappened?OpenAuthenticationTimeforaction–bypassingOpenAuthenticationWhatjusthappened?SharedKeyAuthenticationTimeforaction–bypassingSharedAuthenticationWhatjusthappened?Haveagohero–fillinguptheaccesspoint'stablesPopquiz–WLANauthenticationSummary

4.WLANEncryptionFlawsWLANencryptionWEPencryptionTimeforaction–crackingWEPWhatjusthappened?Haveagohero–fakeauthenticationwithWEPcrackingWPA/WPA2Timeforaction–crackingWPA-PSKweakpassphrasesWhatjusthappened?Haveagohero–tryingWPA-PSKcrackingwithCowpattySpeedingupWPA/WPA2PSKcrackingTimeforaction–speedingupthecrackingprocessWhatjusthappened?DecryptingWEPandWPApacketsTimeforaction–decryptingWEPandWPApacketsWhatjusthappened?ConnectingtoWEPandWPAnetworksTimeforaction–connectingtoaWEPnetworkWhatjusthappened?Timeforaction–connectingtoaWPAnetworkWhatjusthappened?Popquiz–WLANencryptionflawsSummary

5.AttacksontheWLANInfrastructureDefaultaccountsandcredentialsontheaccesspoint

Timeforaction–crackingdefaultaccountsontheaccesspointsWhatjusthappened?Haveagohero–crackingaccountsusingbrute-forceattacksDenialofserviceattacksTimeforaction–deauthenticationDoSattacksWhatjusthappened?Haveagohero–disassociationattacksEviltwinandaccesspointMACspoofingTimeforaction–eviltwinsandMACspoofingWhatjusthappened?Haveagohero–eviltwinsandchannelhoppingArogueaccesspointTimeforaction–crackingWEPWhatjusthappened?Haveagohero–rogueaccesspointchallengePopquiz–attacksontheWLANinfrastructureSummary

6.AttackingtheClientHoneypotandMis-AssociationattacksTimeforaction–orchestratingaMis-AssociationattackWhatjusthappened?Haveagohero–forcingaclienttoconnecttotheHoneypotTheCaffeLatteattackTimeforaction–conductingaCaffeLatteattackWhatjusthappened?Haveagohero–practisemakesperfect!DeauthenticationanddisassociationattacksTimeforaction–deauthenticatingtheclientWhatjusthappened?Haveagohero–disassociationattackontheclientTheHirteattackTimeforaction–crackingWEPwiththeHirteattackWhatjusthappened?Haveagohero–practise,practise,practiseAP-lessWPA-PersonalcrackingTimeforaction–AP-lessWPAcrackingWhatjusthappened?

Haveagohero–AP-lessWPAcrackingPopquiz–attackingtheclientSummary

7.AdvancedWLANAttacksAman-in-the-middleattackTimeforaction–man-in-the-middleattackWhatjusthappened?Haveagohero–man-in-the-middleoverpurewirelessWirelessEavesdroppingusingMITMTimeforaction–WirelessEavesdroppingWhatjusthappened?Haveagohero–findingGooglesearchesSessionhijackingoverwirelessTimeforaction–sessionhijackingoverwirelessWhatjusthappened?Haveagohero–applicationhijackingchallengeFindingsecurityconfigurationsontheclientTimeforaction–deauthenticationattacksontheclientWhatjusthappened?Haveagohero–baitingclientsPopquiz–advancedWLANattacksSummary

8.AttackingWPA-EnterpriseandRADIUSSettingupFreeRADIUS-WPETimeforaction–settinguptheAPwithFreeRADIUS-WPEWhatjusthappened?Haveagohero–playingwithRADIUSAttackingPEAPTimeforaction–crackingPEAPWhatjusthappened?Haveagohero–attackvariationsonPEAPEAP-TTLSSecuritybestpracticesforEnterprisesPopquiz–attackingWPA-EnterpriseandRADIUSSummary

9.WLANPenetrationTestingMethodologyWirelesspenetrationtesting

PlanningDiscoveryAttackCrackingtheencryptionAttackinginfrastructureCompromisingclientsReportingSummary

10.WPSandProbesWPSattacksTimeforaction–WPSattackWhatjusthappened?Haveagohero–ratelimitingProbesniffingTimeforaction–collectingdataWhatjusthappened?Haveagohero–extensionideasSummary

A.PopQuizAnswersChapter1,WirelessLabSetupPopquiz–understandingthebasicsChapter2,WLANanditsInherentInsecuritiesPopquiz–understandingthebasicsChapter3,BypassingWLANAuthenticationPopquiz–WLANauthenticationChapter4,WLANEncryptionFlawsPopquiz–WLANencryptionflawsChapter5,AttacksontheWLANInfrastructurePopquiz–attacksontheWLANinfrastructureChapter6,AttackingtheClientPopquiz–AttackingtheClientChapter7,AdvancedWLANAttacksPopquiz–advancedWLANattacksChapter8,AttackingWPA-EnterpriseandRADIUSPopquiz–attackingWPA-EnterpriseandRADIUS

Index

Kali Linux Wireless Penetration Testing Beginner'sGuide

Kali Linux Wireless Penetration Testing Beginner'sGuideCopyright©2015PacktPublishing

Allrightsreserved.Nopartofthisbookmaybereproduced,storedinaretrievalsystem,or transmitted in any formorby anymeans,without thepriorwrittenpermissionofthepublisher,exceptinthecaseofbriefquotationsembeddedincriticalarticlesorreviews.

Everyefforthasbeenmadeinthepreparationofthisbooktoensuretheaccuracyoftheinformationpresented.However,theinformationcontainedinthisbookissoldwithoutwarranty,eitherexpressorimplied.Neithertheauthors,norPacktPublishing,and itsdealersanddistributorswillbeheld liable foranydamagescausedorallegedtobecauseddirectlyorindirectlybythisbook.

PacktPublishinghasendeavoredtoprovidetrademarkinformationaboutallofthe companies and productsmentioned in this book by the appropriate use ofcapitals. However, Packt Publishing cannot guarantee the accuracy of thisinformation.

Firstpublished:September2011

Secondedition:March2015

Productionreference:1230315

PublishedbyPacktPublishingLtd.

LiveryPlace

35LiveryStreet

BirminghamB32PB,UK.

ISBN978-1-78328-041-4

www.packtpub.com

CreditsAuthors

VivekRamachandran

CameronBuchanan

Reviewer

MarcoAlamanni

CommissioningEditor

ErolStaveley

AcquisitionEditor

SamWood

ContentDevelopmentEditor

ShubhangiDhamgaye

TechnicalEditor

NaveenkumarJain

CopyEditor

RashmiSawant

ProjectCoordinator

HarshalVed

Proofreaders

SimranBhogal

StephenCopestake

Indexer

MonicaAjmeraMehta

ProductionCoordinator

KomalRamchandani

CoverWork

KomalRamchandani

AbouttheAuthorsVivek Ramachandran has been working on Wi-Fi Security since 2003. Hediscovered the Caffe Latte attack and also broke WEP Cloaking, a WEPprotectionschema,publicly in2007atDEFCON. In2011,hewas the first todemonstrate how malware could use Wi-Fi to create backdoors, worms, andevenbotnets.

Earlier,hewasoneoftheprogrammersofthe802.1xprotocolandPortSecurityinCisco's6500Catalyst seriesofswitchesandwasalsooneof thewinnersoftheMicrosoftSecurityShootoutcontestheld inIndiaamongareported65,000participants. He is best known in the hacker community as the founder ofSecurityTube.net,whereheroutinelypostsvideosonWi-FiSecurity,assemblylanguage, exploitation techniques, and so on. SecurityTube.net receives over100,000uniquevisitorsamonth.

Vivek'sworkonwirelesssecurityhasbeenquoted inBBCOnline, InfoWorld,MacWorld,TheRegister,ITWorldCanada,andsoon.Thisyear,hewillspeakor train at a number of security conferences, including Blackhat, Defcon,Hacktivity, 44con, HITB-ML, BruCON Derbycon, Hashdays, SecurityZone,SecurityByte,andsoon.

Iwouldliketothankmylovelywifeforallherhelpandsupportduringthebook-writingprocess.Iwouldalsoliketothankmyparents,grandparents,andsisterforbelievinginmeandencouragingmeforall theseyears,andlast but not least, Iwould like to thank all the users of SecurityTube.netwhohavealwaysbeenbehindmeand supportingallmywork.Youguysrock!

CameronBuchananisapenetrationtesterbytradeandawriterinhissparetime.He has performed penetration tests around the world for a variety of clientsacrossmany industries. Previously, hewas amember of the RAF.He enjoysdoingstupidthings,suchastryingtomakethingsfly,gettingelectrocuted,anddunkinghimselfinfreezingcoldwaterinhissparetime.HeismarriedandlivesinLondon.

AbouttheReviewerMarco Alamanni has professional experience working as a Linux systemadministrator and information security administrator, in banks and financialinstitutions,inItalyandPeru.HeholdsaBScdegreeincomputerscienceandanMSc degree in information security. His interests in information technologyinclude ethical hacking, digital forensics, malware analysis, Linux, andprogramming, among others. He also collaborates with ITmagazines, writingarticlesaboutLinuxandITsecurity.

I'd like to thank my family and Packt Publishing for giving me theopportunitytoreviewthisbook.

www.PacktPub.com

Supportfiles,eBooks,discountoffers,andmoreFor support files and downloads related to your book, please visitwww.PacktPub.com.

Didyouknow thatPacktofferseBookversionsofeverybookpublished,withPDF and ePub files available? You can upgrade to the eBook version atwww.PacktPub.comand,asaprintbookcustomer,youareentitledtoadiscountontheeBookcopy.Getintouchwithusat<service@packtpub.com>formoredetails.

Atwww.PacktPub.com,youcanalsoreadacollectionoffreetechnicalarticles,sign up for a range of free newsletters, and receive exclusive discounts andoffersonPacktbooksandeBooks.

https://www2.packtpub.com/books/subscription/packtlib

Doyouneed instant solutions toyour ITquestions?PacktLib isPackt'sonlinedigitalbooklibrary.Here,youcansearch,access,andreadPackt'sentirelibraryofbooks.

Whysubscribe?

FullysearchableacrosseverybookpublishedbyPacktCopyandpaste,print,andbookmarkcontentOndemandandaccessibleviaawebbrowser

FreeaccessforPacktaccountholders

If youhave an accountwithPackt atwww.PacktPub.com,youcanuse this toaccess PacktLib today and view 9 entirely free books. Simply use your logincredentialsforimmediateaccess.

DisclaimerThecontentwithinthisbookisforeducationalpurposesonly.It isdesignedtohelpuserstesttheirownsystemagainstinformationsecuritythreatsandprotecttheir IT infrastructure fromsimilar attacks.PacktPublishingand the authorofthis book take no responsibility for actions resulting from the inappropriateusageoflearningmaterialcontainedwithinthisbook.

PrefaceWirelessNetworkshavebecomeubiquitousintoday'sworld.Millionsofpeopleuseitworldwideeverydayattheirhomes,officesandpublichotspotstologontotheInternetanddobothpersonalandprofessionalwork.Eventhoughwirelessmakeslifeincrediblyeasyandgivesussuchgreatmobility,itcomeswithrisks.In recent times, insecure wireless networks have been used to break intocompanies,banksandgovernmentorganizations.Thefrequencyoftheseattacksisonlyintensified,asnetworkadministratorsarestillcluelesswhenitcomestosecuringwirelessnetworksinarobustandfoolproofway.

Kali LinuxWirelessPenetrationTestingBeginner'sGuide is aimed at helpingthe reader understand the insecurities associated with wireless networks, andhowtoconductpenetrationteststofindandplugthem.Thisisanessentialreadfor thosewhowould like to conduct security audits onwireless networks andalways wanted a step-by-step practical. As every wireless attack explained inthis book is immediately followed by a practical demo, the learning is verycomplete.

WehavechosenKaliLinuxastheplatformtotestallthewirelessattacksinthisbook. Backtrack, as most of you may already be aware, is the world's mostpopular penetration testing distribution. It contains hundreds of security andhackingtools,someofwhichwewilluseinthiscourseofthisbook.

WhatthisbookcoversChapter1,WirelessLabSetup:Therearedozensofexerciseswewillbedoinginthis book. In order to be able to try themout, the readerwill need to setup awirelesslab.Thischapterfocusesonhowtocreateawirelesstestinglabusingoff-the-shelfhardwareandopensourcesoftware.Wewillfirstlookathardwarerequirements, which include wireless cards, antennas, access points and otherWi-Fienableddevices,thenwewillshiftourfocustothesoftwarerequirementswhichincludetheoperatingsystem,Wi-Fidriversandsecuritytools.Finally,wewill create a test bed for our experiments and verify different wirelessconfigurationsonit.

Chapter2,WLANanditsInherentInsecurities:Thischapterfocusesoninherentdesign flaws inwireless networks, thatmake insecureout-of-the-box.Wewillbegin with a quick recap of the 802.11 WLAN protocols using a networkanalyzercalledWireshark.Thiswillgiveusapracticalunderstandingabouthowtheseprotocolswork.Mostimportantly,wewillseehowclientandaccesspointcommunication works at the packer level by analyzingManagement, ControlandDataframes.Wewillthenlearnaboutpacketinjectionandpackersniffinginwirelessnetworks,andlookatsometoolswhichenableustodothesame.

Chapter 3, Bypassing WLAN Authentication: Now we get into how to breakWLANauthenticationmechanism!Wewillgostepbystepandexplorehowtosubvert Open and Shared Key authentications. In the course of this, you willlearn how to analyse wireless packets and figure out the authenticationmechanismofthenetwork.WewillalsolookathowtobreakintonetworkswithHiddenSSIDandMACFilteringenabled.Thesearetwocommonmechanismsemployed by network administrators tomakewireless networksmore stealthyanddifficulttopenetrate;however,theseareextremelysimpletobypass.

Chapter 4,WLANEncryption Flaws: One of themost vulnerable parts of theWLANprotocolistheEncryptionschemas–WEP,WPAandWPA2.Overthepast decade hackers have found multiple flaws in these schemas and havewrittenpublicallyavailablesoftware tobreak themanddecrypt thedata.Also,even thoughWPA/WPA2 is secure by design,misconfiguring those opens upsecurity vulnerabilities, that can be easily exploited. In this chapter, we will

understandtheinsecuritiesineachoftheseencryptionschemasanddopracticaldemosonhowtobreakthem.

Chapter5,AttacksontheWLANInfrastructure:WewillnowshiftourfocustoWLANInfrastructurevulnerabilities.Wewilllookatvulnerabilitiescreatedduetobothconfigurationanddesignproblem.WewilldopracticaldemosofattackssuchasaccesspointMACspoofing,bitflippingandreplayattacks,rogueaccesspoints, fuzzinganddenialofservices.Thischapterwillgive thereaderasolidunderstandingofhowtodoapenetrationtestoftheWLANinfrastructure.

Chapter6,AttackingtheClient:Thischaptermightopenyoureyesifyoualwaysbelievedthatwirelessclientsecuritywassomethingyoudidnothave toworryabout! Most people exclude the client from their list when they think aboutWLANsecurity.Thischapterwillprovebeyonddoubtwhytheclientisjustasimportant as the access pointwhen penetration testing aWLANnetwork.Wewill look at how to compromise the security using client side attacks such asMiss-Association, Caffe Latte, disassociation, ad-hoc connections, fuzzing,honeypotsandahostofothers.

Chapter7,AdvancedWLANAttacks:Nowthatwehavealreadycoveredmostofthebasicattacksonboththeinfrastructureandtheclient,wewilllookatmoreadvancedattacksinthischapter.Theseattackstypicallyinvolveusingmultiplebasic attacks in conjunction to break security in more challenging scenarios.Someoftheattackswhichwewilllearnincludewirelessdevicefingerprinting,man-in-the-middle over wireless, evading wireless intrusion detection andpreventionsystems, rogueaccesspointsoperatingusingcustomprotocolandacouple of others. This chapter presents the absolute bleeding edge inwirelessattacksoutintherealworld.

Chapter8,AttackingWPA-EnterpriseandRADIUS:Thischaptergraduates theusertothenextlevelbyintroducinghimtoadvancedattacksonWPA-EnterpriseandtheRADIUSserversetup.TheseattackswillcomeinhandywhenthereaderhastopenetrationtestlargeenterprisenetworkswhichrelyonWPA-EnterpriseandRADIUSauthentication toprovide themwithsecurity.This isprobablyasadvancedasWi-Fiattackscangetintherealworld.

Chapter 9, WLAN Penetrating Testing Methodology: This is where all thelearningfromthepreviouschapterscomestogether,andwewilllookathowto

doawirelesspenetrationtestinasystematicandmethodicalway.Wewilllearnabout the various phases of penetration testing—Planning, Discovery, Attackand Reporting, and apply it to wireless penetration testing. We will alsounderstandhowtoproposerecommendationsandbestpracticesafterawirelesspenetrationtest.

Chapter 10,WPSandProbes: This chapter covers the two new attacks in theindustry that have developed since the initial publication of this book—WPSbrute-forceandprobesniffingformonitoring.

WhatyouneedforthisbookTo follow and recreate the practical exercises in this book youwill need twolaptopswithbuiltinWi-Ficards,aUSBwirelessWi-Fiadapter,KaliLinuxandsomeotherhardwareandsoftware.WehavedetailedthisinChapter1,WirelessLabSetup.

As an alternate to the two laptops, you could also create a Virtual MachinehousingKaliLinuxandconnectthecardtoitovertheUSBinterface.Thiswillhelpyougetstartedwithusingthisbookmuchfaster,butwewouldrecommendadedicatedmachinerunningKaliLinuxforactualassessmentsinthefield.

From a prerequisite perspective, readers should be aware of the basics ofwirelessnetworks.Thisincludeshavingpriorknowledgeaboutthebasicsofthe802.11protocolandclient-accesspointcommunication.Thoughwewillbrieflytouchupon someof thiswhenwe setup the lab, it is expected that theuser isalreadyawareoftheseconcepts.

WhothisbookisforThoughthisbookisaBeginner'sseries,itismeantforalllevelsofusers,fromamateurs right through to wireless security experts. There is something foreveryone.Thebookstartswithsimpleattacksbutthenmovesontoexplainthemorecomplicatedones,andfinallydiscussesbleedingedgeattacksandresearch.As all attacks are explained using practical demonstrations, it is very easy forreadersatalllevelstoquicklytrytheattackoutbythemselves.Pleasenotethateven though the book highlights the different attacks, which can be launchedagainstawirelessnetwork, therealpurpose is toeducate theuser tobecomeawirelesspenetrationtester.Anadeptpenetrationtesterwouldunderstandalltheattacksoutthereandwouldbeabletodemonstratethemwithease,ifrequestedbyhisclient.

ConventionsIn thisbook,youwill findanumberof stylesof text thatdistinguishbetweendifferentkindsof information.Herearesomeexamplesof thesestyles,andanexplanationoftheirmeaning.

Code words in text, database table names, folder names, filenames, fileextensions,pathnames,dummyURLs,userinput,andTwitterhandlesareshownasfollows:"Openaconsoleterminalandtypeiniwconfig."

Anycommand-lineinputoroutputiswrittenasfollows:

airodump-ng –bssid 00:21:91:D2:8E:25 --channel 11 --write

WEPCrackingDemomon0

Newtermsandimportantwordsareshowninbold.Words thatyouseeonthescreen,inmenusordialogboxesforexample,appearinthetextlikethis:"BootthelaptopwiththisDVDandselecttheoptionInstallfromtheBootmenu."

Note

Warningsorimportantnotesappearinaboxlikethis.

Tip

Tipsandtricksappearlikethis.

ReaderfeedbackFeedback from our readers is always welcome. Let us know what you thinkabout this book—what you liked or may have disliked. Reader feedback isimportantforustodeveloptitlesthatyoureallygetthemostoutof.

To send us general feedback, simply send an e-mail to<feedback@packtpub.com>, andmention the book title via the subject of yourmessage.

If there is a topic that you have expertise in and you are interested in eitherwriting or contributing to a book, see our author guide onwww.packtpub.com/authors.

CustomersupportNowthatyouaretheproudownerofaPacktbook,wehaveanumberofthingstohelpyoutogetthemostfromyourpurchase.

Errata

Although we have taken every care to ensure the accuracy of our content,mistakesdohappen.Ifyoufindamistakeinoneofourbooks—maybeamistakeinthetextorthecode—wewouldbegratefulifyouwouldreportthistous.Bydoing so, you can save other readers from frustration and help us improvesubsequentversionsof thisbook. Ifyoufindanyerrata,please report thembyvisiting http://www.packtpub.com/submit-errata, selecting your book, clickingontheerratasubmissionformlink,andenteringthedetailsofyourerrata.Onceyourerrataareverified,yoursubmissionwillbeacceptedandtheerratawillbeuploadedonourwebsite,oraddedtoanylistofexistingerrata,undertheErratasection of that title. Any existing errata can be viewed by selecting your titlefromhttp://www.packtpub.com/support.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across allmedia. At Packt, we take the protection of our copyright and licenses veryseriously.Ifyoucomeacrossanyillegalcopiesofourworks,inanyform,ontheInternet, please provide us with the location address or website nameimmediatelysothatwecanpursuearemedy.

Please contact us at <copyright@packtpub.com> with a link to the suspectedpiratedmaterial.

Weappreciateyourhelpinprotectingourauthors,andourabilitytobringyouvaluablecontent.

Questions

Youcancontactusat<questions@packtpub.com>ifyouarehavingaproblemwithanyaspectofthebook,andwewilldoourbesttoaddressit.

Chapter1.WirelessLabSetup

"IfIhadeighthourstochopdownatree,I'dspendsixhourssharpeningmyaxe." --AbrahamLincoln,16thUSPresident

Behindeverysuccessfulexecutionishoursordaysofpreparation,andwirelesspenetrationtestingisnoexception.Inthischapter,wewillcreateawirelesslabthat we will use for our experiments in this book. Consider this lab as yourpreparationarenabeforeyoudiveintoreal-worldpenetrationtesting!

Wirelesspenetrationtestingisapracticalsubject,anditisimportanttofirstsetupalabwherewecantryoutallthedifferentexperimentsinthisbookinasafeandcontrolledenvironment.It is important thatyousetupthis labfirstbeforemovingoninthisbook.

Inthischapter,wewilltakealookatthefollowing:

HardwareandsoftwarerequirementsInstallingKaliSettingupanaccesspointandconfiguringitInstallingthewirelesscardTestingconnectivitybetweenthelaptopandtheaccesspoint

Soletthegamesbegin!

HardwarerequirementsWewillneedthefollowinghardwaretosetupthewirelesslab:

Two laptopswith internalWi-Ficards:Wewilluseoneof the laptopsasthevictiminourlabandtheotherasthepenetrationtester'slaptop.Thoughalmostanylaptopwouldfitthisprofile,laptopswithatleast3GBRAMaredesirable. This is becausewemay be running a lot ofmemory-intensive

softwareinourexperiments.Onewireless adapter (optional): Depending on the wireless card of yourlaptop,wemayneed aUSBWi-Fi card that can support packet injectionandpacketsniffing,whichissupportedbyKali.Thebestchoiceseemstobe theAlfaAWUS036H card fromAlfaNetworks, asKali supports thisout-of-the-box.Thisisavailableonwww.amazon.comforaretailpriceof£18 at the time of writing. An alternative option is the Edimax EW-7711UAN,whichissmallerand,marginally,cheaper.One access point: Any access point that supports WEP/WPA/WPA2encryption standards would fit the bill. I will be using a TP-LINK TL-WR841NWireless router for thepurposeof illustration in thisbook.Youcan purchase it fromAmazon.com for a retail price of around £20 at thetimeofwriting.AnInternetconnection:Thiswillcome inhandyforperformingresearch,downloadingsoftware,andforsomeofourexperiments.

SoftwarerequirementsWewillneedthefollowingsoftwaretosetupthewirelesslab:

Kali:Thissoftwarecanbedownloadedfromtheofficialwebsitelocatedathttp://www.kali.org.Thesoftwareisopensource,andyoushouldbeabletodownloaditdirectlyfromthewebsite.WindowsXP/Vista/7:Youwill need any one ofWindowsXP,WindowsVista, orWindows 7 installed on one of the laptops. This laptopwill beusedasthevictimmachinefortherestofthebook.

Note

Itisimportanttonotethat,eventhoughweareusingaWindows-basedOSfor our tests, the techniques learnt can be applied to any Wi-Fi-capabledevicessuchassmartphonesandtablets,amongothers.

InstallingKaliLet'snowquicklytakealookathowtogetup-and-runningwithKali.

Kali will be installed on the laptop that will serve as the penetration tester'smachinefortherestofthebook.

Timeforaction–installingKaliKaliisrelativelysimpletoinstall.WewillrunKalibybootingitasaLiveDVDandtheninstallitontheharddrive.

Performthefollowinginstructionsstepbystep:

Burn theKali ISO (weareusing theKali 32-bit ISO)youdownloadedonto abootableDVD.

1. BootthelaptopwiththisDVDandselecttheoptionInstallfromtheBootmenu:

2. Ifbootingwassuccessful,thenyoushouldseeanawesomeretroscreenasfollows:

3. This installer issimilar totheGUI-basedinstallersofmostLinuxsystemsand should be simple to follow. Select the appropriate options in everyscreen and start the installation process. Once the installation is done,restartthemachineaspromptedandremovetheDVD.

4. Once themachine restarts, a login screen will be displayed. Type in thelogin as root and the password as whatever you set it to during theinstallationprocess.YoushouldnowbeloggedintoyourinstalledversionofKali.Congratulations!

Iwillchangethedesktopthemeandsomesettingsforthisbook.Feelfreetouseyourownthemesandcolorsettings!

Whatjusthappened?

WehavesuccessfullyinstalledKalionthelaptop!Wewillusethislaptopasthepenetrationtester'slaptopforallotherexperimentsinthisbook.

Haveagohero–installingKalionVirtualBox

WecanalsoinstallKaliwithinvirtualizationsoftwaresuchasVirtualBox.Ifyoudon't want to dedicate a full laptop to Kali, this is the best option. Kali'sinstallationprocessinVirtualBoxisexactlythesame.Theonlydifferenceisthepre-setup,whichyouwillhavetocreateinVirtualBox.Haveagoatit!YoucandownloadVirtualBoxfromhttp://www.virtualbox.org.

Oneof theotherwaysinwhichwecaninstallanduseKali isviaUSBdrives.ThisisparticularlyusefulifyoudonotwanttoinstallontheharddrivebutstillwanttostorepersistentdataonyourKaliinstance,suchasscriptsandnewtools.Weencourageyoutotrythisoutaswell!

SettinguptheaccesspointNowwewillsetuptheaccesspoint.Asmentionedearlier,wewillbeusingtheTP-LINK TL-WR841NWireless Router for all the experiments in this book.However, feel free to use any other access point. The basic principles ofoperationandusageremainthesame.

Timeforaction–configuringtheaccesspointLet'sbegin!WewillsettheaccesspointuptouseOpenAuthenticationwithanSSIDofWirelessLab.

Followtheseinstructionsstepbystep:

1. PowerontheaccesspointanduseanEthernetcabletoconnectyourlaptoptooneoftheaccesspoint'sEthernetports.

2. Enter the IP address of the access point configuration terminal in yourbrowser.FortheTP-Link,itisbydefault192.168.1.1.Youshouldconsultyouraccesspoint'ssetupguidetofinditsIPaddress.Ifyoudonothavethemanuals for theaccesspoint,youcanalso find the IPaddressby runningthe route –n command. The gateway IP address is typically the accesspoint's IP.Onceyouareconnected,you should seeaconfigurationportalthatlookslikethis:

3. Explore the various settings in the portal after logging in and find thesettingsrelatedtoconfiguringanewSSID.

4. ChangetheSSIDtoWirelessLab.Dependingontheaccesspoint,youmayhavetorebootitforthesettingstochange:

5. Similarly, find the settings related to Wireless Security and change thesettingtoDisableSecurity.DisableSecurityindicatesthatitisusingOpenAuthenticationmode.

6. Save the changes to the access point and reboot it if required.Nowyouraccesspointshouldbeup-and-runningwithanSSIDWirelessLab.

An easy way to verify this is to use the Wireless Configuration utility onWindows and observe the available networks using theWindows laptop.YoushouldfindWirelessLabasoneofthenetworksinthelisting:

Whatjusthappened?

Wehave successfully setupour accesspointwith anSSIDWirelessLab. It isbroadcastingitspresenceandthisisbeingpickedupbyourWindowslaptopandotherswithintheRadioFrequency(RF)rangeoftheaccesspoint.

ItisimportanttonotethatweconfiguredouraccesspointinOpenmode,whichistheleastsecure.ItisadvisablenottoconnectthisaccesspointtotheInternetforthetimebeing,asanyonewithintheRFrangewillbeabletouseittoaccesstheInternet.

Have a go hero – configuring the access point to useWEPandWPA

Playaroundwiththeconfigurationoptionsofyouraccesspoint.Trytogetitup-and-runningusingencryptionschemessuchasWEPandWPA/WPA2.Wewillusethesemodesinlaterchapterstoillustrateattacksagainstthem.

SettingupthewirelesscardSetting up our wireless adapter is much easier than the access point. Theadvantage is that Kali supports this card out-of-the-box and ships with allrequisitedevicedriverstoenablepacketinjectionandpacketsniffing.

Timeforaction–configuringyourwirelesscardWewillbeusingthewirelessadapterwiththepenetrationtester'slaptop.

Pleasefollowtheseinstructionsstep-by-steptosetupyourcard:

1. PluginthecardtooneoftheKalilaptop'sUSBportsandbootit.

Once you log in, open a console terminal and type in iwconfig. Yourscreenshouldlookasfollows:

As you can see, wlan0 is the wireless interface created for the wirelessadapter.Type inifconfigwlan0 tobring the interfaceup.Then, type inifconfigwlan0toseethecurrentstateoftheinterface:

2. The MAC address 00:c0:ca:3e:bd:93 should match the MAC addresswritten under your Alfa card. I am using the Edimax that gives me thepreceding MAC address 80:1f:02:8f:34:d5. This is a quick check to

ensurethatyouhaveenabledthecorrectinterface.

Whatjusthappened?

KalishipswithalltherequireddriversfortheAlfaandEdimaxadaptersoutofthe box.As soon as themachine booted, the adapterwas recognized andwasassigned the network interface wlan0. Now our wireless adapter is up andfunctional!

ConnectingtotheaccesspointNowwewilltakealookathowtoconnecttotheaccesspointusingthewirelessadapter. Our access point has an SSID Wireless Lab and does not use anyauthentication.

Timeforaction–configuringyourwirelesscardHerewego!Followthesestepstoconnectyourwirelesscardtotheaccesspoint:

1. Let's first see what wireless networks our adapter is currently detecting.Issue the command iwlist wlan0 scanning and you will find a list ofnetworksinyourvicinity:

KeepscrollingdownandyoushouldfindtheWirelessLabnetworkinthislist.Inmysetup,itisdetectedasCell05;itmaybedifferentinyours.TheESSIDfieldcontainsthenetworkname.

2. Asmultiple access points can have the same SSID, verify that theMACaddress mentioned in the preceding Address field matches your accesspoint'sMAC.A fast andeasyway toget theMACaddress isunderneaththeaccesspointorusingweb-basedGUIsettings.

3. Now, issue the iwconfig wlan0 essid "Wireless Lab" command andthen iwconfig wlan0 to check the status. If you have successfully

connected to the access point, you should see the MAC address of theaccesspointintheAccessPoint:fieldintheoutputofiwconfig.

4. We know that the access point has a management interface IP address192.168.0.1 from itsmanual.Alternately, this is the same as the defaultrouter IP address whenwe run the route –n command. Let's set our IPaddress in the same subnet by issuing theifconfigwlan0192.168.0.2netmask255.255.255.0upcommand.Verifythecommandsucceededbytypingifconfigwlan0andcheckingtheoutput.

5. Now let's ping the access point by issuing the ping 192.168.0.1

command. If the network connection has been set up properly, then youshouldseetheresponsesfromtheaccesspoint.Youcanadditionallyissueanarp–acommandtoverifythattheresponseiscomingfromtheaccesspoint.Youshouldseethat theMACaddressof theIP192.168.0.1 is theaccess point'sMAC addresswe noted earlier. It is important to note thatsome of the more recent access points might have responses to InternetControlMessage Protocol (ICMP) echo request packets disabled. This istypically done to make the access point secure out-of-the-box with onlyminimal configuration settings available. In such a case, you can try tolaunchabrowserandaccessthewebinterfacetoverifythattheconnectionisup-and-running:

On the access point, we can verify connectivity by looking at theconnectionlogs.Asyoucanseeinthefollowinglog,theMACaddressofthe wireless card 4C:0F:6E:70:BD:CB has been logged making DHCPrequestsfromtherouter:

Whatjusthappened?

WejustconnectedtoouraccesspointsuccessfullyfromKaliusingourwirelessadapterasthewirelessdevice.Wealsolearnthowtoverifythataconnectionhasbeenestablishedatboththewirelessclientandtheaccesspointside.

Have a go hero – establishing a connection in a WEPconfiguration

Here is a challenging exercise for you—set up the access point in a WEPconfiguration. For each of these, try establishing a connectionwith the accesspoint using the wireless adapter. Hint: check the manual for the iwconfigcommandbytypingmaniwconfigtoseehowtoconfigurethecardtoconnecttoWEP.

Popquiz–understandingthebasics

Q1.Afterissuingthecommandifconfigwlan0,howdoyouverifythewirelesscardisupandfunctional?

Q2.CanwerunallourexperimentsusingtheKali liveCDalone?Canwenot

installtheCDtotheharddrive?

Q3.Whatdoesthecommandarp–ashow?

Q4.WhichtoolshouldweuseinKalitoconnecttoWPA/WPA2networks?

SummaryThischapterprovidedyouwithdetailedinstructionsonhowtosetupyourownwirelesslab.Also,intheprocess,youlearnedthebasicstepsfor:

Installing Kali on your hard drive and exploring other options such asVirtualMachinesandUSBsConfiguringyouraccesspointoverthewebinterfaceUnderstanding and using several commands to configure and use yourwirelesscardVerifying the connection state between thewireless client and the accesspoint

Itisimportantthatyougainconfidenceinconfiguringthesystem.Ifyouaren'tconfident, it is advisable that you repeat the preceding examples a couple oftimes.Inlaterchapters,wewilldesignmorecomplicatedscenarios.

In the next chapter, we will learn about inherent design-based insecurities inWLANs design. We will use the network analyzer tool, Wireshark, tounderstandtheseconceptsinapracticalway.

Chapter2.WLANanditsInherentInsecurities

"Theloftierthebuilding,thedeeperthefoundationmustbelaid." --ThomasKempis

Nothing great can be built on aweak foundation, and in our context, nothingsecurecanbebuiltonsomethingthatisinherentlyinsecure.

WLANs,bydesign,havecertain insecurities thatarerelativelyeasy toexploit,forexample,bypacketspoofing,packet injection,andsniffing(thiscouldevenhappenfromfaraway).Wewillexploretheseflawsinthischapter.

Inthischapter,weshalllookatthefollowing:

RevisitingWLANframesDifferentframetypesandsubtypesUsingWiresharktosniffmanagement,control,anddataframesSniffingdatapacketsforagivenwirelessnetworkInjectingpacketsintoagivenwirelessnetwork

Let'sgetstarted!

RevisitingWLANframesAsthisbookdealswiththesecurityaspectsofwireless,wewillassumethatyoualreadyhaveabasicunderstandingoftheprotocolandthepacketheaders.Ifnot,or if it's been some time since youworked onwireless, thiswould be a goodtimetorevisitthistopicagain.

Let'snowquicklyreviewsomebasicconceptsofWLANsthatmostofyoumayalreadybeawareof.InWLANs,communicationhappensoverframes.Aframewouldhavethefollowingheaderstructure:

TheFrameControlfielditselfhasamorecomplexstructure:

TheTypefielddefinesthreetypesofWLANframe:

1. Management frames:Management frames are responsible formaintainingcommunication between access points and wireless clients. Managementframescanhavethefollowingsubtypes:

AuthenticationDeauthenticationAssociationrequestAssociationresponseReassociationrequestReassociationresponseDisassociation

BeaconProberequestProberesponse

2. Control frames: Control frames are responsible for ensuring a properexchangeofdatabetweenaccesspointsandwirelessclients.Controlframescanhavethefollowingsubtypes:

RequesttoSend(RTS)CleartoSend(CTS)Acknowledgement(ACK)

3. Dataframes:Dataframescarrytheactualdatathat issentonthewirelessnetwork.Therearenosubtypesfordataframes.

We will discuss the security implications of each of these frames when wediscussdifferentattacksinlaterchapters.

Wewill now look at how to sniff these frames over awireless network usingWireshark.Thereareothertools—suchasAirodump-NG,Tcpdump,orTshark—thatyoucanuseforsniffingaswell.Wewill,however,mostlyuseWiresharkinthisbook,butweencourageyoutoexploreothertoolsaswell.Thefirststeptodothisistocreateamonitormodeinterface.Thiswillcreateaninterfaceforouradapter,whichallowsustoreadallwirelessframesintheair,regardlessofwhether they are destined for us or not. In the wiredworld, this is popularlycalledpromiscousmode.

Timeforaction–creatingamonitormodeinterfaceLet'snowsetourwirelessadapterintomonitormode.

Followtheseinstructionstogetstarted:

1. BootKaliwithyour adapter connected.Onceyouarewithin the console,enteriwconfig toconfirmthatyourcardhasbeendetectedandthedriverhasbeenloadedproperly.

2. Usetheifconfigwlan1upcommandtobringthecardup(wherewlan1isyouradapter).Verifywhether thecard isupbyrunningifconfigwlan1.YoushouldseethewordUPinthesecondlineoftheoutputasshowninthefollowingscreenshot:

3. Toputourcardintomonitormode,wewillusetheairmon-ngutilitythatisavailable by default on Kali. First run airmon-ng command to verifywhether itdetects theavailablecards.Youshould see thewlan0 interfacelistedintheoutput:

4. Now enter airmon-ng start wlan1 command to create amonitormode

interface corresponding to the wlan0 device. This new monitor modeinterface will be named mon0. (You can verify if it has been created byrunningairmon-ngwithoutargumentsagain).

5. Also, running ifconfig mon0 should now display a new interface calledmon0.

Whatjusthappened?

We have successfully created a monitor mode interface called mon0. Thisinterfacewillbeusedtosniffwirelesspacketsofftheair.Thisinterfacehasbeencreatedforourwirelessadapter.

Have a go hero – creating multiple monitor modeinterfaces

Itispossibletocreatemultiplemonitormodeinterfacesusingthesamephysicalcard.Usetheairmon-ngutilitytoseehowyoucandothis.

Awesome!Wehaveamonitormodeinterfacejustwaitingtoreadsomepacketsofftheair.Solet'sgetstarted.

Inthenextexercise,wewilluseWiresharktosniffpacketsofftheairusingthemon0monitormodeinterfacewejustcreated.

Timeforaction–sniffingwirelesspacketsFollowthefollowinginstructionstobeginsniffingpackets:

1. PoweruptheAccessPointWirelessLabthatweconfiguredinChapter1,WirelessLabSetup.

2. StartWiresharkbytypingWireshark& intheconsole.OnceWiresharkisrunning,navigatetoCapture|Interfaces.

3. Selectpacketcapturefromthemon0interfacebyclickingontheStartbuttonto the right of the mon0 interface as shown in the previous screenshot.Wiresharkwillbegin thecapture, andnowyoushould seepacketswithin

theWiresharkwindow.

4. Thesearewirelesspacketsthatyourwirelessadapterissniffingofftheair.In order to view any packet, select it in the top window and the entirepacketwillbedisplayedinthemiddlewindow.

Clickon the triangle in frontof IEEE802.11WirelessLANmanagementframetoexpandandviewadditionalinformation.

Look at the different header fields in the packet and correlate them with theWLANframetypesandsub-typesyouhavelearnedearlier.

Whatjusthappened?

We just sniffed out first set of packets off the air! We launched Wireshark,whichusedthemonitormodeinterfacemon0wecreatedpreviously.Youshouldnotice,by lookingatWireshark's footer region, thespeedatwhich thepacketsarebeingcapturedandalsothenumberofpacketscapturedtillnow.

Haveagohero–findingdifferentdevices

Wiresharktracescanbeabitdauntingattimes;evenforareasonablypopulatedwirelessnetwork,youcouldendupsniffingafewthousandpackets.Hence,itisimportanttobeabletodrilldowntothosepacketsthatinterestus.ThiscanbeaccomplishedusingfiltersinWireshark.Explorehowyoucanusethesefilterstoidentifyuniquewirelessdevices in the traces–both accesspoints andwirelessclients.

Ifyouareunabletodothis,don'tworryasthisisthenextthingwewilllearn.

Timeforaction–viewingmanagement,control,anddataframesNowwewill learn how to apply filters inWireshark to look atManagement,ControlandDataFrames.

Pleasefollowthebelowinstructionsstepbystep:

1. ToviewalltheManagementframesinthepacketsbeingcaptured,enterthefilterwlan.fc.type==0intothefilterwindowandclickApply.Youcanstop the packet capture if youwant to prevent the packets from scrollingdowntoofast.

2. ToviewControlFrames,modify thefilterexpressiontoreadwlan.fc.type==1.

3. Toviewdataframes,modifythefilterexpressiontowlan.fc.type==2.

4. To additionally select a sub-type, use the wlan.fc.subtype filter. Forexample,toviewalltheBeaconframesamongallManagementframes,usethefollowingfilter:

(wlan.fc.type==0)&&(wlan.fc.subtype==8).

5. Alternately, you can right-click on anyof the header fields in themiddlewindowandthenselectApplyasFilter|Selectedtoadditasafilter.

6. This will automatically add the correct filter expression for you in theFilterfield.

Whatjusthappened?

We just learned how to filter packets in Wireshark using various filterexpressions. This helps us monitor selected packets from devices we areinterestedin,insteadoftryingtoanalyzeallthepacketsintheair.

Also, we can see that the packet headers of Management, Control and Dataframesareinplaintextandarenotencrypted.Anyonewhocansniffthepacketscanread theseheaders. It isalso important tonote that it isalsopossibleforahacker to modify any of these packets and re-transmit them. As there is no

integrityorreplayattackmitigationintheprotocol,thisisveryeasytodo.Wewilllookatsomeoftheseattacksinlaterchapters.

Haveagohero–playingwithfilters

You can consult Wireshark's manual to know more about available filterexpressions and how to use them. Try playing around with various filtercombinationstillyouareconfidentthatyoucandrilldowntoanylevelofdetail,eveninaverylargepackettrace.

In the next exercise, we will look at how to sniff data packets transferredbetweenouraccesspointandwirelessclient.

Time for action – sniffing data packets for ournetworkIn this exercise, we will learn how to sniff data packets for a given wirelessnetwork. For the sake of simplicity, we will look at packets without anyencryption.

Followtheseinstructionstogetstarted:

1. Switch on the access point we named Wireless Lab. Let it remainconfiguredtousenoencryption.

2. Wewill first need to find the channel onwhich theWireless Lab accesspointisrunning.Todothis,openaterminalandrunairodump-ng--bssid<mac>mon0where<mac>,whichistheMACaddressofouraccesspoint.Lettheprogramrun,andshortlyyoushouldseeyouraccesspointshownonthescreenalongwiththechannelitisrunningon.

3. We can see from the preceding screenshot that our access pointWirelessLab is running on Channel 11. Note that this may be different for youraccesspoint.

Inorder to sniff datapackets going to and fro from this accesspoint,weneedtolockourwirelesscardonthesamechannel,thatischannel11.Todo this, run the iwconfig mon0 channel 11 command and then runiwconfig mon0 to verify it. You should see the Frequency: 2.462 GHzvalueintheoutput.ThiscorrespondstoChannel11.

4. Now fire up Wireshark and start sniffing on the mon0 interface. AfterWiresharkhasstartedsniffingthepackets,applyafilterforthebssidofouraccesspointasshownbelowusingwlan.bssid==<mac>inthefilterarea.UsetheappropriateMACaddressforyouraccesspoint.

5. Inorder tosee thedatapackets forouraccesspoint,add the following tothefilter(wlan.bssid==<mac>)&&(wlan.fc.type_subtype==0x20).Open your browser on the client laptop and type in the managementinterface the URL of the access point. In my case, as we have seen inChapter 1, Wireless Lab Setup, it is http://192.168.0.1. This willgeneratedatapacketsthatWiresharkwillcapture.

6. Packetsniffingallowsus toanalyzeunencrypteddatapacketsveryeasily.Thisisthereasonwhyweneedtouseencryptioninwireless.

Whatjusthappened?

We have just sniffed data packets over the air withWireshark using variousfilters.Asouraccesspointisnotusinganyencryption,weareabletoseeallthedatainplaintext.ThisisamajorsecurityissueasanyonewithinRFrangeoftheaccesspointcanseeallthepacketsifheusesasniffersuchasWireshark.

Haveagohero–analyzingdatapackets

Use Wireshark to analyze the data packets further. You would notice that aDHCP request is made by the client and, if a DHCP server is available, itrespondswithanaddress.ThenyouwouldfindARPpacketsandotherprotocolpacketsontheair.Thisisaniceandsimplewaytodopassivehostdiscoveryonthe wireless network. It is important to be able to see a packet trace andreconstruct how applications on thewireless host are communicatingwith therest of the network. One of the interesting featuresWireshark provides is theability to follow a stream. This allows you to viewmultiple packets together,thatarepartofaTCPexchange,inthesameconnection.

Also,tryloggingintowww.gmail.comoranyotherpopularwebsiteandanalyzethedatatrafficgenerated.

We will now see a demonstration of how to inject packets into a wirelessnetwork.

Timeforaction–packetinjectionWe will be using the aireplay-ng tool, which is available in Kali, for thisexercise.

Followtheinstructionsbelowcarefully:

1. Inordertodoaninjectiontest,firststartWiresharkandthefilterexpression(wlan.bssid == <mac>) && !(wlan.fc.type_subtype == 0x08). Thiswillensurethatweonlyseenon-beaconpacketsforourlabnetwork.

2. Now run the following command aireplay-ng -9 -e Wireless Lab -a<mac>mon0onaterminal.

3. Go back toWireshark and you should see a lot of packets on the screennow. Some of these packets have been sent by aireplay-ng, which welaunched,andothersarefromtheaccesspointWirelessLabinresponsetotheinjectedpackets.

Whatjusthappened?

Wejustsuccessfullyinjectedpacketsintoourtestlabnetworkusingaireplay-ng.It is important to note that our card injected these arbitrary packets into thenetworkwithoutbeingactuallyconnectedtotheaccesspointWirelessLab.

Haveagohero–installingKalionVirtualBox

Wewilllookatpacketinjectioningreaterdetailinlaterchapters;however,feelfreetoexploreotheroptionsoftheAireplay-ngtooltoinjectpackets.YoucanverifywhetherinjectionsucceededbyusingWiresharktomonitortheair.

ImportantnoteonWLANsniffingandinjectionWLANs typicallyoperatewithin threedifferent frequency ranges– :2.4GHz,3.6 GHz and 4.9/5.0 GHz. Not all Wi-Fi cards support all these ranges andassociatedbands.Forinstance,,anAlfacardonlysupportsIEEE802.11b/g.Thiswouldmeanthatthiscardcannotoperatein802.11a/n.Thekeyhereistosnifforinjectpacketsinaparticularband;yourWi-Ficardwillneedtosupportit.

Another interesting aspect ofWi-Fi is that, in each of these bands, there aremultiplechannels.ItisimportanttonotethatyourWi-Ficardcanonlybeononechannelatanygivenmoment.Itisnotpossibletotuneintomultiplechannelsatthesametime.ThebestanalogyIcangiveyouisyourcarradio.Youcantuneittoonlyoneof theavailablechannelsatanygiven time.Ifyouwant tohear tosomethingelse,youwillhavetochangethechannel.ThesameprincipleappliestoWLANSniffing.Thisbringsustoanimportantconclusion—wecannotsniffallchannelsatthesametime;wewillneedtoselectthechannelthatisofinteresttous.Whatthismeansisthat,ifouraccesspointofinterestisonchannel1,wewillneedtosetourcardonchannel1.

ThoughwehaveaddressedWLANsniffing in theaboveparagraphs, the sameappliestoinjectionaswell.Toinjectpacketsonaspecificchannel,wewillneedtoputthecardradioonthatchannel.

Let's nowdo some exercises on setting our card to specific channels, channelhopping,settingregulatorydomains,powerlevelsetc.

Timeforaction–experimentingwithyouradapterFollowtheinstructionsbelowcarefully:

1. Entertheiwconfigwlan0commandtocheckthecapabilitiesofyourcard.Asyoucanseeinthefigurebelow,myadaptercanoperateintheb,g,andnbands.

2. Tosetthecardonaparticularchannel,weusetheiwconfigmon0channelXcommands.

3. Theiwconfigseriesofcommandsdoesnothaveachannelhoppingmode.Onecouldwriteasimplescriptoverittomakeitdoso.AneasierwayistouseAirodump-NGwithoptionstoeitherhopchannelsarbitrarily,useonlyasubset,oruseonlyselectedbands.Alltheseoptionsareillustratedinthescreenshotbelowwhenwerunairodump-ng--help:

Whatjusthappened?

Weunderstood that bothwireless sniffing and packet injection depend on thehardwaresupportavailable.Thismeansthatwecanonlyoperateonbandsandchannelsallowedbyourcard.Also,thewirelesscardradiocanonlybeononechannel at a time. This further means that we can only sniff or inject in onechannelatatime.

Haveagohero–sniffingmultiplechannels

If you need to simultaneously sniff on multiple channels, you will requiremultiple physicalWi-Fi cards. If you canprocure additional cards, then try tosniffonmultiplechannelssimultaneously.

TheroleofregulatorydomainsinwirelessThecomplexitiesofWi-Fidon'tendhere.Everycountryhasitsownunlicensedspectrumallocationpolicy.This specificallydictatesallowedpower levels andallowed users for the spectrum. In theUS, for example, the FCCdecides thisand, if youuseWLANs in theUS,youhave to abideby these regulations. Insomecountries,notdoingthisisapunishableoffense.

Nowlet'slookathowwecanfindthedefaultregulatorysettingsandthenhowtochangethemifrequired.

Timeforaction–experimentingwithyouradapterFollowtheseinstructionscarefully:

1. Rebootyourcomputeranddonotconnectyouradaptertoityet.2. Onceloggedin,monitorthekernelmessagesusingthetailcommand:

Insert the adapter, and you should see something that resembles thefollowingscreenshot.Thisshowsthedefaultregulatorysettingsappliedtoyourcard:

3. Let's assume that you are based in the US. To change your regulatorydomain to the US, we issue the command iw reg set US in a newterminal:

If the command is successful, we get an output such as the one in thefollowing screenshot in the terminal where we monitoring/var/log/messages:

4. Nowtrychangingthecardtochannel11; itwillwork.But,whenyoutrychanging it to channel 12, you get an error. This is because channel 12,cannotbeusedintheUS.

5. Thesameappliesforpowerlevels.TheUSonlyallowsamaximumof27dBm (500 milliwatts); thus even though my adapter has an advertisedpowerof1Watt(30dBm),wecannotsetthecardtothemaximumtransmitpower:

6. However, ifwewere inBolivia, thenwe could transmit at a power of 1Watt as this is allowed there.Aswe can see, oncewe set the regulatorydomain to Bolivia—iw reg set BO—we can change the card power to30DMB or 1 Watt. We can also use channel 12 in Bolivia, which wasdisallowedintheUS:

Whatjusthappened?

Every country has its own regulations for the use of the unlicensed wirelessband.Whenwe set our regulatory domain to a specific country, our cardwillobey the allowed channels and power levels specified. However, it is easy tochange the regulatory domain of the card and force it to work on disallowedchannelsandtotransmitatapowerlevelthatisgreaterthanallowed.

Haveagohero–exploringregulatorydomains

Lookat thevariousparametersyoucanset suchaschannel,power, regulatorydomainsetc.using theiwseriesofcommandsonKali.Thisshouldgiveyouafirm understanding of how to configure your card when you are in variouscountriesandrequiretochangeyourcardsettings.

Popquiz–WLANpacketsniffingandinjection

Q1.WhichframetypesareresponsibleforauthenticationinWLANs?

1. Control2. Management3. Data4. QoS

Q2.Whatisthenameofthesecondmonitormodeinterfacethatcanbecreatedonwlan0usingairmon-ng?

1. Mon02. Mon13. 1Mon4. Monb

Q3.Whatisthefilterexpressiontoviewallnon-beaconframesinWireshark?

1. !(wlan.fc.type_subtype==0x08)2. wlan.fc.type_subtype==0x083. (nobeacon)4. Wlan.fc.type==0x08

SummaryInthischapter,wehavemadesomekeyobservationsaboutWLANprotocols.

Management,Control andData framesareunencryptedand thuscanbeeasilyreadbysomeonewhoismonitoringtheairspace.Itisimportanttonoteherethatthedatapacketpayloadcanbeprotectedusingencryptiontokeepitconfidential.Wewilltalkaboutthisinthenextchapter.

Wecansnifftheentireairspaceinourvicinitybyputtingourcardintomonitormode.

AsthereisnointegrityprotectioninManagementandControlframes,itisveryeasy to inject these packets bymodifying them or replaying them as-is usingtoolssuchasaireplay-ng.

Unencrypted data packets can also be modified and replayed back to thenetwork. If the packet is encrypted, we can still replay the packet as-is, asWLANbydesigndoesnothavepacketreplayprotection.

Inthenextchapter,wewilllookatdifferentauthenticationmechanismsthatareused in WLANs such as MAC filtering and shared Authentication etc. andunderstandthevarioussecurityflawsinthemthroughlivedemonstrations.

Chapter3.BypassingWLANAuthentication

"Afalsesenseofsecurityisworsethanbeingunsure." --Anonymous

A false sense of security is worse than being insecure, as you may not bepreparedtofacetheeventualityofbeinghacked.

WLANs can haveweak authentication schemas that can be easily broken andbypassed.Inthischapter,wewilltakealookatthevariousbasicauthenticationschemasusedinWLANsandlearnhowtobeatthem.

Inthischapter,wewilltakealookatthefollowingtopics:

UncoveringhiddenSSIDsBeatingMACfiltersBypassingOpenAuthenticationBypassingSharedKeyAuthentication

HiddenSSIDsIn the default configuration mode, all access points send out their SSIDs inBeacon frames. This allows clients in the vicinity to discover them easily.HiddenSSIDs is aconfigurationwhere theaccesspointdoesnotbroadcast itsSSID in Beacon frames. Thus, only clients that know the SSID of the accesspointcanconnecttoit.

Unfortunately,thismeasuredoesnotproviderobustsecurity,butmostnetworkadministrators thinkitdoes.HiddenSSIDsshouldnotbeconsideredasecuritymeasurebyanystretchof the imagination.Wewillnowtakea lookathowtouncoverhiddenSSIDs.

Timeforaction–uncoveringhiddenSSIDsPerformthefollowinginstructionstogetstarted:

1. Using Wireshark, if we monitor Beacon frames in the Wireless Labnetwork,weareabletoseetheSSIDinplaintext.YoushouldseeBeaconframes,asshowninthefollowingscreenshot:

2. Configure your access point to set theWirelessLab network as a hiddenSSID.Theconfigurationoptiontodothismaydifferacrossaccesspoints.Inmycase, I need to check theInvisible option in theVisibilityStatusoption,asshowninthefollowingscreenshot:

3. NowifyoutakealookattheWiresharktrace,youwillfindthattheSSIDWirelessLabhasdisappearedfromtheBeaconframes.ThisiswhathiddenSSIDsareallabout:

4. InordertobypassBeaconframes,wewillfirstusethepassivetechniqueofwaiting for a legitimate client to connect the access point. This willgenerate probe request and probe response packets that will contain theSSIDofthenetwork,thusrevealingitspresence:

5. Alternately, you can use theaireplay-ng utility to send deauthenticationpacketstoallstationsonbehalfoftheWirelessLabaccesspointbytypingaireplay-ng-05-a<mac>--ignore-negativemon0,where<mac> isthe MAC address of the router. The -0 option is used to choose adeauthenticationattack,and5isthenumberofdeauthenticationpacketstosend. Finally, -a specifies theMAC address of the access point you aretargeting:

6. The preceding deauthentication packetswill force all legitimate clients todisconnect and reconnect. It would be a good idea to add a filter fordeauthenticationpacketstoviewtheminanisolatedway:

7. TheproberesponsesfromtheaccesspointwillenduprevealingitshiddenSSID.ThesepacketswillshowuponWiresharkasshownnext.Oncethelegitimateclientsconnectback,wecanseethehiddenSSIDusingtheproberequest andprobe response frames.You canuse the filter (wlan.bssid==00:21:91:d2:8e:25) && !(wlan.fc.type_subtype == 0x08) to monitor allnon-Beaconpacketstoandfrofromtheaccesspoint.The&&signstands

for the logical AND operator and the ! sign stands for the logical NOToperator:

Whatjusthappened?

Even though the SSID is hidden and not broadcasted, whenever a legitimateclienttriestoconnecttotheaccesspoint,theyexchangeproberequestandproberesponsepackets.ThesepacketscontaintheSSIDoftheaccesspoint.Asthesepacketsarenotencrypted, theycanbeveryeasilysniffed from theairand theSSIDcanbefound.

Wewillcoverusingproberequestsforotherpurposessuchastrackinginalater

chapter.

Inmanycases,allclientsmaybealreadyconnectedtotheaccesspointandtheremay be no probe request/response packets available in the Wireshark trace.Here,we can forcibly disconnect the clients from the access point by sendingforgeddeauthenticationpacketsontheair.Thesepacketswillforcetheclientstoreconnectbacktotheaccesspoint,thusrevealingtheSSID.

Haveagohero–selectingdeauthentication

In the previous exercise, we sent broadcast deauthentication packets to forcereconnectionofallwirelessclients.Trytoverifyhowyoucanselectivelytargetindividualclientsusingtheaireplay-ngutility.

It is important to note that, even though we are illustrating many of theseconcepts usingWireshark, it is possible toorchestrate these attackswithothertools,suchas theaircrack-ngsuiteaswell.Weencourageyoutoexplore theentire aircrack-NG suite of tools and other documentation located on theirwebsiteathttp://www.aircrack-ng.org.

MACfiltersMACfiltersareanage-old techniqueusedforauthenticationandauthorizationandhavetheirrootsinthewiredworld.Unfortunately,theyfailmiserablyinthewirelessworld.

Thebasic idea is toauthenticatebasedon theMACaddressof theclient.TheMACfilterisanidentificationcodeassignedtoanetworkinterface;arouterwillbeabletocheckthiscodeandcompareittoalistofapprovedMACs.ThislistofallowedMAC addresseswill bemaintained by the network administrator andwillbe fed into theaccesspoint.Wewillnowtakea lookathoweasy it is tobypassMACfilters.

Timeforaction–beatingMACfiltersLet'sfollowtheinstructionstogetstarted:

1. Let'sfirstconfigureouraccesspointtouseMACfilteringandthenaddtheclientMACaddressof thevictimlaptop.Thesettingspagesonmyrouterlooksasfollows:

2. OnceMACfilteringisenabled,onlytheallowedMACaddresswillbeabletosuccessfullyauthenticatewiththeaccesspoint.Ifwetrytoconnecttotheaccess point from a machine with a non-whitelisted MAC address, theconnectionwillfail.

3. Behind the scenes, the access point is sending Authentication failuremessagestotheclient.Thepackettraceresemblesthefollowing:

4. In order to beatMAC filters, we can use airodump-ng to find theMACaddressesofclientsconnectedtotheaccesspoint.Wecandothisbyissuingtheairodump-ng-c11-a--bssid<mac>mon0command.Byspecifyingthe bssid command, we will onlymonitor the access point, which is ofinteresttous.The-c11commandsetsthechannelto11wheretheaccesspoint is. The -a command ensures that, in the client section of the

airodump-NG output, only clients associated and connected to an accesspointareshown.ThiswillshowusalltheclientMACaddressesassociatedwiththeaccesspoint:

5. Oncewefindawhitelistedclient'sMACaddress,wecanspoof theMACaddress of the client using the macchanger utility, which ships withBackTrack.Youcanusethemacchanger–m<mac>wlan0commandtogetthisdone.TheMACaddressyouspecifywiththe-mcommandoptionisthenewspoofedMACaddressforthewlan0interface:

6. Asyoucanclearlysee,wearenowabletoconnecttotheaccesspointafterspoofingtheMACaddressofawhitelistedclient.

Whatjusthappened?

We monitored the air using airodump-ng and found the MAC address oflegitimate clients connected to the wireless network. We then used themacchanger utility to change our wireless card's MAC address to match theclient's.This fooled theaccesspoint intobelieving thatwewere the legitimateclient,anditallowedusaccesstoitswirelessnetwork.

Youareencouragedtoexplorethedifferentoptionsoftheairodump-NGutilityby going through the documentation on their website at http://www.aircrack-ng.org/doku.php?id=airodump-ng.

OpenAuthenticationThetermOpenAuthenticationisalmostamisnomer,asitactuallyprovidesnoauthentication at all. When an access point is configured to use OpenAuthentication,itwillsuccessfullyauthenticateallclientsthatconnecttoit.

WewillnowdoanexercisetoauthenticateandconnecttoanaccesspointusingOpenAuthentication.

Timeforaction–bypassingOpenAuthenticationLet'snowtakealookathowtobypassOpenAuthentication:

1. We will first set our lab access point Wireless Lab to use OpenAuthentication.Onmyaccesspoint,thisissimplydonebysettingSecurityModetoDisableSecurity:

2. We then connect to this access point using the iwconfig wlan0 essidWirelessLabcommandandverifythattheconnectionhassucceededandthatweareconnectedtotheaccesspoint.

3. Notethatwedidnothavetosupplyanyusername/password/passphrasetogetthroughOpenAuthentication.

Whatjusthappened?

Thisisprobablythesimplestexercisesofar.Asyousaw,thereisnobarriertoconnecting to an Open Authentication network and connecting to the accesspoint.

SharedKeyAuthenticationShared Key Authentication uses a shared secret such as the WEP key toauthenticate the client. The exact exchange of information is illustrated in thefollowingscreenshot(takenfromwww.netgear.com):

Thewireless client sends an authentication request to the access point, whichrespondsbackwithachallenge.Theclientnowneedstoencryptthischallengewiththesharedkeyandsenditbacktotheaccesspoint,whichdecryptsthistocheckwhetheritcanrecovertheoriginalchallengetext.Ifitsucceeds,theclientsuccessfullyauthenticates;ifnot,itsendsanauthenticationfailedmessage.

The security problem here is that an attacker passively listening to this entirecommunicationbysniffingtheairhasaccesstoboththeplaintextchallengeandthe encrypted challenge. He can apply the XOR operation to retrieve thekeystream.Thiskeystreamcanbeusedtoencryptanyfuturechallengesentby

theaccesspointwithoutneedingtoknowtheactualkey.

Themost common form of shared authentication is known asWEP orWiredEquivalentProtocol. It iseasy tobreak,andnumerous toolshavebeencreatedovertimetofacilitatethecrackingofWEPnetworks.

Inthisexercise,wewill learnhowtosniff theair toretrievethechallengeandtheencryptedchallenge,retrievethekeystream,anduseittoauthenticatetotheaccesspointwithoutneedingthesharedkey.

Timeforaction–bypassingSharedAuthenticationBypassing Shared Authentication is a bit more challenging than the previousexercises,sofollowthestepscarefully:

1. Let's first set up Shared Authentication for ourWireless Lab network. IhavedonethisonmyaccesspointbysettingthesecuritymodeasWEPandAuthenticationasSharedKey:

2. Let'snowconnecta legitimateclient to thisnetworkusing thesharedkeywehavesetinstep1.

3. In order to bypass SharedKeyAuthentication,wewill first start sniffingpacketsbetween theaccesspointand itsclients.However,wewouldalso

liketologtheentiresharedauthenticationexchange.Todothis,weusetheairodump-ngutilityusingtheairodump-ngmon0-c11--bssid<mac>-w keystream command. The -w option, which is new here, requestsAirodump-NGtostorethepacketsinafilewhosenameisprefixedwiththeword keystream. Incidentally, it might be a good idea to store differentsessions of packet captures in different files. This allows you to analyzethemlongafterthetracehasbeencollected:

4. Wecaneitherwaitforalegitimateclienttoconnecttotheaccesspointorforce a reconnect using the deauthentication technique used previously.Once a client connects and the shared key authentication succeeds,airodump-ngwill capture this exchange automatically by sniffing the air.AnindicationthatthecapturehassucceedediswhentheAUTHcolumnreadsWEP.

5. The captured keystream is stored in a file prefixed with the wordskeystreamfileinthecurrentdirectory.Inmycase,thenameofthefileiskeystream-01-00-21-91-D2-8E-25.xor.

6. Inorder tofakeasharedkeyauthentication,wewillusetheaireplay-ngtool.Weruntheaireplay-ng-10-e"WirelessLab"-ykeystream-01-00-21-91-D2-8E-25.xor -a <mac> -h AA:AA:AA:AA:AA:AA mon0

command.Thisaireplay-ngcommandusesthekeystreamweretrievedinstep 5 and tries to authenticatewith the access pointwithSSIDWirelessLab and MAC address 00:21:91:D2:8E:25, and uses an arbitrary clientMACaddressAA:AA:AA:AA:AA:AA.FireupWiresharkandsniffallpacketsofinterestbyapplyingawlan.addr==AA:AA:AA:AA:AA:AAfilter.Wecanverify this using Wireshark. You should see a trace on the Wiresharkscreen,asshowninthefollowingscreenshot:

7. Thefirstpacketistheauthenticationrequestsentbytheaireplay-ng tooltotheaccesspoint:

8. Thesecondpacketconsistsoftheaccesspointsendingtheclientchallengetext,asshowninthefollowingscreenshot:

9. In the third packet, the tool sends the encrypted challenge to the accesspoint:

10. As the aireplay-ng tool used the derived keystream for encryption, theauthenticationsucceedsandtheaccesspointsendsasuccessmessageinthefourthpacket:

11. After the authentication succeeds, the tool fakes an association with theaccesspoint,whichsucceedsaswell:

12. If you check the wireless logs in your access point's administrativeinterface, you should now see a wireless client with the MAC addressAA:AA:AA:AA:AA:AAconnected:

Whatjusthappened?

We were successful in deriving the keystream from a shared authenticationexchange,andweusedittofakeanauthenticationtotheaccesspoint.

Haveagohero–fillinguptheaccesspoint'stables

Access points have a maximum client count after which they start refusingconnections. By writing a simple wrapper over aireplay-ng, it is possible toautomate and send hundreds of connection requests from random MACaddressestotheaccesspoint.Thiswillendupfillingtheinternaltablesandoncethemaximumclientcount is reached, theaccesspointwill stopacceptingnewconnections.ThisistypicallywhatiscalledaDenialofService(DoS)attackandcanforcetheroutertorebootormakeitdysfunctional.Thiscanleadtoall thewireless clients being disconnected and being unable to use the authorizednetwork.

Checkwhetheryoucanverifythisinyourlab!

Popquiz–WLANauthentication

Q1.Howcanyouforceawirelessclienttore-connecttotheaccesspoint?

1. Bysendingadeauthenticationpacket.2. Byrebootingtheclient.3. Byrebootingtheaccesspoint.4. Alloftheabove.

Q2.WhatdoesOpenAuthenticationdo?

1. Itprovidesdecentsecurity.2. Itprovidesnosecurity.3. Itrequirestheuseofencryption.4. Noneoftheabove.

Q3.HowdoesbreakingSharedKeyAuthenticationwork?

1. Byderivingthekeystreamfromthepackets.2. Byderivingtheencryptionkey.3. Bysendingdeauthenticationpacketstotheaccesspoint.4. Byrebootingtheaccesspoint.

SummaryIn this chapter, we learnt about WLAN Authentication. Hidden SSIDs are asecurity-through-obscurity feature and are is relatively simple to beat. MACaddress filters do not provide any security, asMAC addresses can be sniffedfrom the air from the wireless packets. This is possible because the MACaddressesareunencrypted in thepacket.OpenAuthenticationprovidesno realauthenticationatall.SharedKeyAuthenticationisabittrickytobeatbut,withthe help of the right tools, we can derive the store and the keystream, usingwhichitispossibletoanswerallfuturechallengessentbytheaccesspoint.Theresultisthatwecanauthenticatewithoutneedingtoknowtheactualkey.

In the next chapter, we will take a look at different WLAN encryptionmechanisms—WEP,WPA,andWPA2—andlookattheinsecuritiesthatplaguethem.

Chapter4.WLANEncryptionFlaws

"640Kismorememorythananyonewilleverneed." --BillGates,Founder,Microsoft

Evenwiththebestofintentions,thefutureisalwaysunpredictable.TheWLANcommitteedesignedWEPandthenWPAtobefoolproofencryptionmechanismsbut, over time, both these mechanisms had flaws that have been widelypublicizedandexploitedintherealworld.

WLANencryptionmechanisms have hada long history of being vulnerable tocryptographicattacks.ItstartedwithWEPinearly2000,whicheventuallywascompletely broken. In recent times, attacks are slowly targeting WPA. EventhoughthereisnopublicattackavailablecurrentlytobreakWPAinallgeneralconditions,thereareattacksthatarefeasibleunderspecialcircumstances.

Inthischapter,wewilltakealookatthefollowingtopics:

DifferentencryptionschemasinWLANsCrackingWEPencryptionCrackingWPAencryption

WLANencryptionWLANstransmitdataovertheairandthusthereisaninherentneedtoprotectdataconfidentiality.Thisisbestdoneusingencryption.TheWLANcommittee(IEEE802.11)formulatedthefollowingprotocolsfordataencryption:

WiredEquivalentPrivacy(WEP)Wi-FiProtectedAccess(WPA)Wi-FiProtectionAccessv2(WPAv2)

In this chapter,wewill take a look at each of these encryption protocols anddemonstratevariousattacksagainstthem.

WEPencryptionTheWEPprotocolwasknowntobeflawedasearlyas2000but,surprisingly,itis still continuing to be used and access points still ship with WEP enabledcapabilities.

TherearemanycryptographicweaknessesinWEPandtheywerediscoveredbyWalker,Arbaugh,Fluhrer,Martin,Shamir,KoreK,andmanyothers.EvaluationofWEPfromacryptographicstandpointisbeyondthescopeofthisbook,asitinvolvesunderstandingcomplexmath.Inthissection,wewilltakealookathowto break WEP encryption using readily available tools on the BackTrackplatform. This includes the entire aircrack-ng suite of tools—airmon-ng,aireplay-ng,airodump-ng,aircrack-ng,andothers.

ThefundamentalweaknessinWEPisitsuseofRC4andashortIVvaluethatisrecycledevery224frames.While this isa largenumber in itself, there isa50percentchanceoffourreusesevery5,000packets.Tousethistoouradvantage,wegeneratea largeamountof trafficso thatwecan increase the likelihoodofIVsthathavebeenreusedandthuscomparetwociphertextsencryptedwiththesameIVandkey.

Let'snowfirstsetupWEPinourtestlabandseehowwecanbreakit.

Timeforaction–crackingWEPFollowthegiveninstructionstogetstarted:

1. Let's firstconnect toouraccesspointWirelessLabandgo to thesettingsareathatdealswithwirelessencryptionmechanisms:

2. Onmyaccesspoint,thiscanbedonebysettingtheSecurityModetoWEP.Wewill alsoneed to set theWEPkey length.Asshown in the followingscreenshot,IhavesetWEPtouse128bitkeys.IhavesetthedefaultkeytoWEPKey1and thevalue inhex toabcdefabcdefabcdefabcdef12as the

128-bitWEPkey.Youcansetthistowhateveryouchoose:

3. Oncethesettingsareapplied,theaccesspointshouldnowbeofferingWEPas the encryption mechanism of choice. Let's now set up the attacker

machine.4. Let'sbringupWlan0byissuingthefollowingcommand:

ifconfigwlan0up

5. Then,wewillrunthefollowingcommand:

airmon-ngstartwlan0

6. Thisisdonesoastocreatemon0,themonitormodeinterface,asshowninthe following screenshot. Verify that the mon0 interface has been createdusingtheiwconfigcommand:

7. Let's run airodump-ng to locate our lab access point using the followingcommand:

airodump-ngmon0

8. Asyoucanseeinthefollowingscreenshot,weareabletoseetheWirelessLabaccesspointrunningWEP:

9. Forthisexercise,weareonlyinterestedintheWirelessLab,solet'senterthefollowingcommandtoonlyseepacketsforthisnetwork:

airodump-ng –bssid 00:21:91:D2:8E:25 --channel 11 --

writeWEPCrackingDemomon0

Theprecedingcommandlineisshowninthefollowingscreenshot:

10. Wewillrequestairodump-ngtosavethepacketsintoapcapfileusingthe--writedirective:

11. Nowlet'sconnectourwirelessclienttotheaccesspointandusetheWEPkey as abcdefabcdefabcdefabcdef12. Once the client has successfullyconnected,airodump-ngshouldreportitonthescreen.

12. Ifyoudoanlsinthesamedirectory,youwillbeabletoseefilesprefixedwithWEPCrackingDemo-*,asshowninthefollowingscreenshot.Thesearetrafficdumpfilescreatedbyairodump-ng:

13. If you notice the airodump-ng screen, the number of data packets listedunderthe#Datacolumnisveryfewinnumber(only68).InWEPcracking,we need a large number of data packets, encryptedwith the same key toexploitweaknessesintheprotocol.So,wewillhavetoforcethenetworktoproducemoredatapackets.Todothis,wewillusetheaireplay-ngtool:

14. WewillcaptureARPpacketson thewirelessnetworkusingAireplay-ngandinjectthembackintothenetworktosimulateARPresponses.Wewillbe starting Aireplay-ng in a separate window, as shown in the nextscreenshot.Replayingthesepacketsafewthousandtimes,wewillgeneratealotofdatatrafficonthenetwork.EventhoughAireplay-ngdoesnotknowtheWEPkey,itisabletoidentifytheARPpacketsbylookingatthesizeof

the packets. ARP is a fixed header protocol; thus, the size of the ARPpackets can be easily determined and can be used to identify them evenwithinencryptedtraffic.Wewillrunaireplay-ngwiththeoptionsthatarediscussednext.The-3optionisforARPreplay,-bspecifiestheBSSIDofournetwork,and-hspecifiestheclientMACaddressthatwearespoofing.Weneedtodothis,asreplayattackswillonlyworkforauthenticatedandassociatedclientMACaddresses:

15. Verysoonyoushouldseethataireplay-ngwasabletosniffARPpacketsand started replaying them into the network. If you encounter channel-relatederrorsasIdid,append–ignore-negative-onetoyourcommand,asshowninthefollowingscreenshot:

16. Atthispoint,airodump-ngwillalsostartregisteringalotofdatapackets.All these sniffedpacketsarebeing stored in theWEPCrackingDemo-* filesthatwesawpreviously:

17. Nowlet'sstartwiththeactualcrackingpart!Wefireupaircrack-ngwiththeoptionWEPCRackingDemo-0*.cap inanewwindow.Thiswill start theaircrack-ngsoftwareanditwillbeginworkingoncrackingtheWEPkeyusing the data packets in the file. Note that it is a good idea to haveAirodump-ngcollect theWEPpackets,aireplay-ngdo the replayattack,and aircrack-ng attempt to crack the WEP key based on the captured

packets, all at the same time. In this experiment, all of them are open inseparatewindows.

18. Yourscreenshouldlooklikethefollowingscreenshotwhenaircrack-ngisworkingonthepacketstocracktheWEPkey:

19. Thenumberofdatapackets required tocrack thekey isnondeterministic,

butgenerallyintheorderofahundredthousandormore.Onafastnetwork(or using aireplay-ng), this should take 5-10 minutes at most. If thenumberofdatapacketscurrentlyinthefileisnotsufficient,thenaircrack-ng will pause, as shown in the following screenshot, and wait for morepacketstobecaptured;itwillthenrestartthecrackingprocess:

20. Onceenoughdatapacketshavebeencapturedandprocessed,aircrack-ngshouldbeabletobreakthekey.Onceitdoes, itproudlydisplaysit intheterminalandexits,asshowninthefollowingscreenshot:

21. It is important to note thatWEP is totally flawed and anyWEP key (nomatter how complex) will be cracked by Aircrack-ng. The only

requirementisthatalargeenoughnumberofdatapackets,encryptedwiththiskey,aremadeavailabletoaircrack-ng.

Whatjusthappened?

WesetupWEPinourlabandsuccessfullycrackedtheWEPkey.Inordertodothis,wefirstwaitedforalegitimateclientofthenetworktoconnecttotheaccesspoint.After this,we used the aireplay-ng tool to replayARP packets into thenetwork. This caused the network to send ARP replay packets, thus greatlyincreasing the number of data packets sent over the air. We then used theaircrack-ngtooltocracktheWEPkeybyanalyzingcryptographicweaknessesinthesedatapackets.

NotethatwecanalsofakeanauthenticationtotheaccesspointusingtheSharedKey Authentication bypass technique we learnt in the last chapter. This cancomeinhandyif thelegitimateclient leavesthenetwork.Thiswillensurethatwe can spoof an authentication and association and continue to send ourreplayedpacketsintothenetwork.

Haveagohero–fakeauthenticationwithWEPcracking

In the previous exercise, if the legitimate client had suddenly logged off thenetwork,wewouldnothavebeenabletoreplaythepacketsastheaccesspointwillrefusetoacceptpacketsfromun-associatedclients.

Your challenge will be to fake an authentication and association using theShared Key Authentication bypass we learnt in the last chapter, while WEPcrackingisgoingon.Logoff thelegitimateclientfromthenetworkandverifythatyouarestillabletoinjectpacketsintothenetworkandwhethertheaccesspointacceptsandrespondstothem.

WPA/WPA2WPA (or WPA v1 as it is referred to sometimes) primarily uses the TKIPencryption algorithm. TKIP was aimed at improvingWEP, without requiringcompletelynewhardwaretorunit.WPA2incontrastmandatorilyusestheAES-CCMPalgorithmforencryption,whichismuchmorepowerfulandrobustthanTKIP.

BothWPAandWPA2alloweitherEAP-based authentication, usingRADIUSservers (Enterprise)or aPre-Sharedkey (PSK) (personal)-basedauthenticationschema.

WPA/WPA2PSK is vulnerable to a dictionary attack.The inputs required forthis attack are the four-wayWPAhandshake between client and access point,and a wordlist that contains common passphrases. Then, using tools such asAircrack-ng,wecantrytocracktheWPA/WPA2PSKpassphrase.

Anillustrationofthefour-wayhandshakeisshowninthefollowingscreenshot:

ThewayWPA/WPA2PSKworks is that itderives theper-sessionkey, calledthe Pairwise Transient Key (PTK), using the Pre-Shared Key and five otherparameters—SSID of Network, Authenticator Nounce (ANounce), SupplicantNounce (SNounce), Authenticator MAC address (Access Point MAC), andSuppliantMACaddress(Wi-FiClientMAC).Thiskey is thenused toencryptalldatabetweentheaccesspointandclient.

Anattackerwhoiseavesdroppingonthisentireconversationbysniffingtheaircangetallfiveparametersmentionedinthepreviousparagraph.TheonlythinghedoesnothaveisthePre-SharedKey.So,howisthePre-SharedKeycreated?ItisderivedbyusingtheWPA-PSKpassphrasesuppliedbytheuser,alongwiththeSSID.ThecombinationofbothoftheseissentthroughthePassword-BasedKeyDerivationFunction(PBKDF2),whichoutputsthe256-bitsharedkey.

Ina typicalWPA/WPA2PSKdictionaryattack, theattackerwouldusea largedictionaryofpossiblepassphraseswiththeattacktool.Thetoolwouldderivethe256-bitPre-Sharedkey fromeachof thepassphrases anduse itwith theotherparameters,describedearlier,tocreatethePTK.ThePTKwillbeusedtoverifythe Message Integrity Check (MIC) in one of the handshake packets. If itmatches,thentheguessedpassphrasefromthedictionarywascorrect; ifnot, itwasincorrect.

Eventually,iftheauthorizednetworkpassphraseexistsinthedictionary,itwillbe identified. This is exactly how WPA/WPA2 PSK cracking works! Thefollowingfigureillustratesthestepsinvolved:

Inthenextexercise,wewill takealookathowtocrackaWPAPSKwirelessnetwork. The exact same steps will be involved in cracking a WPA2-PSKnetworkusingCCMP(AES)aswell.

Time for action – cracking WPA-PSK weakpassphrasesFollowthegiveninstructionstogetstarted:

1. Let'sfirstconnecttoouraccesspointWirelessLabandsettheaccesspointto useWPA-PSK.Wewill set theWPA-PSKpassphrase toabcdefgh sothatitisvulnerabletoadictionaryattack:

2. We start airodump-ng with the following command so that it startscapturingandstoringallpacketsforournetwork:

airodump-ng–bssid00:21:91:D2:8E:25–channel11–write

WPACrackingDemomon0"

Thefollowingscreenshotshowstheoutput:

3. Nowwecanwaitforanewclienttoconnecttotheaccesspointsothatwecan capture the four-way WPA handshake, or we can send a broadcastdeauthentication packet to force clients to reconnect.We do the latter tospeed things up. The same thing can happen again with the unknownchannel error. Again, use –-ignore-negative-one. This can also requiremorethanoneattempt:

4. As soon as we capture a WPA handshake, the airodump-ng tool willindicate it in the top-right corner of the screen with a WPA handshakefollowedbytheaccesspoint'sBSSID.Ifyouareusing–ignore-negative-one, the tool may replace the WPA handshake with a fixed channelmessage.JustkeepaneyeoutforaquickflashofaWPAhandshake.

5. We can stop the airodump-ng utility now. Let's open up the cap file in

Wireshark and view the four-way handshake. Your Wireshark terminalshouldlooklikethefollowingscreenshot.Ihaveselectedthefirstpacketofthe four-wayhandshake in the trace file in thescreenshot.ThehandshakepacketsaretheonewhoseprotocolisEAPOL:

6. Nowwe will start the actual key cracking exercise! For this, we need a

dictionaryofcommonwords.Kali shipswithmanydictionary files in themetasploit folder located as shown in the following screenshot. It isimportant to note that, in WPA cracking, you are just as good as yourdictionary. BackTrack ships with some dictionaries, but these may beinsufficient.Passwords thatpeoplechoosedependona lotof things.Thisincludes things such as which country users live in, common names andphrases in that region the, security awareness of the users, and a host ofother things. It may be a good idea to aggregate country- and region-specificwordlists,whenundertakingapenetrationtest:

7. Wewillnowinvoketheaircrack-ngutilitywiththepcapfileastheinputand a link to the dictionary file, as shown in the following screenshot. Ihaveusednmap.lst,asshownintheterminal:

8. aircrack-ng uses the dictionary file to try various combinations ofpassphrases and tries to crack the key. If the passphrase is present in thedictionaryfile,itwilleventuallycrackitandyourscreenwilllooksimilartotheoneinthescreenshot:

9. Please note that, as this is a dictionary attack, the prerequisite is that thepassphrase must be present in the dictionary file you are supplying toaircrack-ng. If thepassphrase isnotpresent in thedictionary, theattackwillfail!

Whatjusthappened?

WesetupWPA-PSKonouraccesspointwithacommonpassphrase:abcdefgh.Wethenuseadeauthenticationattacktohavelegitimateclientsreconnecttotheaccess point. When we reconnect, we capture the four-way WPA handshakebetweentheaccesspointandtheclient.

AsWPA-PSKisvulnerabletoadictionaryattack,wefeedthecapturefilethatcontainstheWPAfour-wayhandshakeandalistofcommonpassphrases(intheformofawordlist)toAircrack-ng.Asthepassphraseabcdefghispresentinthewordlist, Aircrack-ng is able to crack theWPA-PSK shared passphrase. It isvery important to note again that, inWPA dictionary-based cracking, you arejustasgoodasthedictionaryyouhave.Thus,itisimportanttocompilealargeandelaboratedictionarybeforeyoubegin.ThoughBackTrackshipswithitsowndictionary,itmaybeinsufficientattimesandmightneedmorewords,especiallytakingintoaccountthelocalizationfactor.

Have a go hero – trying WPA-PSK cracking withCowpatty

CowpattyisatoolthatcanalsocrackaWPA-PSKpassphraseusingadictionaryattack.ThistoolisincludedwithBackTrack.IleaveitasanexerciseforyoutouseCowpattytocracktheWPA-PSKpassphrase.

Also,setanuncommonpassphrase that isnotpresent in thedictionaryand trytheattackagain.YouwillnowbeunsuccessfulincrackingthepassphrasewithbothAircrack-ngandCowpatty.

It is important to note that the same attack applies even to a WPA2 PSKnetwork.Iencourageyoutoverifythisindependently.

SpeedingupWPA/WPA2PSKcrackingAs we have already seen in the previous section, if we have the correctpassphraseinourdictionary,crackingWPA-Personalwillworkeverytimelikeacharm.So,whydon'twe justcreatea largeelaboratedictionaryofmillionsofcommonpasswordsandphrasespeopleuse?Thiswouldhelpusalotandmostofthetime,wewouldendupcrackingthepassphrase.Itallsoundsgreatbutwearemissingonekeycomponenthere—thetimetaken.OneofthemoreCPUandtime-consuming calculations is that of the Pre-Shared key using the PSKpassphrase and the SSID through the PBKDF2. This function hashes thecombinationofbothover4,096 timesbeforeoutputting the256-bitPre-Sharedkey.Thenextstepincrackinginvolvesusingthiskeyalongwithparametersinthe four-wayhandshake andverifying against theMIC in thehandshake.Thisstep is computationally inexpensive. Also, the parameters will vary in thehandshake every time and hence, this step cannot be precomputed. Thus, tospeed up the cracking process, we need to make the calculation of the Pre-Sharedkeyfromthepassphraseasfastaspossible.

We can speed this up by precalculating the Pre-Shared Key, also called thePairwiseMasterKey(PMK)in802.11standardparlance.Itisimportanttonotethat, as theSSID isalsoused tocalculate thePMK,with the samepassphraseandwithadifferentSSID,wewillendupwithadifferentPMK.Thus,thePMKdependsonboththepassphraseandtheSSID.

Inthenextexercise,wewilltakealookathowtoprecalculatethePMKanduseitforWPA/WPA2PSKcracking.

Timeforaction–speedingupthecrackingprocessWecanproceedwiththefollowingsteps:

1. We can precalculate the PMK for a given SSID and wordlist using thegenpmktoolwiththefollowingcommand:

genpmk –f <chosen wordlist>–d PMK-Wireless-Lab –s

"WirelessLab

ThiscreatesthePMK-Wireless-LabfilecontainingthepregeneratedPMK:

2. WenowcreateaWPA-PSKnetworkwiththepassphraseabcdefgh(presentinthedictionaryweused)andcaptureaWPA-handshakeforthatnetwork.We now use Cowpatty to crack the WPA passphrase, as shown in thefollowingscreenshot:

It takes approximately7.18 seconds forCowpatty to crack thekey, usingtheprecalculatedPMKs.

3. Wenowuseaircrack-ngwith the samedictionary file, and thecrackingprocess takes over 22 minutes. This shows how much we are gainingbecauseoftheprecalculation.

4. InordertousethesePMKswithaircrack-ng,weneedtouseatoolcalledairolib-ng. We will give it the options airolib-ng, PMK-Aircrack --import,and cowpatty PMK-Wireless-Lab, where PMK-Aircrack is theaircrack-ngcompatibledatabase tobecreatedandPMK-Wireless-LabisthegenpmkcompliantPMKdatabasethatwecreatedpreviously.

5. Wenowfeedthisdatabasetoaircrack-ngandthecrackingprocessspeedsupremarkably.Weusethefollowingcommand:

aircrack-ng–rPMK-AircrackWPACrackingDemo2-01.cap

6. There are additional tools available on BackTrack such as Pyrit that canleverage multi CPU systems to speed up cracking. We give the pcapfilenamewiththe-roptionandthegenpmkcompliantPMKfilewiththe-ioption.Evenonthesamesystemusedwith theprevious tools,Pyrit takesaround3secondstocrackthekey,usingthesamePMKfilecreatedusinggenpmk.

Whatjusthappened?

We lookedatvariousdifferent tools and techniques to speedupWPA/WPA2-PSKcracking.Thewholeideaistopre-calculatethePMKforagivenSSIDandalistofpassphrasesinourdictionary.

DecryptingWEPandWPApacketsInalltheexerciseswehavedonetillnow,wecrackedtheWEPandWPAkeysusingvarioustechniques.Whatdowedowiththisinformation?Thefirststepistodecryptdatapacketswehavecapturedusingthesekeys.

In the next exercise,wewill decrypt theWEP andWPApackets in the sametracefilethatwecapturedovertheair,usingthekeyswecracked.

Timeforaction–decryptingWEPandWPApacketsWecanproceedwiththefollowingsteps:

1. We will decrypt packets from the WEP capture file we created earlier:WEPCrackingDemo-01.cap. For this, we will use another tool in theAircrack-ngsuitecalledairdecap-ng.Wewillrunthefollowingcommand,as shown in the following screenshot, using the WEP key we crackedpreviously:

airdecap-ng -w abcdefabcdefabcdefabcdef12

WEPCrackingDemo-02.cap

2. The decrypted files are stored in a file named WEPCrackingDemo-02-dec.cap.Weusethetsharkutilitytoviewthefirsttenpacketsinthefile.Please note that you may see something different based on what youcaptured:

3. WPA/WPA2PSKwillworkinexactly thesamewayaswithWEP,usingthe airdecap-ng utility, as shown in the following screenshot, with thefollowingcommand:

airdecap-ng –p abdefg WPACrackingDemo-02.cap –e

"WirelessLab"

Whatjusthappened?

WejustsawhowwecandecryptWEPandWPA/WPA2-PSKencryptedpacketsusing Airdecap-ng. It is interesting to note that we can do the same usingWireshark. We would encourage you to explore how this can be done byconsultingtheWiresharkdocumentation.

ConnectingtoWEPandWPAnetworksWe can also connect to the authorized network after we have cracked thenetworkkey.Thiscancomeinhandyduringpenetration testing.Loggingontothe authorized network with the cracked key is the ultimate proof you canprovidetoyourclientthathisnetworkisinsecure.

Timeforaction–connectingtoaWEPnetworkWecanproceedwiththefollowingsteps:

1. UsetheiwconfigutilitytoconnecttoaWEPnetwork,onceyouhavethekey. In a past exercise, we broke the WEP key—abcdefabcdefabcdefabcdef12:

Whatjusthappened?

WesawhowtoconnecttoaWEPnetwork.

Timeforaction–connectingtoaWPAnetworkWecanproceedwiththefollowingsteps:

1. In the case ofWPA, thematter is a bitmore complicated.TheiwconfigutilitycannotbeusedwithWPA/WPA2PersonalandEnterprise,asitdoesnotsupportit.WewilluseanewtoolcalledWPA_supplicantforthislab.To use WPA_supplicant for a network, we will need to create aconfigurationfile,asshowninthefollowingscreenshot.Wewillnamethisfilewpa-supp.conf:

2. WewilltheninvoketheWPA_supplicantutilitywiththefollowingoptions:-Dwext-iwlan0–cwpa-supp.conftoconnecttotheWPAnetworkwejustcracked.Oncetheconnectionissuccessful,WPA_supplicantwillgiveyouthemessage:ConnectiontoXXXXcompleted.

3. ForboththeWEPandWPAnetworks,onceyouareconnected,youcanusedhcpclienttograbaDHCPaddressfromthenetworkbytypingdhclient3

wlan0.

Whatjusthappened?

The defaultWi-Fi utilityiwconfig cannot be used to connect toWPA/WPA2networks.Thede-factotoolforthisisWPA_Supplicant.Inthislab,wesawhowwecanuseittoconnecttoaWPAnetwork.

Popquiz–WLANencryptionflaws

Q1.WhatpacketsareusedforPacketReplay?

1. Deauthenticationpacket.2. Associatedpacket.3. EncryptedARPpacket.4. Noneoftheabove.

Q2.WhencanWEPbecracked?

1. Always.2. Onlyifaweakkey/passphraseischosen.3. Underspecialcircumstancesonly.4. Onlyiftheaccesspointrunsoldsoftware.

Q3.WhencanWPAbecracked?

1. Always.2. Onlyifaweakkey/passphraseischosen.3. Iftheclientcontainsoldfirmware.4. Evenwithnoclientconnectedtothewirelessnetwork.

SummaryInthischapter,welearntaboutWLANencryption.WEPisflawedandnomatterwhattheWEPkeyis,withenoughdatapacketsamples:itisalwayspossibletocrackWEP.WPA/WPA2iscryptographicallyun-crackablecurrently;however,under special circumstances, such as when a weak passphrase is chosen inWPA/WPA2-PSK, it is possible to retrieve the passphrase using dictionaryattacks.

In the next chapter, we will take a look at different attacks on the WLANinfrastructure,suchasrogueaccesspoints,eviltwins,bit-flippingattacks,andsoon.

Chapter5.AttacksontheWLANInfrastructure

"Thus,whatisofsupremeimportanceinwaristoattacktheenemy'sstrategy" --SunTzu,ArtofWar

Inthischapter,wewillattacktheWLANinfrastructure'score!Wewillfocusonhow we can penetrate into the authorized network using various new attackvectorsandlureauthorizedclientstoconnecttous,asanattacker.

TheWLAN infrastructure iswhatprovideswireless services to all theWLANclientsinasystem.Inthischapter,wewilltakealookatthevariousattacksthatcanbeconductedagainsttheinfrastructure:

DefaultaccountsandcredentialsontheaccesspointDenialofserviceattacksEviltwinandaccesspointMACspoofingRogueaccesspoints

DefaultaccountsandcredentialsontheaccesspointWLAN access points are the core building blocks of the infrastructure. Eventhoughtheyplaysuchanimportantrole,theyaresometimesthemostneglectedin terms of security. In this exercise, we will check whether the defaultpasswordshavebeenchangedontheaccesspointornot.Then,wewillgoontoverifythat,evenifthepasswordshavebeenchanged,theyarestilleasytoguessandcrackusingadictionary-basedattack.

Itisimportanttonotethat,aswemoveontomoreadvancedchapters,itwillbeassumedthatyouhavegonethroughthepreviouschaptersandarenowfamiliarwiththeuseofallthetoolsdiscussedthere.Thiswillallowustobuildonthatknowledgeandtrymorecomplicatedattacks!

Time for action – cracking default accounts on theaccesspointsFollowtheseinstructionstogetstarted:

1. Let'sfirstconnecttoouraccesspointWirelessLabandattempttonavigatetotheHTTPmanagementinterface.WeseethattheaccesspointmodelisTP-LinkWR841N,asshowninthefollowingscreenshot:

2. Fromthemanufacturer'swebsite,wefindthedefaultaccountcredentialsforadminareadmin.Wetrythisontheloginpageandwesucceedinloggingin.Thisshowshoweasyitistobreakintoaccountswithdefaultcredentials.We highly encourage you to obtain the router's usermanual online. Thiswill allow you to understand what you are dealing with during thepenetrationtestandgivesyouaninsightintootherconfigurationflawsyoucouldcheckfor:

Whatjusthappened?

Weverifiedthatthedefaultcredentialswereneverchangedonthisaccesspoint,and this could lead to a full network compromise. Also, even if the default

credentialsarechanged,theresultshouldnotbesomethingthatiseasytoguessorrunasimpledictionary-basedattackon.

Have a go hero – cracking accounts using brute-forceattacks

Inthepreviousexercise,changethepasswordtosomethingthatishardtoguessor find in a dictionary and see whether you can crack it using a brute-forceapproach. Limit the length and characters in the password so that you cansucceed at some point. One of the most common tools used to crack HTTPauthenticationiscalledHydraandisavailableonKali.

DenialofserviceattacksWLANsarepronetoDenialofService(DoS)attacksusingvarioustechniques,includingbutnotlimitedto:

deauthenticationattackDisassociationattackCTS-RTSattackSignalinterferenceorspectrumjammingattack

In the scope of this book, we will discuss deauthentication attacks on theWirelessLANinfrastructureusingthefollowingexperiment:

Timeforaction–deauthenticationDoSattacksFollowtheseinstructionstogetstarted:

1. Let'sconfigure theWirelessLabnetwork touseOpenAuthenticationandnoencryption.ThiswillallowustoseethepacketsusingWiresharkeasily:

2. Let's connect a Windows client to the access point. We will see theconnectionintheairodump-ngscreen:

3. Now,on the attackermachine, let's run adirecteddeauthentication attackagainstthis:

4. Note how the client gets disconnected from the access point completely.Wecanverifythisontheairodump-ngscreenaswell:

5. If we use Wireshark to see the traffic, you will notice a lot ofdeauthenticationpacketsovertheairthatwejustsent:

6. WecandothesameattackbysendingaBroadcastdeauthenticationpacketonbehalfoftheaccesspointtotheentirewirelessnetwork.Thiswillhavetheeffectofdisconnectingallconnectedclients:

Whatjusthappened?

We successfully sent deauthentication frames to both the access point and theclient. This resulted in them getting disconnected and a full loss ofcommunicationbetweenthem.

WealsosentoutBroadcastdeauthenticationpackets,whichwillensurethatnoclientinthevicinitycansuccessfullyconnecttoouraccesspoint.

It is important tonote that, as soon as the client is disconnected, itwill try toconnectbackonceagaintotheaccesspoint,andthusthedeauthenticationattackhastobecarriedoutinasustainedwaytohaveafulldenialofserviceeffect.

This is one of the easiest attacks to orchestrate but has the most devastatingeffect.Thiscaneasilybeusedintherealworldtobringawirelessnetworkdownonitsknees.

Haveagohero–disassociationattacks

Try to check how you can conduct Dis-Association attacks against theinfrastructure using tools available on Kali. Can you do a broadcastdisassociationattack?

EviltwinandaccesspointMACspoofingOneof themostpotent attacksonWLAN infrastructures is the evil twin.Theideaistobasicallyintroduceanattacker-controlledaccesspointinthevicinityoftheWLANnetwork.ThisaccesspointwilladvertisetheexactsameSSIDastheauthorizedWLANnetwork.

Many wireless users may accidently connect to this malicious access point,thinking it ispartof theauthorizednetwork.Onceaconnection isestablished,the attacker canorchestrate aman-in-the-middle attack and transparently relaytrafficwhileeavesdroppingontheentirecommunication.Wewilltakealookathowaman-in-the-middleattackisdoneinalaterchapter.Intherealworld,anattackerwouldideallyusethisattackclosetotheauthorizednetworksothattheusergetsconfusedandaccidentlyconnectstotheattacker'snetwork.

AneviltwinhavingthesameMACaddressasanauthorizedaccesspointisevenmore difficult to detect and deter. This is where access pointMAC Spoofingcomes in! In thenextexperiment,wewill takea lookathowtocreateaneviltwin,coupledwithaccesspointMACspoofing.

Timeforaction–eviltwinsandMACspoofingFollowtheseinstructionstogetstarted:

1. Useairodump-ngtolocatetheaccesspoint'sBSSIDandESSID,whichwewouldliketoemulateintheeviltwin:

2. WeconnectaWirelessclienttothisaccesspoint:

3. Usingthisinformation,wecreateanewaccesspointwiththesameESSIDbutadifferentBSSIDandMACaddressusingtheairbase-ngcommand.Minorerrorsmayoccurwithnewerreleases:

4. This new access point also shows up in the airodump-ng screen.. It isimportanttonotethatyouwillneedtorunairodump-nginanewwindowwiththefollowingcommand:

airodump-ng--channel11wlan0

Let'sseethisnewaccesspoint:

5. Nowwesendadeauthenticationframeto theclient,so itdisconnectsandimmediatelytriestoreconnect:

6. Asweareclosertothisclient,oursignalstrengthishigher,anditconnectstooureviltwinaccesspoint.

7. Wecanalsospoof theBSSDandMACaddressof theaccesspointusingthefollowingcommand:

airbase-ng–a<routermac>--essid"WirelessLab"–c11

mon0

8. Now if we look at through airodump-ng, it is almost impossible todifferentiatebetweenbothvisually:

9. Evenairodump-ngisunabletodiscernthatthereareactuallytwodifferentphysicalaccesspointsonthesamechannel.Thisisthemostpotentformof

theeviltwin.

Whatjusthappened?

Wecreatedaneviltwinfortheauthorizednetworkandusedadeauthenticationattacktohavethelegitimateclientconnectbacktous,insteadoftheauthorizednetworkaccesspoint.

It is important to note that, in the case of the authorized access point usingencryptionsuchasWEP/WPA,itmightbemoredifficulttoconductanattackinwhichtrafficeavesdroppingispossible.WewilltakealookathowtobreaktheWEPkeywithjustaclientusingtheCaffeLatteattackinalaterchapter.

Haveagohero–eviltwinsandchannelhopping

Inthepreviousexercise,runtheeviltwinondifferentchannelsandobservehowtheclient,oncedisconnected,hopschannelstoconnecttotheaccesspoint.Whatis thedeciding factor basedonwhich the client decideswhich accesspoint toconnectto?Isitsignalstrength?Experimentandvalidate.

ArogueaccesspointArogueaccesspointisanunauthorizedaccesspointconnectedtotheauthorizednetwork. Typically, this access point can be used as a backdoor entry by anattacker,thusenablinghimtobypassallsecuritycontrolsonthenetwork.Thiswouldmean that the firewalls, intrusionprevention systems, and soon,whichguard the border of a network, would be able to do little to stop him fromaccessingthenetwork.

Inthemostcommoncase,arogueaccesspointissettoOpenAuthenticationandnoencryption.Therogueaccesspointcanbecreatedinthefollowingtwoways:

Installing an actual physical device on the authorized network as a rogueaccesspoint.(ThisissomethingIleaveasanexercisetoyou.)Also,morethanwirelesssecurity,thishastodowithbreachingthephysicalsecurityoftheauthorizednetwork.Creating a rogue access point in software and bridging it with the localauthorizednetworkEthernetnetwork.Thiswillallowpracticallyanylaptoprunningontheauthorizednetworktofunctionasarogueaccesspoint.Wewilllookatthisinthenextexperiment.

Timeforaction–crackingWEPFollowtheseinstructionstogetstarted:

1. Let'sfirstbringupourrogueaccesspointusingairbase-ngandgiveittheESSIDRogue:

2. Wenowwant to create a bridgebetween theEthernet interface,which ispartoftheauthorizednetwork,andourrogueaccesspointinterface.Todothis,wewillfirst installbridge-utils files,createabridgeinterface,andname it Wifi-Bridge. The following screenshot shows the requiredcommandsinaction:

apt-getinstallbridge-utils

brctladdbrWifi-Bridge

Let'sseethefollowingoutputofthecommand:

3. WewillthenaddboththeEthernetandtheAt0virtualinterfacecreatedbyAirbase-ngtothisbridge:

brctladdifWifi-Bridgeeth0

brctladdifWifi-Bridgeath0

Thescreenshotofthecommandasfollows:

4. Wewillthenbringwiththeseinterfacesuptobringthebridgeupwiththe

followingcommands:

ifconfigeth00.0.0.0up

ifconfigath00.0.0.0up

Thescreenshotofthecommandasfollows:

5. WewillthenenableIPforwardinginthekerneltoensurethatpacketsareforwarded:

echo1>/proc/sys/net/ipv4/ip_forward

Thescreenshotofthecommandasfollows:

6. Brilliant!We are done.Now, anywireless client connecting to our rogueaccess point will have full access to the authorized network using thewireless-to-wired Wifi-Bridge we just built. We can verify this byconnecting a client to the rogue access point.Once connected, if you areusingVista,yourscreenmightlooklikethefollowing:

7. NoticethatitreceivesanIPaddressfromtheDHCPdaemonrunningontheauthorizedLAN:

8. Wecannowaccessanyhostonthewirednetworkfromthiswirelessclientusingthisrogueaccesspoint.Next,wewillpingthegatewayonthewirednetwork:

Whatjusthappened?

WecreatedarogueaccesspointandusedittobridgealltheauthorizednetworkLANtrafficover thewirelessnetwork.Asyoucansee, this isa really serioussecuritythreatasanyonecanbreakintothewirednetworkusingthisbridge.

Haveagohero–rogueaccesspointchallenge

CheckwhetheryoucancreatearogueaccesspointthatusesWPA/WPA2-basedencryptiontolookmorelegitimateonthewirelessnetwork.

Popquiz–attacksontheWLANinfrastructure

Q1.Whatencryptiondoesarogueaccesspointuseinmostcases?

1. None.2. WEP.3. WPA.4. WPA2.

Q2.What is theadvantageofhaving thesameMACaddressas theauthorized

accesspointinaneviltwin?

1. Itmakesdetectingtheeviltwinmoredifficult.2. Itforcestheclienttoconnecttoit.3. Itincreasesthesignalstrengthofthenetwork.4. Noneoftheabove.

Q3.WhatdoDoSattacksdo?

1. Theybringdowntheoverallthroughputofthenetwork.2. Theydonottargettheclients.3. They can only be done if we know the network WEP/WPA/WPA2

credentials.4. Alloftheabove.

Q4.Whatdorogueaccesspointsdoandhowcantheybecreated?

1. Theyallowbackdoorentryintotheauthorizednetwork.2. TheyuseWPA2encryptiononly.3. They can be created as software-based access points or can be actual

devices.4. Both1and3.

SummaryIn this chapter,we explored differentways to compromise the security of theWirelessLANinfrastructure:

CompromisingdefaultaccountsandcredentialsonaccesspointsDenialofserviceattacksEviltwinsandMACSpoofingRogueaccesspointsintheenterprisenetwork

Inthenextchapter,wewilltakealookatdifferentattacksonthewirelessLANclient. Interestingly, most administrators feel that the client has no securityproblems toworryabout.Wewill seehownothingcouldbe furthers from thetruth.

Chapter6.AttackingtheClient

"Securityisjustasstrongastheweakestlink." --FamousQuoteinInformationSecurityDomain

Most penetration testers seem to give all their attention to the WLANinfrastructureanddon'tgivethewirelessclientevenafractionofthat.However,itisinterestingtonotethatahackercangainaccesstotheauthorizednetworkbycompromisingawirelessclientaswell.

In this chapter, we will shift our focus from the WLAN infrastructure to thewireless client. The client can be either a connected or isolated unassociatedclient.Wewill takealookatthevariousattacksthatcanbeusedtotargettheclient.

Wewillcoverthefollowingtopics:

HoneypotandMis-AssociationattacksTheCaffeLatteattackDeauthenticationanddisassociationattacksTheHirteattackAP-lessWPA-Personalcracking

HoneypotandMis-AssociationattacksNormally,whenawirelessclientsuchasalaptopisturnedon,itwillprobefornetworks it has previously connected to. These networks are stored in a listcalled the Preferred Network List (PNL) on Windows-based systems. Also,alongwiththislist,thewirelessclientwilldisplayanynetworksavailableinitsrange.

Ahackermaydooneormoreofthefollowingthings:

Silentlymonitortheprobesandbringupafakeaccesspointwiththesame

ESSID theclient is searching for.Thiswill cause theclient toconnect tothehackermachine,thinkingitisthelegitimatenetwork.Create fake access points with the same ESSID as neighboring ones topersuadetheusertoconnecttohim.SuchattacksareveryeasytoconductincoffeeshopsandairportswhereausermightbelookingtoconnecttoaWi-Ficonnection.Userecordedinformationtolearnaboutthevictim'smovementsandhabits,asweshowindetailinalaterchapter.

TheseattacksarecalledHoneypotattacks,because thehacker'saccesspoint ismis-associatedwiththelegitimateone.

Inthenextexercise,wewillcarryoutboththeseattacksinourlab.

Time for action – orchestrating a Mis-AssociationattackFollowtheseinstructionstogetstarted:

1. In the previous labs,we used a client that had connected to theWirelessLabaccesspoint.Let'sswitchontheclientbutnottheactualWirelessLabaccesspoint.Let'snowrunairodump-ngmon0andchecktheoutput.Youwill very soon find the client to be in the not associated mode andprobingforWirelessLabandotherSSIDsinitsstoredprofile:

2. Tounderstandwhatishappening,let'srunWiresharkandstartsniffingon

themon0interface.Asexpected,youmightseealotofpacketsthatarenotrelevant to our analysis. Apply a Wireshark filter to only display ProbeRequestpacketsfromtheclientMACyouareusing:

3. In my case, the filter would be wlan.fc.type_subtype == 0x04 &&

wlan.sa==<mymac>.You should now seeProbeRequest packets only

fromtheclientforthepreviouslyidentifiedSSIDs.4. Let's now start a fake access point for the networkWireless Lab on the

hackermachineusingthefollowingcommand:

airbase-ng–c3–e"WirelessLab"mon0

5. Withinaminuteorso, theclientshouldconnect tousautomatically.Thisshowshoweasyitistohaveun-associatedclients:

6. Nowwewilltryitincompetitionwithanotherrouter.WewillcreateafakeaccesspointWirelessLabinthepresenceof thelegitimateone.Let's turnour access point on to ensure thatWirelessLab is available to the client.

Forthisexperiment,wehavesettheaccesspointchannelto3.Lettheclientconnecttotheaccesspoint.Wecanverifythisfromairodump-ng,asshowninthefollowingscreenshot:

7. Nowlet'sbringupourfakeaccesspointwiththeSSIDWirelessLab:

8. Notice that the client is still connected to Wireless Lab, the legitimateaccesspoint:

9. We will now send broadcast deauthentication messages to the client onbehalfofthelegitimateaccesspointtobreaktheirconnection:

10. Assuming the signal strength of our fake access point Wireless Lab isstrongerthanthelegitimateonetotheclient,itconnectstoourfakeaccesspointinsteadofthelegitimateaccesspoint:

11. We can verify this by looking at the airodump-ng output to see the newassociationoftheclientwithourfakeaccesspoint:

Whatjusthappened?

WejustcreatedaHoneypotusingtheprobedlistfromtheclientandalsousingthesameESSIDasthatofneighboringaccesspoints.Inthefirstcase,theclientautomaticallyconnectedtous,asitwassearchingforthenetwork.Inthelattercase, as we were closer to the client than the real access point, our signalstrengthwashigher,andtheclientconnectedtous.

Have a go hero – forcing a client to connect to theHoneypot

In the previous exercise, what do we do if the client does not automaticallyconnect to us?Wewould have to send a deauthentication packet to break thelegitimate client-access point connection and then, if our signal strength ishigher, the client will connect to our spoofed access point. Try this out byconnectingaclienttoalegitimateaccesspoint,andthenforcingittoconnecttoyourHoneypot.

TheCaffeLatteattackIn the Honeypot attack, we noticed that clients will continuously probe forSSIDs they have connected to previously. If the client had connected to anaccesspointusingWEP,operatingsystemssuchasWindowscacheandstoretheWEP key. The next time the client connects to the same access point, theWindowswirelessconfigurationmanagerautomaticallyusesthestoredkey.

TheCaffeLatteattackwasinventedbyVivek,oneoftheauthorsofthisbook,andwasdemonstratedinToorcon9,SanDiego,USA.TheCaffeLatteattackisaWEP attack that allows a hacker to retrieve theWEP key of the authorizednetwork, using just the client. The attack does not require the client to beanywhereclosetotheauthorizedWEPnetwork.ItcancracktheWEPkeyusingjusttheisolatedclient.

In thenext exercise,wewill retrieve theWEPkeyof anetwork fromaclientusingtheCaffeLatteattack.

Timeforaction–conductingaCaffeLatteattackFollowtheseinstructionstogetstarted:

1. Let's first set up our legitimate access point with WEP for the networkWirelessLabwiththeABCDEFABCDEFABCDEF12keyinHex:

2. Let's connect our client to it and verify that the connection is successfulusingairodump-ng,asshowninthefollowingscreenshot:

3. Let's unplug the access point and ensure that the client is in the un-associatedstageandsearchesfortheWEPnetworkWirelessLab.

4. Nowweuseairbase-ngtobringupanaccesspointwithWirelessLabastheSSID,withtheparametersasshownhere:

5. As soon as the client connects to this access point,airbase-ng starts theCaffeLatteattack,asshownhere:

6. Wenowstartairodump-ngtocollectthedatapacketsfromthisaccesspointonly,aswedidbeforeintheWEPcrackingscenario:

7. Wealsostartaircrack-ngasintheWEP-crackingexercisewedidbeforeto begin the cracking process. The command line will be aircrack-ngfilename,wherethefilenameisthenameofthefilecreatedbyairodump-ng.

Whatjusthappened?

We were successful in retrieving the WEP key from just the wireless clientwithout requiring an actual access point to be used or present in the vicinity.ThisisthepoweroftheCaffeLatteattack.

Inbasicterms,aWEPaccesspointdoesn'tneedtoprovetoaclientthatitknowstheWEPkeyinordertoreceiveencryptedtraffic.Thefirstpieceoftrafficthat

willalwaysbesenttoarouteruponconnectingtoanewnetworkwillbeanARPrequesttoaskforanIP.

TheattackworksbybitflippingandreplayingARPpacketssentbythewirelessclientpostassociationwiththefakeaccesspointcreatedbyus.ThesebitflippedARP Request packets cause more ARP response packets to be sent by thewirelessclient.

Bit-flippingtakesanencryptedvalueandaltersittocreateadifferentencryptedvalue.Inthiscircumstance,wecantakeanencryptedARPrequestandcreateanARPresponsewithahighdegreeofaccuracy.OncewesendbackavalidARPresponse,wecanreplaythisvalueoverandoveragaintogeneratethetrafficweneedtodecrypttheWEPkey.

NotethatallthesepacketsareencryptedusingtheWEPkeystoredontheclient.Onceweareabletogatheralargenumberofthesedatapackets,aircrack-NGisabletorecovertheWEPkeyeasily.

Haveagohero–practisemakesperfect!

Trychanging theWEPkeyandrepeat theattack.This isadifficultattackandrequiressomepracticetoorchestratesuccessfully.ItwouldalsobeagoodideatouseWiresharkandexaminethetrafficonthewirelessnetwork.

DeauthenticationanddisassociationattacksWehaveseendeauthenticationattacksinpreviouschaptersaswellinthecontextoftheaccesspoint.Inthischapter,wewillexplorethisattackinthecontextoftheclient.

Inthenextlab,wewillsenddeauthenticationpacketstojusttheclientandbreakanestablishedconnectionbetweentheaccesspointandtheclient.

Timeforaction–deauthenticatingtheclientFollowtheseinstructionstogetstarted:

1. Let's first bring our access pointWirelessLab online again. Let's keep itrunningonWEPtoprovethat,evenwithencryptionenabled,itispossibletoattacktheaccesspointandclientconnection.Let'sverifythattheaccesspointisupusingairodump-ng:

2. Let'sconnectourclienttothisaccesspointandverifyitwithairodump-ng:

3. Wewillnowrunaireplay-ngtotargettheaccesspointconnection:

4. Theclientgetsdisconnectedandtriestoreconnecttotheaccesspoint.WecanverifythisusingWiresharkjustaswedidearlier:

5. We have now seen that, even in the presence of WEP encryption, it ispossibletodeauthenticateaclientanddisconnectit.Thesameisvalidevenin the presence ofWPA/WPA2. Let's now set our access point toWPAencryptionandverifyit:

6. Let'sconnectourclienttotheaccesspointandensurethatitisconnected:

7. Let'snowrunaireplay-ngtodisconnecttheclientfromtheaccesspoint:

Whatjusthappened?

We just learnt how to disconnect a wireless client selectively from an accesspointusingdeauthenticationframeseveninthepresenceofencryptionschemassuchasWEP/WPA/WPA2.Thiswasdonebysendingadeauthenticationpacketto just the access point—client pair, instead of sending a broadcastdeauthenticationtotheentirenetwork.

Haveagohero–disassociationattackontheclient

In the previous exercise, we used a deauthentication attack to break theconnection.Tryusingadisassociationpackettobreaktheestablishedconnectionbetweenaclientandanaccesspoint.

TheHirteattackWe've already seen how to conduct the Caffe Latte attack. The Hirte attackextendstheCaffeLatteattackusingfragmentationtechniquesandallowsalmostanypackettobeused.

MoreinformationontheHirteattackisavailableontheAircrack-ngwebsiteathttp://www.aircrack-ng.org/doku.php?id=hirte.

Wewillnowuseaircrack-ngtoconductaHirteattackonthesameclient.

Timeforaction–crackingWEPwiththeHirteattackFollowtheseinstructionstogetstarted:

1. Create aWEP access point exactly as in theCaffeLatte attack using theairbase-ngtool.Theonlyadditionaloptionisthe-Noptioninsteadofthe-LoptiontolaunchtheHirteattack:

2. Startairodump-nginaseparatewindowtocapturepacketsfortheWirelessLabHoneypot:

3. Now, airodump-ng will start monitoring this network and storing thepacketsintheHirte-01.capfile:

4. Once the roamingclientconnects toourHoneypotAP, theHirteattack isautomaticallylaunchedbyairbase-ng:

5. We start aircrack-ng as in the case of the Caffe Latte attack andeventually,thekeywillbecracked.

Whatjusthappened?

Welaunched theHirteattackagainstaWEPclient thatwas isolatedandawayfromtheauthorizednetwork.WecrackedthekeyexactlythesamewayasintheCaffeLatteattackcase.

Haveagohero–practise,practise,practise

WerecommendsettingdifferentWEPkeysontheclientandtryingthisexerciseacoupleoftimestogainconfidence.Youmaynoticemanytimesthatyoumayhavetoreconnecttheclienttogetittowork.

AP-lessWPA-PersonalcrackingInChapter4,wesawhowtocrackWPA/WPA2PSKusingaircrack-ng.Thebasic idea was to capture a four-way WPA handshake and then launch adictionaryattack.

Themilliondollarquestionis:WoulditbepossibletocrackWPA-Personalwithjusttheclient?Noaccesspoint!

Let'srevisittheWPAcrackingexercisetojogourmemory:

To crack WPA, we need the following four parameters from the four-wayhandshake—Authenticator Nounce, Supplicant Nounce, Authenticator MAC,andSupplicantMAC.Now,theinterestingthingisthatwedonotneedallofthefour packets in the handshake to extract this information. We can get thisinformationwithfourpackets;packets1and2orjustpackets2and3.

InordertocrackWPA-PSK,wewillbringupaWPA-PSKHoneypotand,whentheclientconnectstous,onlyMessage1andMessage2willcomethrough.As

wedonotknowthepassphrase,wecannotsendMessage3.However,Message1andMessage2containalltheinformationrequiredtobeginthekeycrackingprocess:

Timeforaction–AP-lessWPAcracking

1. WewillsetupaWPA-PSKHoneypotwiththeESSIDWirelessLab.The-z2optioncreatesaWPA-PSKaccesspoint,whichusesTKIP:

2. Let'salsostartairodump-ngtocapturepacketsfromthisnetwork:

3. Nowwhen our roaming client connects to this access point, it starts thehandshakebutfailstocompleteitafterMessage2,asdiscussedpreviously;however,thedatarequiredtocrackthehandshakehasbeencaptured.

4. Werun theairodump-ng capture file throughaircrack-ngwith thesamedictionaryfileasbefore;eventually,thepassphraseiscrackedasbefore.

Whatjusthappened?

We were able to crack theWPA key with just the client. This was possiblebecause, even with just the first two packets, we have all the informationrequiredtolaunchadictionaryattackonthehandshake.

Haveagohero–AP-lessWPAcracking

WerecommendsettingdifferentWEPkeysontheclientandtryingthisexerciseacoupleoftimestogainconfidence.Youmaynoticemanytimesthatyouhavetoreconnecttheclienttogetittowork.

Popquiz–attackingtheclient

Q1.WhatencryptionkeycantheCaffeLatteattackrecover?

1. None2. WEP3. WPA4. WPA2

Q2.WhatwouldaHoneypotaccesspointtypicallyuse?

1. NoEncryption,OpenAuthentication2. NoEncryption,SharedAuthentication3. WEPEncryption,OpenAuthentication4. Noneoftheabove

Q3.WhichoneofthefollowingisaDoSAttack?

1. Mis-Associationattacks2. Deauthenticationattacks3. Disassociationattacks4. Both2and3

Q4.WhatdoestheCaffeLatteattackrequire?

1. Thatthewirelessclientbeinradiorangeoftheaccesspoint2. ThattheclientcontainsacachedandstoredWEPkey3. WEPencryptionwithatleast128bitencryption4. Both1and3

SummaryInthischapter,welearnedthateventhewirelessclientissusceptibletoattacks.These include the Honeypot and other Mis-Association attacks; Caffe Latteattack to retrieve the key from the wireless client; deauthentication anddisassociationattackscausingaDenialofservice,HirteattackasanalternativetoretrievetheWEPkeyfromaroamingclient;and,finally,crackingtheWPA-Personalpassphrasewithjusttheclient.

In the next chapter,wewill usewhatwe've learned so far to conduct variousadvancedwirelessattacksonboththeclientandinfrastructureside.So,quicklyflipthepagetothenextchapter!

Chapter7.AdvancedWLANAttacks

"Toknowyourenemy,youmustbecomeyourenemy." --SunTzu,ArtofWar

Asapenetration tester, it is important to know theadvancedattacksahackercando,even ifyoumightnotcheckordemonstrate themduringapenetrationtest.Thischapter isdedicatedtoshowinghowahackercanconductadvancedattacksusingwirelessaccessasthestartingpoint.

In this chapter, wewill take a look at howwe can conduct advanced attacksusingwhatwehavelearnedsofar.Wewillprimarilyfocusontheman-in-the-middleattack(MITM),whichrequiresacertainamountofskillandpracticetoconductsuccessfully.Oncewehavedonethis,wewillusethisMITMattackasabase fromwhich to conductmore sophisticatedattacks suchasEavesdroppingandsessionhijacking.

Inthischapter,wewillcoverthefollowingtopics:

MITMattackWirelessEavesdroppingusingMITMSessionhijackingusingMITM

Aman-in-the-middleattackMITMattacksareprobablyoneofthemostpotentattacksonaWLANsystem.Therearedifferentconfigurationsthatcanbeusedtoconducttheattack.Wewilluse the most common one—the attacker is connected to the Internet using awiredLANand is creating a fake access point on his client card.This accesspointbroadcastsanSSIDsimilar toa localhotspot in thevicinity.Ausermayaccidently get connected to this fake access point (or can be forced to via thehigher signal strength theory we discussed in the previous chapters) andmaycontinuetobelievethatheisconnectedtothelegitimateaccesspoint.

Theattackercannowtransparentlyforwardalltheuser'strafficovertheInternetusingthebridgehehascreatedbetweenthewiredandwirelessinterfaces.

Inthefollowinglabexercise,wewillsimulatethisattack.

Timeforaction–man-in-the-middleattackFollowtheseinstructionstogetstarted:

1. To create the man-in-the-middle attack setup, we will first create a softaccesspointcalledmitmonthehackerlaptopusingairbase-ng.Werunthefollowingcommand:

airbase-ng--essidmitm–c11mon0

Theoutputofthecommandisasfollows:

2. Itisimportanttonotethatairbase-ng,whenrun,createsaninterfaceat0(atapinterface).Thinkofthisasthewired-sideinterfaceofoursoftware-basedaccesspointmitm:

3. Let's now create a bridge on the hacker's laptop, consisting of the wired(eth0)andwirelessinterface(at0).Thesuccessionofcommandsusedforthisisasfollows:

brctladdbrmitm-bridge

brctladdifmitm-bridgeeth0

brctladdifmitm-bridgeat0

ifconfigeth00.0.0.0up

ifconfigat00.0.0.0up

4. WecanassignanIPaddresstothisbridgeandchecktheconnectivitywiththegateway.PleasenotethatwecandothisusingDHCPaswell.WecanassignanIPaddresstothebridgeinterfacewiththefollowingcommand:

ifconfigmitm-bridge192.168.0.199up

We can then try pinging the gateway 192.168.0.1 to ensure thatwe areconnectedtotherestofthenetwork.

5. Let's now turnon IP forwarding in thekernel, so that routing andpacketforwardingcanhappencorrectly,usingthefollowingcommand:

echo1>/proc/sys/net/ipv4/ip_forward

Theoutputofthecommandisasfollows:

6. Now let's connect a wireless client to our access point mitm. It willautomatically get an IP address over DHCP (the server running on thewired-sidegateway).TheclientmachineinthiscasereceivestheIPaddress

192.168.0.197.Wecanpingthewired-sidegateway192.168.0.1toverifyconnectivity:

7. Wecanseethatthehostrespondstothepingrequests,asshownhere:

8. Wecanalsoverifythattheclientisconnectedbylookingattheairbase-ngterminalonthehacker'smachine:

9. It is interesting to note here that, because all the traffic is being relayedfromthewirelessinterfacetothewired-side,wehavefullcontroloverthetraffic.We can verify this by startingWireshark and sniffing on the at0interface:

10. Let'snowpingthegateway192.168.0.1fromtheclientmachine.WecanseethepacketsinWireshark(applyadisplayfilterforICMP),eventhoughthepacketsarenotdestinedforus.Thisisthepowerofman-in-the-middleattacks:

Whatjusthappened?

WesuccessfullycreatedthesetupforawirelessMan-in-the-Middleattack.Wedid this by creating a fake access point and bridging it with our Ethernetinterface. This ensured that any wireless client connecting to the fake accesspointwillperceivethatitisconnectedtotheInternetviathewiredLAN.

Haveagohero–man-in-the-middleoverpurewireless

Inthepreviousexercise,webridgedthewirelessinterfacewithawiredone.As

we noted earlier, this is one of the possible connection architectures for anMITM.Thereareothercombinationspossibleaswell.Aninterestingonewouldbetohavetwowirelessinterfaces,onethatcreatesthefakeaccesspointandtheother interface that is connected to the authorized access point. Both theseinterfaces are bridged. So,when awireless client connects to our fake accesspoint, it gets connected to the authorized access point through the attacker'smachine.

Pleasenotethatthisconfigurationwouldrequiretheuseoftwowirelesscardsontheattacker'slaptop.

Checkwhetheryoucanconductthisattackusingthein-builtcardonyourlaptopalongwiththeexternalone—bearinmind,youmaynothavetheinjectiondrivesrequiredforthisactivity.Thisshouldbeagoodchallenge!

WirelessEavesdroppingusingMITMInthepreviouslab,welearnedhowtocreateasetupforMITM.Now,wewilltakealookathowtodoWirelessEavesdroppingwiththissetup.

Thewhole lab revolvesaround theprinciple thatall thevictim's traffic isnowroutedthroughtheattacker'scomputer.Thus, theattackercaneavesdroponallthetrafficsenttoandfromthevictim'smachinewirelessly.

Timeforaction–WirelessEavesdroppingFollowtheseinstructionstogetstarted:

1. Replicate the entire setup as in the previous lab. Fire up Wireshark.Interestingly,eventheMITM-bridgeshowsup.Thisinterfacewouldallowustopeerintothebridgetraffic,ifwewantedto:

2. Startsniffingontheat0interfacesothatwecanmonitoralltrafficsentandreceivedbythewirelessclient:

3. On the wireless client, open up any web page. In my case, the wirelessaccesspoint is alsoconnected toLANand Iwill open it upbyusing theaddresshttp://192.168.0.1:

4. Signinwithyourpasswordandenterthemanagementinterface.5. InWireshark,weshouldbeseeingalotofactivity:

6. Setafilterforhttptoseeonlythewebtraffic:

7. We can easily locate the HTTP post request that was used to send thepasswordtothewirelessaccesspoint:

8. Nextisamagnifiedviewoftheprecedingpacket:

9. ExpandingontheHTTPheader,allowsustoseethatactuallythepasswordweenteredinplaintextwasnotsentasis;instead,ahashhasbeensent.Ifwe takea lookat thepacket, labeledasnumber64 inascreenshoton theprevious page, we can see that a request was made for /md5.js, whichmakesussuspectthatit isamd5hashofthepassword.It isinterestingtonote here that this technique may be prone to a replay attack if acryptographicsalt isnotusedonapersessionbasis in thecreationof thehash.Weleaveitasanexercisefortheusertofindoutthedetails,asthisisnotpartofwirelesssecurityandhencebeyondthescopeofthisbook:

10. Thisshowshoweasyit is tomonitorandeavesdropontrafficsentbytheclientduringaman-in-the-middleattack.

Whatjusthappened?

TheMITMsetupwecreatednowallowsustoeavesdroponthevictim'swirelesstrafficwithoutthevictimknowing.Thisispossiblebecause,inanMITM,allthetrafficisrelayedviatheattacker'smachine.Thus,allofthevictim'sunencryptedtrafficisavailableforeavesdroppingfortheattacker.

Haveagohero–findingGooglesearches

In today's world, all of us would like to keepwhat we search for onGoogleprivate.ThetrafficonGooglesearchisunfortunatelyoverHTTPandplaintextbydefault.

Canyou thinkof an intelligent display filter you could usewithWireshark toviewallGooglesearchesmadebythevictim?

SessionhijackingoverwirelessOneoftheotherinterestingattackswecanbuildontopofMITMisapplicationsessionhijacking.DuringanMITMattack, thevictim'spacketsare sent to theattacker. It is now the attacker's responsibility to relay this to the legitimatedestination and relay the responses from the destination to the victim. Aninterestingthingtonoteisthat,duringthisprocess,theattackercanmodifythedatainthepackets(ifunencryptedandunprotectedfromtampering).Thismeanshecanmodify,mangle,andevensilentlydroppackets.

Inthisnextexample,wewilltakealookatDNShijackingoverwirelessusingtheMITMsetup.Then,usingDNShijacking,wewillhijackthebrowsersessiontohttps://www.google.com.

Timeforaction–sessionhijackingoverwireless

1. Setupthetestexactlyasintheman-in-the-middleattacklab.Onthevictim,let's fire up the browser and type in https://www.google.com. Let's useWireshark to monitor this traffic. Your screen should resemble thefollowing:

2. ApplyaWiresharkfilterforDNSand,aswecansee,thevictimismakingDNSrequestsforhttps://www.google.com:

3. In order to hijack the browser session, we will need to send fake DNSresponsesthatwillresolvetheIPaddressofhttps://www.google.comtothehackermachine'sIPaddress192.168.0.199.Thetoolthatwewilluseforthisiscalleddnsspoofandthesyntaxisasfollows:

dnspoof–imitm-bridge

Theoutputofthecommandisasfollows:

4. Refreshthebrowserwindowsandnow,aswecanseethroughWireshark,as soon as the victim makes a DNS request for any host (includinggoogle.com),Dnsspoofrepliesback:

5. Onthevictim'smachine,weseeanerrorthatsaysUnabletoconnect.This

is because we made the IP address for google.com as 192.168.0.199,which is thehackermachine's IP,but there isnoservice listeningonport80:

6. Let'srunApacheonKaliusingthefollowingcommand:

apachet2ctlstart

Theoutputofthecommandisasfollows:

7. Now,oncewerefreshthebrowseronthevictim,wearegreetedwiththeItWorks!defaultpageofApache:

8. This demonstration shows how it is possible to intercept data and sendspoofedresponsestohijacksessionsonthevictim.

Whatjusthappened?

WedidanapplicationhijackingattackusingaWirelessMITMasthebase.Sowhathappenedbehindthescenes?TheMITMsetupensuredthatwewereableto see all the packets sent by the victim. As soon as we saw a DNS requestpacketcomingfromthevictim,theDnsspoofprogramrunningontheattacker'slaptopsentaDNSresponsetothevictimwiththeattackermachine'sIPaddressthatofgoogle.com.Thevictim'slaptopacceptedthisresponseandthebrowsersentanHTTPrequesttotheattacker'sIPaddressonport80.

Inthefirstpartoftheexperiment, therewasnolisteningprocessonport80oftheattacker'smachineandthus,Firefoxrespondedwithanerror.Then,oncewestartedtheApacheserverontheattacker'smachineonport80(thedefaultport),thebrowser'srequestedreceivedaresponsefromtheattacker'smachinewiththedefaultItWorks!page.

Thislabshowsusthat,oncewehavefullcontrolofthelowerlayers(Layer2in

thiscase),itiseasytohijackapplicationsrunningonhigherlayerssuchasDNSclientsandwebbrowsers.

Haveagohero–applicationhijackingchallenge

ThenextstepinsessionhijackingusingawirelessMITMwillbetomodifythedatabeing transmittedby the client.Explore software availableonKali calledEttercap.Thiswillhelpyoucreatesearchandreplacefiltersfornetworktraffic.

Inthischallenge,writeasimplefiltertoreplacealloccurrencesofsecurityinthenetwork traffic to insecurity. Try searching Google for security and checkwhethertheresultsshowupforinsecurityinstead.

FindingsecurityconfigurationsontheclientIn previous chapters, we have seen how to create Honeypots for open accesspoints,WEP-protectedandWPA,but,whenweare in the field and seeProbeRequests from the client, how do we know which network the probed SSIDbelongto?

Thoughthisseemstrickyatfirst,thesolutiontothisproblemissimple.Weneedto create access points advertising the same SSID but with different securityconfigurationssimultaneously.Whenaroamingclientsearchesforanetwork,itwill automatically connect to oneof these access points basedon the networkconfigurationstoredonit.

So,letthegamesbegin!

Time for action – deauthentication attacks on theclient

1. We will assume that the wireless client has a network Wireless Labconfigured on it, and it actively sends Probe Requests for this network,when it isnotconnected toanyaccesspoint. Inorder to find thesecurityconfigurationofthisnetwork,wewillneedtocreatemultipleaccesspoints.For our discussion, we will assume that the client profile is an opennetwork,WEPprotected,WPA-PSK,orWPA2-PSK.Thismeanswewillhavetocreatefouraccesspoints.Todothis,wewillfirstcreatefourvirtualinterfaces—mon0 to mon3, using the airmon-ng start wlan0 commandmultipletimes:

2. You can view all these newly created interfaces using the ifconfig –acommand:

3. NowwewillcreatetheopenAPonmon0:

4. Let'screatetheWEPprotectedAPonmon1:

5. TheWPA-PSKAPwillbeonmon2:

6. WPA2-PSKAPwillbeonmon3:

7. Wecanrunairodump-ngonthesamechanneltoensurethatallfouraccesspointsareupandrunning,asshowninthefollowingscreenshot:

8. Nowlet'sswitchtheWi-Fionontheroamingclient.DependingonwhichWirelessLabnetworkyouconnectedittopreviously,itwillconnecttothatsecurityconfiguration.Inmycase,itconnectstotheWPA-PSKnetwork,asshowninthefollowingscreenshot:

Whatjusthappened?

We created multiple Honeypots with the same SSID but different securityconfigurations.Dependingonwhichconfiguration theclienthadstored for the"WirelessLab"network,itconnectedtotheappropriateone.

This technique can come in handy as, if you are doing a penetration test, youwon't know which security configurations the client has on its laptop. Thisallows you to find the appropriate one by setting a bait for the client. ThistechniqueisalsocalledWiFishing.

Haveagohero–baitingclients

Create different security configurations on the client for the same SSID, andcheckwhetheryoursetofHoneypotsisabletodetectthem.

It is important to note that many Wi-Fi clients might not actively probe fornetworkstheyhavestoredintheirprofile.Itmightnotbepossibletodetectthesenetworksusingthetechniquewediscussedhere.

Popquiz–advancedWLANattacks

Q1.InanMITMattack,whoisinthemiddle?

1. Theaccesspoint.2. Theattacker.3. Thevictim.4. Noneoftheabove.

Q2.Dnsspoof:

1. SpoofsDNSrequests.2. SpoofsDNSresponses.3. NeedstorunontheDNSserver.4. Needstorunontheaccesspoint.

Q3.AwirelessMITMattackcanbeorchestrated:

1. Onallwirelessclientsatthesametime.2. Onlyonechannelatatime.3. OnanySSID.4. Both3and4.

Q4.WhichistheinterfaceclosesttothevictiminourMITMsetup?

1. At0.2. Eth0.3. Br0.4. En0.

SummaryIn this chapter,we learnedhow to conduct advancedattacksusingwireless asthebase.WecreatedasetupforaMITMattackoverwirelessandthenusedittoeavesdrop on the victim's traffic. We then used the same setup to hijack theapplication layer of the victim (web traffic, to be specific) using a DNSpoisoningattack.

Inthenextchapter,wewilllearnhowtoconductawirelesspenetrationtestrightfrom the planning, discovery, and attack to the reporting stage.We will alsotouchuponthebestpracticestosecureWLANs.

Chapter8.AttackingWPA-EnterpriseandRADIUS

"Thebiggertheyare,thehardertheyFall." --PopularSaying

WPA-Enterprisehasalwayshadanauraofunbreakableabilityaroundit.Mostnetwork administrators think of it as a panacea for all theirwireless securityproblems. In this chapter, we will see that nothing could be further from thetruth.

Inthischapter,wewilllearnhowtoattackWPA-EnterpriseusingdifferenttoolsandtechniquesavailableonKali.

Inthischapter,wewillcoverthefollowingtopics:

SettingupFreeRADIUS-WPEAttackingPEAPonWindowsclientsSecuritybestpracticesforEnterprises

SettingupFreeRADIUS-WPEWewillneedaRADIUSserverfororchestratingWPA-Enterpriseattacks.Themost widely used open source RADIUS server is FreeRADIUS. However,settingitupisdifficultandconfiguringitforeachattackcanbetedious.

Joshua Wright, a well-known security researcher, created a patch forFreeRADIUSthatmakesiteasiertosetupandconductattacks.Thispatchwasreleased as the FreeRADIUS-WPE (Wireless Pwnage Edition). Kali doesn'tnaturallycomewithFreeRADIUS-WPE,soyouneedtoperformthefollowingstepstosetupFreeRADIUS-WPE:

1. Navigatetohttps://github.com/brad-anton/freeradius-wpeandyouwillfindthe downloaded link at https://github.com/brad-anton/freeradius-wpe/raw/master/freeradius-server-wpe_2.1.12-1_i386.deb:

Once it is downloaded, install it with dpkg –i freeradius-server-

wpe_2.1.12-1_i386.debfollowedbyldconfig:

Let'snowquicklysetuptheRADIUSserveronKali.

Time for action – setting up the AP withFreeRADIUS-WPEFollowtheseinstructionstogetstarted:

1. Connectoneof theLANportsof theaccesspoint to theEthernetportonyourmachinerunningKali.Inourcase,theinterfaceiseth0.Bringuptheinterface and get an IP address by running DHCP, as shown in thefollowingscreenshot:

2. Login to the access point and set the security mode to WPA/WPA2-Enterprise, setVersion toWPA2,Encryption toAES.Then, under theEAP(802.1x)section,entertheRadiusServerIPaddressasyourKalibuild'sIPaddress. The Radius Password will be test, as shown in the followingscreenshot:

3. Let's now open a new terminal and go to the directory

/usr/local/etc/raddb. This is where all the FreeRADIUS-WPEconfigurationfilesare:

4. Let'sopeneap.conf.Youwillfindthatthedefault_eap_typecommandissettoMD5.Let'schangethistopeap:

5. Let'sopenclients.conf.ThisiswherewedefinetheallowedlistofclientsthatcanconnecttoourRadiusserver.Interestingly,ifyoubrowserighttothebottom,ignoringtheexamplesettings,thesecretforclientsintherange192.168.0.0/16defaultstotest.Thisisexactlywhatweusedinstep2:

6. We are now all set to start theRADIUS serverwith theradiusd–s–Xcommand:

7. Onceyourunthis,youwillseealotofdebugmessagesonthescreen,buteventuallytheserverwillsettledowntolistenforrequests.Awesome!Weareallsetnowtostartourlabsessionsinthischapter:

Whatjusthappened?

WehavesuccessfullysetupFreeRADIUS-WPE.Wewillusethisintherestoftheexperimentsthatwewilldointhischapter.

Haveagohero–playingwithRADIUS

FreeRADIUS-WPE has tons of options. It may be a good idea to familiarizeyourself with them. Most importantly, take time to check out the differentconfigurationfilesandhowtheyallworktogether.

AttackingPEAPProtected Extensible Authentication Protocol (PEAP) is the most popularversion of EAP in use. This is the EAP mechanism shipped natively withWindows.

PEAPhastwoversions:

PEAPv0 with EAP-MSCHAPv2 (the most popular as this has nativesupportonWindows)PEAPv1withEAP-GTC

PEAPusesserver-sidecertificatesforvalidationoftheRADIUSserver.AlmostallattacksonPEAPleveragemisconfigurationsincertificatevalidation.

In the next lab, we will take look at how to crack PEAP when certificatevalidationisturnedoffontheclient.

Timeforaction–crackingPEAPFollowthegiveninstructionstogetstarted:

1. Wedouble-checktheeap.conffiletoensurethatPEAPisenabled:

2. WethenrestarttheRADIUSserverwithradiusd–s–X:

3. WemonitorthelogfilecreatedbyFreeRADIUS-WPE:

4. Windows has native support for PEAP. Let's ensure that certificateverificationhasbeenturnedoff:

5. WeneedtoclickontheConfiguretabthatisnexttoSecuredpasswordandtell Windows not to automatically use our Windows logon name andpassword:

6. WewillalsohavetoforceittoselectUserauthenticationintheAdvanced

Settingsdialogbox:

7. Once the client connects to the access point, the client is prompted for ausernameandpassword.WeuseMonsterastheusernameandabcdefghiasthepassword:

8. As soon as we do this, we are able to see the MSCHAP-v2 challengeresponseappearinthelogfile:

9. Wenowuseasleaptocrackthisusingapasswordlistfilethatcontainsthepassword abcdefghi, and we are able to crack the password! (For thepurposesofthisdemonstration,wesimplycreatedaone-linefilecalledlistwiththepasswordinit):

Whatjusthappened?

We set up our Honeypot using FreeRADIUS-WPE. The enterprise client ismisconfigured to not use certificate validation with PEAP. This allows us topresentourownfakecertificatetotheclient,whichitgladlyaccepts.Oncethishappens,MSCHAP-v2,theinnerauthenticationprotocol,kicksin.Astheclientuses our fake certificate to encrypt the data,we are easily able to recover theusername,challenge,andresponsetuples.

MSCHAP-v2 is prone to dictionary attacks. We use asleap to crack thechallengeandresponsepair,asitseemstobebasedonadictionaryword.

Haveagohero–attackvariationsonPEAP

PEAPcanbemisconfigured inmultipleways.Evenwith certificatevalidationenabled,iftheadministratordoesnotmentiontheauthenticserversinconnecttothese servers list, the attacker can obtain a real certificate for another domainfrom any of the listed certifying authorities. Thiswill still be accepted by theclient.Othervariationsofthisattackarepossibleaswell.

Wewillencourageyoutoexplorethedifferentpossibilitiesinthissection.

EAP-TTLSWeencourageyou to tryattackssimilar to thosewehavesuggestedforPEAPagainstEAP-TTLS.

SecuritybestpracticesforEnterprisesWe have seen a ton of attacks against WPA/WPA2, both Personal andEnterprise.Basedonourexperience,werecommendthefollowing:

For SOHOs andmedium-sized businesses, useWPA2-PSKwith a strongpassphrase. You have up to 63 characters at your disposal.Make use ofthem.Forlargeenterprises,useWPA2-EnterprisewithEAP-TLS.Thisusesboththe client- and server-side certificates for authentication, and currently isunbreakable.IfyouhavetousePEAPorEAP-TTLSwithWPA2-Enterprise,thenensurethat certificate validation is turned on, the right certifying authorities arechosen,RADIUSserversthatareauthorizedareused,andfinally,thatanysetting that allows users to accept new RADIUS servers, certificates, orcertifyingauthoritiesisturnedoff.

Popquiz–attackingWPA-EnterpriseandRADIUS

Q1.WhichofthefollowingisFreeRADIUS-WPE?

1. ARADIUSserverwrittenfromscratch.2. ApatchtotheFreeRADIUSserver.3. ShipsbydefaultonallLinuxes.4. Noneoftheabove.

Q2.WhichofthefollowingcanbeusedtoattackPEAP?

1. Fakecredentials.2. Fakecertificates.3. UsingWPA-PSK.4. Alloftheabove.

Q3.WhatdoesEAP-TLSuse?

1. Client-sideCertificates.2. Server-sidecertificates.3. Either1or2.4. Both1and2.

Q4.WhatdoesEAP-TTLSuse?

1. Client-sidecertificatesonly.2. Server-sidecertificates.3. Password-basedauthentication.4. LEAP.

SummaryIn this chapter, we saw how we could compromise the security of a WPA-Enterprise network running PEAP or EAP-TTLS, the two most commonauthenticationmechanismsusedinEnterprises.

In thenextchapter,wewill takea lookathowtoputall thatwehave learnedintouseduringanactualpenetrationtest.

Chapter9.WLANPenetrationTestingMethodology

"Theproofisinthepudding." --Popularsaying

Thischapterwill layout thestepsthatgointotakingthetechniquestaughtinthepreviouschaptersandturningthemintoafullwirelesspenetrationtest.

WirelesspenetrationtestingTo perform a wireless penetration test, it is important to follow a definedmethodology.Simplyfiringup theairbaseorairodumpcommandandhopingfor thebestwillnot satisfy thegoalsofa test.Whenworkingasapenetrationtester, you must ensure that you adhere to the standards of the organizationyou'reworkingfor,andiftheydon'thaveany,thenyoushouldholdyourselftothehigheststandards.

Broadly, we can break up a wireless penetration testing exercise into thefollowingphases:

1. Planningphase.2. Discoveryphase.3. Attackphase.4. Reportingphase.

Wewillnowlookateachofthesephasesseparately.

PlanningInthisphase,wemustunderstandthefollowing:

Scopeoftheassessment:Thepenetrationtestershouldworkwiththeclientto define a scope that is achievable and will also provide the greatestamountof insight into the securityof anetwork.Typically, the followinginformationisgathered:

LocationofthepenetrationtestTotalcoverageareaofthepremisesApproximatenumberofaccesspointsandwirelessclientsdeployedWhichwirelessnetworksareincludedintheassessment?Isexploitationinscope?Areattacksagainstusersinscope?Isdenialofserviceinscope?

Effortestimation:Basedon thescopedefined, the testerwill thenhave toestimatehowmuchtimeisrequired.Bearinmindthatrescopingmayoccurfollowing this estimate, as organizations may have limited resourcesavailableintermsofbothtimeandmoney.Legality: Prior to performing a test, the client must give consent. Thisshould explain the testing to be covered and clearly define the level ofindemnity, insurance, and the limitations of the scope. If you are unsure,youwillneedtospeaktoaprofessionalintheseareas.Mostorganizationswill have their own versions that will likely also incorporate an Non-DisclosureAgreement(NDA).

Oncealloftheprecedingrequirementsareinplace,wearereadytogo!

DiscoveryIn this phase, the aim is to identify and apply characteristics to the wirelessdevicesandwirelessnetworkswithinthescope.

Allthetechniquestoperformthesehavebeenlaidoutinthepreviouschaptersbut,inbrief,theaimisto:

EnumeratevisibleandhiddenwirelessnetworksintheareaEnumeratedevices in thearea,alongwith thoseconnected to the targetednetworksMaptherangeofthenetworks,wheretheyarereachablefromandwhetherthere are places amalicious individual could operate from to perform anattack,forexample,acafe.

All of this information should be recorded. If the test is limited to theperformance of reconnaissance only, the testwill end here, and the testerwillattempt to draw conclusions based on this information. Some statements thatwouldbeusefultoaclientarebeasfollows:

Thenumberofdevices thathaveassociationswithopennetworksandthecorporatenetworkThenumberofdevices thathavenetworks thatcanbe linked to locationsthroughsolutionssuchasWiGLETheexistenceofweakencryptionThenetworkssetuparetoostrong

AttackOnce reconnaissance has been performed, exploitationmust be performed forproofofconcept.Iftheattackisbeingperformedaspartofaredteamorwiderassessment,thenexploitationshouldbeperformedtogainaccesstothenetworkassurreptitiouslyaspossible.

Inourattackingphase,wewillexplorethefollowing:

CrackingtheencryptionAttackingtheinfrastructureCompromisingclientsFindingvulnerableclientsFindingunauthorizedclients

Crackingtheencryption

The first step is to retrieve the keys for any vulnerable networks identified. Ifnetworks with WEP exist, perform the WEP-cracking methods explained inChapter4,WLANEncryptionFlaws.IfWPA2-securedsystemsarepresent,youhave two choices. If aiming to be stealthy, arrive on-site at times whenindividualsare likely tobeauthenticatingor re-authenticating.These timesarelikelytobe:

StartofthedayLunchtimeEndoftheday

Atthistime,setupyourWPAkeyretrievalsetupasshowninChapter4,WLANEncryptionFlaws.Alternatively,performthedeauthenticationattack,asshowninChapter6,AttackingtheClient.

Thisisnoisierandmorelikelytobedetectedinamatureorganization.

IfWPA-Enterpriseisinplace,bearinmindyouwillhavetousetheinformationgatheredfromthereconnaissance to target thecorrectnetworkandsetupyour

dummyEnterprisesetupasshownintheAttackingPEAPsectioninChapter8,AttackingWPA-EnterpriseandRADIUS.

You can attempt to break all passphrases but bear inmind that somewill beunbreakable. Following the performance of the test, check with the wirelessadministrator for the passphrase in use. Check to see whether it is a securepassphrase and that you, as a tester, did not experience a tool failure orweremerelyunlucky.

Attackinginfrastructure

Ifnetworkaccessisgainedthroughcrackingtheencryption,performastandardnetworkpenetrationtestifallowedinscope.Thefollowingshouldbeperformedasaminimum:

AportscanIdentifyingwhichservicesarerunningEnumerating any open services, such as unauthenticated FTP, SMB, orHTTPExploitinganyvulnerableservicesidentified

Compromisingclients

After enumerating and testing all wireless systems, there are various types ofengagementsthatwouldsuitperformingattacksagainstclients.

If necessary, after establishingwhich clients are vulnerable to Karma attacks,create a Honeypot to force them to connect with the methods laid out in theAttackingPEAPsectioninChapter8,AttackingWPA-EnterpriseandRADIUS.Therearevarioususefulpiecesofinformationthatcanbegatheredthroughthismethod, but ensure that the collected data serves a purpose and is stored,transmitted,andusedinanethicalandsafemanner.

ReportingFinally,attheendoftesting,itisnecessarytoreportyourfindingstotheclient.It'simportanttoensurethatthereportmatchesthequalityofyourtesting.Astheclientwillonlyseethereport,youhavetogiveitasmuchloveandattentionasyoudotoyourtesting.Thefollowingisaguidelinetothelayoutofthereport:

1. Managementsummary.2. Technicalsummary.3. Findings:

VulnerabilitydescriptionSeverityAffecteddevicesVulnerabilitytype—software/hardware/configurationRemediation

4. Appendices.

Themanagementsummaryshouldbeaimedat talking toaseniornontechnicalaudiencewith a focus on the effects andmitigations required at a high level.Avoidlanguagethatistootechnicalandensurethattherootcausesarecovered.

Thetechnicalsummaryshouldbeamidpointbetweenthemanagementsummaryand findings list. It should be aimed at a developer or a technical leadwith afocusonhowtofixtheissuesandbroadsolutionsthatcouldbeimplemented.

Thefindingslistshoulddescribeeachvulnerabilityatalowlevel,explainingthemethodstoidentify,andreplicate,andvulnerabilities.

Appendices should contain any extra information that would be too long todescribeinashortdescription.Thisiswhereanyscreenshots,proof-of-conceptcode,orstolendatashouldbepresented.

SummaryInthischapter,wediscussedamethodologyforperformingarangeofwirelesstestsandreferredtotherelevantchaptersforeachstep.Wealsolistedmethodsfor reporting vulnerabilities and techniques for making technical datapresentable. In the next and final chapter, we will cover new techniquesdevelopedsincetheinitialpublicationofthisbook,WPS,andprobemonitoringforsurveillance.

Chapter10.WPSandProbes

"Nothingisnewunderthesun." --PopularSaying

This chapter incorporates the new techniques related to attacking WPS andprobe monitoring and also covers the pineapple tool that makes much ofwireless testing a lot easier. These attacks and tools have appeared since thepublicationoftheoriginalbook,andwe'llbemakingsurewe'rebeingasholisticaspossible.

WPSattacksWirelessProtectedSetup (WPS)was introduced in2006 tohelpuserswithoutwireless knowledge to have secure networks. The idea was that their Wi-Fidevicewouldhaveasinglehiddenhardcodedvaluethatwouldallowaccesswithkeymemorization.NewdeviceswouldbeauthenticatedthroughabuttonpressontheWi-Firouter. Individualsoutsidethehousewithoutaccess to thedevicewould not be able to have access, thus reducing the issues surroundingrememberingWPAkeysorsettingshortones.

Inlate2011,asecurityvulnerabilitywasdisclosedenablingbruteforceattackson the WPS authentication system. The traffic required to negotiate a WPSexchangewasspoofable,andtheWPSpinitselfisonlyeightcharactersbetween0-9. To start with, this provides only 100,000,000 possibilities in comparisonwith an eight character azAZ09 password having 218,340,105,584,896combinations.

However,therearefurthervulnerabilities:

OftheeightcharactersoftheWPSpin,thelastcharacterisachecksumofthe previous seven and therefore predictable, leaving a maximum of10,000,000optionsIn addition, the first four and the following three of the remaining

characters are checked separately, which means that there are 104 + 103optionsor11,000

Throughthetwodecisionsmadeintheauthenticationmechanism,wehavegonefrom100,000,000possiblecombinationsto11,000.Thisequatestoasix-hoursdifference when brute-forcing the algorithm. It is these decisions that makeattacksagainstWPSviable.

Inthenextlabexercise,wewillgothroughidentifyingandattackingvulnerableWPSsetupswithWashandReaver.

Timeforaction–WPSattackFollowthegiveninstructionstogetstarted:

1. BeforeweattackaWPS-enabledaccesspoint,weneedtocreateone.TheTP-Linkweusehasthisfeatureturnedonbydefault,whichisworryingbuthandy.Todouble-checkthis,wecanlogontoourrouterandclickonWPS.Itshouldlooklikethefollowing:

2. Nowwe'veconfirmedthatit'sready.Weneedtosetupourtarget.Weneedto set upour testing environment.We'regoing touse theWash tool, andWash requiresamonitoring interface to function.Aswehavedonemanytimesbefore,weneedtosetuponewiththefollowingcommand:

airmon-ngstartwlan0

Theoutputwillbeasfollows:

3. Wehaveamonitoringinterfacesetupasmon0,andwecancallWashwiththefollowingcommand:

wash--ignore-fcs-imon0

The ignore fcs option is due to an issue with an expected format forrequeststhatwashcauses:

4. Wash will display all the nearby devices that support WPS as well aswhethertheyhaveWPSactiveorunlockedandwhatversionisrunning:

5. WecanseetheWirelessLabnetworksupportsWPS.ItusesVersion1andit'snot locked.Fantastic.Wetakenoteof theMACaddress,whichinmycase is E8:94:F6:62:1E:8E, as this will be used to target our next tool:reaver.

6. Reaverattemptstobrute-forcetheWPSpinforagivenMACaddress.Thesyntaxforstartingthisisasfollows:

reaver-imon0-b<mac>-vv

Theoutputwillbeasfollows:

7. Onceitisstarted,thetoolrunsthroughallthepossiblecombinationsfortheWPSandattemptstoauthenticate.Onceitdoesthis,itwillreturntheWPScodeandthepassword,asshowninthefollowingscreenshot:

8. With WPA-PSK in hand, we can authenticate normally now. I left mydevicewiththedefaultWPA-PSKthatmatchestheWPSpin.If,however,youwanttoauthenticatewiththeWPSpin,youcandothisbyspecifyingthepininreaverwiththefollowingcommand:

reaver-imon0-b<mac>-vv-p88404148

Replacemypinwithyourown.

Whatjusthappened?

WesuccessfullyidentifiedawirelessnetworkwithavulnerableinstanceofWPSactivewithWash.WethenusedReavertorecovertheWPAkeyandtheWPSpin. With this information, we could then authenticate with the network andcontinueanetworkpenetrationtest.

Haveagohero–ratelimiting

In thepreviousexercise,weattackedanentirelyunprotectedWPSinstallation.There are multiple methods that can be used to further secure installationswithoutremovingWPSaltogether.

Makeanattempt toset theWPSpintoanarbitraryvalueandtryagain, toseewhetherReaverisaseffectiveatcrackingit.

Acquireawirelessrouterthatallowsyoutorate-limittheWPSattempts.Tryandconfigureyourattacktoavoidtriggeringlockouts.

ProbesniffingWehavespokenaboutprobespreviously,andhowtheycanbeusedtoidentifyhiddennetworksandperformeffectiverogueaccesspointattacks.Theycanalsobe used to identify individuals as targets or track them on a mass scale withminimalequipment.

When a device wishes to connect to a network, it sends a probe request thatcontainsitsownMACaddressandthenameofthenetworkitwishestoconnectto.Wecanusetoolssuchasairodump-ngtotrackthese.However,ifwewishtoidentify whether an individual was present at a specific location at a specifictimeorlookfortrendsinWi-Fiusage,wewillneedtouseadifferentapproach.

Inthissection,wewillutilizetsharkandPythontocollectdata.Youwillreceivethecodeandanexplanationofwhatisbeingdone.

Timeforaction–collectingdataFollowthegiveninstructionstogetstarted:

1. First of all, we need a device that's looking for multiple networks.Generally,anormalsmartphonesuchasanAndroiddeviceoriPhonewilldo the trick. Desktops don't generallymake good targets as they tend toremain in one location. Newer iPhones and Android devices may haveproberequestsdisabledorobfuscated,sodocheckbeforeyougiveup.

2. Onceyouhaveyourdevice,makesuretheWi-Fiisturnedon.3. Thensetupyourmonitoringinterfaceaswehavedonemanytimesbefore:

4. Thenextthingtobedoneistolookforproberequestswithtsharkviathefollowingcommand:

tshark-n-imon0subtypeprobereq

Thescreenshotofthefollowingcommandisasfollows:

5. Youroutputatthispointisalittlerough,asthedefaultoutputfromtsharkis not designed to be readable, just to have asmuch information in it aspossible.Itshouldlooklikethefollowing:

6. You can clearly see the MAC address and SSID of the probe request;however,thisoutputcanbeimproved.Wecanusethefollowingcommandtomakeitmorereadable:

tshark –n –i mon0 subtype probereq –T fields –e

separator=-ewlan.sa–ewlan_mgt.ssid

Thescreenshotofthefollowingcommandisasfollows:

7. Theoutputhereismuchmorereadable:

8. So,nowwehavetheoutputinareadableformat,whatnext?WhatwedoiscreateaPythonscriptthatwillrunthecommandandrecordtheoutputforlater analysis. Before running the code, youwill need to ensure that youhaveyourmonitoringinterfacereadyandthatafilecalledresults.txtiscreatedinthedirectoryyouarein.ThePythonscriptisasfollows:

importsubprocess

importdatetime

results=open("results.txt","a")

while1:

blah = subprocess.check_output(["tshark –n –i mon0

subtypeprobereq–Tfields–eseparator=-ewlan.sa–e

wlan_mgt.ssid–c100"],shell=True)

splitblah=blah.split("\n")

forvalueinsplitblah[:-1]:

splitvalue=value.split("\t")

MAC=str(splitvalue[1])

SSID=str(splitvalue[2])

time=str(datetime.datetime.now())

Results.write(MAC+""+SSID+""+time+"\r\n")

Let'sgetbriefedonthepythonscript:

import subprocess library and datetime library: This allow us torefertothesubprocessanddatetimelibraries.ThesubprocesslibraryallowsustomonitortheinterfacefromtheLinuxcommandline,anddatetimeallowsustogettheaccuratetimeanddatereadings.while1:Thislinemeansrununtilstopped.results = open("results.txt", "a"): This opens a file with theappend rights and assigns it to results.The append rights only allowthe script to add to the contents of the file. This stops the file fromconstantlybeingoverwritten.blah=subprocess.check_output(["tshark–n–Imon0subtype

probereq –T fields –e separator= -e wlan.sa –e

wlan_mgt.ssid –c 100"], shell=True): This opens a shell toperformourpreviously testedtshark command.Theonlydifferencethistimeis—c100.Whatthisflagdoesisitlimitthecommandto100

queries.Thisallowsustoreturntheresultstoourselveswithouthavingtostoptheprogram.Sincewesaidrunforeverafterwritingtheresults,thescriptwillrestartagain.Thislinetakestheoutputfromtheshellandassignsittothevariableblah.splitblah = blah.split("\n"): This takes the variable blah andsplitsitbyline.forvalueinsplitblah[:-1]:Thisrepeatsthefollowingactionforeachlineintheoutput,ignoringthefirstlinethatcontainsheaders.splitvalue=value.split("\t"):Thisbreakseachlineintofurthersmallerchunksusingthetabcharacterasthedelimiter.The following three lines take each chunk of text and assign it to avariable.

MAC=str(splitvalue[1])

SSID=str(splitvalue[2])

time=str(datetime.datetime.now())

results.write(MAC+""+SSID+""+time+"\r\n"):This takesall thevalues, writes them to a file separated by spaces, and ends with areturnandanewlineforneatness.

Theoutputwillbeneatlinesoftextwrittentothefile.

Whatjusthappened?

WetooktheinputfromproberequestsandoutputthemtoafileusingPython.

You may ask yourself what the purpose of this is. This can be achieved bysimplyperformingtheoriginaltsharkcommandandaddinga>>results.txtcommandtotheend.Youwouldbecorrect;however,whatwehavecreatedisaframework for integration with other tools, visualization platforms, databases,andservices.

Forexample,usingtheWiGLEdatabasethatmapsSSIDstolocations,youcanadd a few lines of code to take the SSID variable and query the WiGLEdatabase.

Alternatively,youcouldsetupaMySQLdatabaseandoutputtheresultsthereto

performtheSQLcommandsonit.

This section has provided you with the first steps to create your own probe-monitoring tools. Through experimentation and using this simple code as thefirststep,amultitudeofusefultoolscanbecreated.

Haveagohero–extensionideas

ResearchwhichtoolsareavailablethatallowvisualizationordataanalyticsandareeasilyintegratedwithPython.ToolssuchasMaltegohavefreeversionsthatcanbeusedtoplotinformation.

Set yourself up a MySQL database to record the data and reconfigure theprecedingPythonscripttooutputtheresultstothedatabase.Then,buildanotherscript(ordoitinthesameone)toretrievethedataandoutputittoMaltego.

Reconfigure thescript toqueryWiGLE,andcollectgeolocationdataforproberequests.OutputthisdatathroughMaltego.

Makeanattempttosetupaweb-basedfrontendthroughFlask,Django,orPHPtodisplayyourresults.Investigatecurrentlyexistingsolutionsforpresentingthedataandattemptingtoemulateorimprovethemthroughadiscussionwiththeircreators.

SummaryInthischapter,wediscussedtheattacksagainstWPSthathavecomeaboutsincethe release of the original book and also performed an initial foray intointegratingwirelesstoolswithPython.Alas,wehavecometoendofthebook,Ihopeit'sbeeninformativeandinteresting.Seeyouinanothersevenyearsforthethirdedition.

AppendixA.PopQuizAnswers

Chapter1,WirelessLabSetup

Popquiz–understandingthebasics

Q1 Runthecommandifconfigwlan0.Intheoutput,youshouldseeaflag"UP",thisindicatesthatthecardisfunctional.

Q2 Youwillonlyneedaharddriveifyouwouldliketostoreanythingacrossrebootslikeconfigurationsettingsorscripts.

Q3 ItshowstheARPtableonthelocalmachine.

Q4 WewoulduseWPA_Supplicant.

Chapter2,WLANanditsInherentInsecurities

Popquiz–understandingthebasics

Q1 3

Q2 3

Q3 1

Chapter3,BypassingWLANAuthentication

Popquiz–WLANauthentication

Q1 4

Q2 2

Q3 1

Chapter4,WLANEncryptionFlaws

Popquiz–WLANencryptionflaws

Q1 3

Q2 1

Q3 2

Chapter5,AttacksontheWLANInfrastructure

Popquiz–attacksontheWLANinfrastructure

Q1 1

Q2 1

Q3 1

Q4 4

Chapter6,AttackingtheClient

Popquiz–AttackingtheClient

Q1 1

Q2 1

Q3 2

Q4 4

Chapter7,AdvancedWLANAttacks

Popquiz–advancedWLANattacks

Q1 2

Q2 2

Q3 4

Q4 1

Chapter8,AttackingWPA-EnterpriseandRADIUS

Popquiz–attackingWPA-EnterpriseandRADIUS

Q1 2

Q2 2

Q3 4

Q4 2

Index

A

accesspoint

settingup/Settinguptheaccesspointconfiguring/Timeforaction–configuringtheaccesspoint,Whatjusthappened?configuring, to useWEP /Have a go hero – configuring the accesspointtouseWEPandWPAconfiguring, to useWPA /Have a go hero – configuring the accesspointtouseWEPandWPAconnectingto/Connectingtotheaccesspointconnectingto,wirelesscardused/Timeforaction–configuringyourwirelesscard,Whatjusthappened?tables,filling/Haveagohero–fillinguptheaccesspoint'stables

accesspoints

defaultaccounts,crackingon/Defaultaccountsandcredentialsontheaccesspoint,Timeforaction–crackingdefaultaccountsontheaccesspoints,Whatjusthappened?

accounts

cracking, Brute-force attacks used / Have a go hero – crackingaccountsusingbrute-forceattacks

adapter

about/Timeforaction–experimentingwithyouradapter,Whatjusthappened?

aircrack-NGsuite

URL/Haveagohero–selectingdeauthentication

airodump-NGutility

URL/Whatjusthappened?

AP

settingup,FreeRADIUS-WPEused/Timeforaction–settinguptheAPwithFreeRADIUS-WPE,Whatjusthappened?

AP-lessWPA-Personalcracking

about/AP-lessWPA-Personalcracking

AP-lessWPAcracking

about/Timeforaction–AP-lessWPAcracking,Whatjusthappened?

applicationhijacking

challenge/Haveagohero–applicationhijackingchallenge

B

Brute-forceattacks

used,forcrackingaccounts/Haveagohero–crackingaccountsusingbrute-forceattacks

C

CaffeLatteattack

about/TheCaffeLatteattackconducting/Timeforaction–conductingaCaffeLatteattack,Whatjusthappened?

client

deauthenticating/Timeforaction–deauthenticatingtheclientsecurity configurations, finding / Finding security configurations ontheclientDe-Authenticationattack /Timeforaction–deauthenticationattacksontheclient

clients

baiting/Haveagohero–baitingclients

control

viewing / Time for action – viewingmanagement, control, and dataframes,Whatjusthappened?

controlframes

about/RevisitingWLANframes

Cowpatty

used, for crackingWPA-PSK / Have a go hero – tryingWPA-PSKcrackingwithCowpatty

D

data

collecting/Timeforaction–collectingdata

dataframes

about/RevisitingWLANframesviewing / Time for action – viewingmanagement, control, and dataframes,Whatjusthappened?

datapackets

sniffing,fornetwork/Timeforaction–sniffingdatapacketsforournetworkanalyzing/Haveagohero–analyzingdatapacketsinjecting/Timeforaction–packetinjection

De-Authenticationattack

onclient/Timeforaction–deauthenticationattacksontheclient

deauthenticationattack

about/Deauthenticationanddisassociationattacks

defaultaccounts

cracking, on access points / Default accounts and credentials on theaccesspoint,Timeforaction–crackingdefaultaccountsontheaccesspoints

Denial of Service (DoS) attack / Have a go hero – filling up the accesspoint'stablesDenialofService(DoS)attacks

about/DenialofserviceattacksDe-Authentication attack / Time for action – deauthentication DoSattacks,Whatjusthappened?Dis-Associationattack/Haveagohero–disassociationattacks

disassociationattack

about/Deauthenticationanddisassociationattacksonclient/Haveagohero–disassociationattackontheclient

discoveryphase,wirelesspenetrationtesting/Discovery

E

EAP-TTLS

about/EAP-TTLS

EAPoLKey/Timeforaction–crackingWPA-PSKweakpassphrasesEnterprises

security,bestpractices/SecuritybestpracticesforEnterprises

Ettercap/Haveagohero–applicationhijackingchallengeeviltwin

about/EviltwinandaccesspointMACspoofingand channel hopping / Have a go hero – evil twins and channelhopping

eviltwin,withMACspoofing

about/Timeforaction–eviltwinsandMACspoofing

F

filters

playingwith/Haveagohero–playingwithfilters

FreeRADIUS-WPE

settingup/SettingupFreeRADIUS-WPEURL/SettingupFreeRADIUS-WPEused, for setting up AP / Time for action – setting up the AP withFreeRADIUS-WPE,Whatjusthappened?RADIUS,playingwith/Haveagohero–playingwithRADIUS

H

hacker

tasks/HoneypotandMis-Associationattacks

Hirteattack

URL/TheHirteattackWEP,crackingwith/Timeforaction–crackingWEPwiththeHirteattack,Whatjusthappened?

Honeypotattacks

about / Honeypot and Mis-Association attacks, Have a go hero –forcingaclienttoconnecttotheHoneypot

Hydra/Haveagohero–crackingaccountsusingbrute-forceattacks

K

Kali

URL/Softwarerequirementsinstalling/InstallingKali,Timeforaction–installingKali,Whatjusthappened?installing, on Virtual Box / Have a go hero – installing Kali onVirtualBox,Haveagohero–installingKalionVirtualBox

M

MACfilters

about/MACfiltersinstructions / Time for action – beating MAC filters, What justhappened?

man-in-the-middleattack

about / A man-in-the-middle attack, Time for action – man-in-the-

middleattack,Whatjusthappened?over pure wireless / Have a go hero –man-in-the-middle over purewirelessused, for Wireless Eavesdropping / Wireless Eavesdropping usingMITM, Time for action – Wireless Eavesdropping, What justhappened?

management

viewing / Time for action – viewingmanagement, control, and dataframes

managementframes

about/RevisitingWLANframes

MessageIntegrityCheck(MIC)/WPA/WPA2Mis-Associationattack

orchestrating / Time for action – orchestrating a Mis-Associationattack,Whatjusthappened?

monitormodeinterface

creating /Timeforaction–creatingamonitormode interface,Whatjusthappened?multiplemonitormodeinterfaces,reating/Haveagohero–creatingmultiplemonitormodeinterfaces

MSCHAP-v2/Whatjusthappened?

O

OpenAuthentication

about/OpenAuthenticationbypassing/Timeforaction–bypassingOpenAuthentication

P

PairwiseMasterKey(PMK)/SpeedingupWPA/WPA2PSKcrackingPairwiseTransientKey(PTK)/WPA/WPA2Password-BasedKeyDerivationFunction(PBKDF2)/WPA/WPA2PEAP

attacking/AttackingPEAPversions/AttackingPEAPcracking/Timeforaction–crackingPEAP,Whatjusthappened?attack,variations/Haveagohero–attackvariationsonPEAPEAP-TTLS/EAP-TTLS

planningphase,wirelesspenetrationtesting/PlanningPre-Sharedkey(PSK)/WPA/WPA2PreferredNetworkList(PNL)

about/HoneypotandMis-Associationattacks

probe

sniffing/Probesniffingdata, collecting / Time for action – collecting data, What justhappened?rate,limiting/Haveagohero–extensionideas

promiscousmode/RevisitingWLANframes

R

RadioFrequency(RF)/Whatjusthappened?RADIUS

receiving/Popquiz–attackingWPA-EnterpriseandRADIUS

regulatorydomains

role/Theroleofregulatorydomainsinwirelessadapter, experimenting with / Time for action – experimenting withyouradapterexploring/Haveagohero–exploringregulatorydomains

reportingphase,wirelesspenetrationtesting/Reportingrogueaccesspoint

about/ArogueaccesspointWEP, cracking / Time for action – cracking WEP, What justhappened?challenge/Haveagohero–rogueaccesspointchallenge

S

sessionhijacking

over wireless / Session hijacking over wireless, Time for action –sessionhijackingoverwireless,Whatjusthappened?

SharedKeyAuthentication

about/SharedKeyAuthenticationbypassing/Timeforaction–bypassingSharedAuthentication

SSIDs

hidden SSIDs, uncovering / Hidden SSIDs, Time for action –uncoveringhiddenSSIDs,Whatjusthappened?deauthentication, selecting / Have a go hero – selectingdeauthentication

V

VirtualBox

Kali,installingon/Haveagohero–installingKalionVirtualBox

W

WEP

protocol/WEPencryptioncracking / Time for action – cracking WEP, What just happened?,Timeforaction–crackingWEP,Whatjusthappened?cracking,withHirteattack/Timeforaction–crackingWEPwiththeHirteattack,Whatjusthappened?

WEPconfiguration

connection / Have a go hero – establishing a connection in aWEPconfiguration

WEPnetwork

connecting to / Connecting to WEP and WPA networks, Time foraction–connectingtoaWEPnetwork

WEPpackets

decrypting / DecryptingWEP andWPA packets, Time for action –decryptingWEPandWPApackets,Whatjusthappened?

Wi-FiProtectionAccessv2(WPAv2)/WLANencryptionWiFishing/Whatjusthappened?wirelesscard

settingup/Settingupthewirelesscardconfiguring/Timeforaction–configuringyourwirelesscardused,foraccesspointconnection/Timeforaction–configuringyourwirelesscard,Whatjusthappened?

WirelessEavesdropping

MITMused/WirelessEavesdroppingusingMITM,Timeforaction–WirelessEavesdropping,Whatjusthappened?

wirelesslab

hardware,requisites/Hardwarerequirementssoftware,requisites/Softwarerequirements

wirelesspackets

sniffing/Timeforaction–sniffingwirelesspackets

wirelesspenetrationtesting

about/Wirelesspenetrationtestingplanningphase/Planningdiscoveryphase/Discoveryattackingphase/Attack,Attackinginfrastructurereportingphase/Reporting

wirelesspenetrationtesting,attackingphase

encryption,cracking/Crackingtheencryptioninfrastructure,cracking/Attackinginfrastructureclients,compromising/Compromisingclients

Wiresharktraces

about/Haveagohero–findingdifferentdevices

WLAN

authentication/Popquiz–WLANauthenticationencryption,flaws/Popquiz–WLANencryptionflaws

WLANaccesspoints

about/Defaultaccountsandcredentialsontheaccesspoint

WLANattacks/Popquiz–advancedWLANattacks

WLANencryption

about/WLANencryption

WLANframes

about/RevisitingWLANframesmanagementframes/RevisitingWLANframescontrolframes/RevisitingWLANframesdataframes/RevisitingWLANframes

WLANPacketSniffing

andInjection/Popquiz–WLANpacketsniffingandinjection

WLANSniffing

about/ImportantnoteonWLANsniffingandinjection

WPA

about/WPA/WPA2

WPA-Enterprise

receiving/Popquiz–attackingWPA-EnterpriseandRADIUS

WPA-PSK

weak passphrase, cracking / Time for action – cracking WPA-PSKweakpassphrasescracking,Cowpattyused/Haveagohero–tryingWPA-PSKcrackingwithCowpatty

WPA/WPA2PSK

cracking,speedingup/SpeedingupWPA/WPA2PSKcracking,Timeforaction–speedingupthecrackingprocess

WPA2

about/WPA/WPA2

WPAnetwork

connecting to / Connecting to WEP and WPA networks, Time foraction–connectingtoaWPAnetwork,Whatjusthappened?

WPApackets

decrypting / DecryptingWEP andWPA packets, Time for action –decryptingWEPandWPApackets,Whatjusthappened?

WPS

attacks/WPSattacks,Timeforaction–WPSattackrate,limiting/Haveagohero–ratelimiting

TableofContentsKaliLinuxWirelessPenetrationTestingBeginner'sGuide

TableofContentsKaliLinuxWirelessPenetrationTestingBeginner'sGuideCreditsAbouttheAuthorsAbouttheReviewerwww.PacktPub.com

Supportfiles,eBooks,discountoffers,andmoreWhysubscribe?FreeaccessforPacktaccountholders

DisclaimerPreface

WhatthisbookcoversWhatyouneedforthisbookWhothisbookisforConventionsReaderfeedbackCustomersupport

ErrataPiracyQuestions

1.WirelessLabSetupHardwarerequirementsSoftwarerequirementsInstallingKaliTimeforaction–installingKali

Whatjusthappened?Haveagohero–installingKalionVirtualBox

SettinguptheaccesspointTimeforaction–configuringtheaccesspoint

Whatjusthappened?Have a go hero – configuring the access point to useWEPandWPA

Settingupthewirelesscard

Timeforaction–configuringyourwirelesscardWhatjusthappened?

ConnectingtotheaccesspointTimeforaction–configuringyourwirelesscard

Whatjusthappened?Have agohero– establishing a connection in aWEPconfigurationPopquiz–understandingthebasics

Summary2.WLANanditsInherentInsecurities

RevisitingWLANframesTimeforaction–creatingamonitormodeinterface

Whatjusthappened?Have a go hero – creating multiple monitor modeinterfaces

Timeforaction–sniffingwirelesspacketsWhatjusthappened?Haveagohero–findingdifferentdevices

Timeforaction–viewingmanagement,control,anddataframesWhatjusthappened?Haveagohero–playingwithfilters

Timeforaction–sniffingdatapacketsforournetworkWhatjusthappened?Haveagohero–analyzingdatapackets

Timeforaction–packetinjectionWhatjusthappened?Haveagohero–installingKalionVirtualBox

ImportantnoteonWLANsniffingandinjectionTimeforaction–experimentingwithyouradapter

Whatjusthappened?Haveagohero–sniffingmultiplechannels

TheroleofregulatorydomainsinwirelessTimeforaction–experimentingwithyouradapter

Whatjusthappened?Haveagohero–exploringregulatorydomainsPopquiz–WLANpacketsniffingandinjection

Summary

3.BypassingWLANAuthenticationHiddenSSIDsTimeforaction–uncoveringhiddenSSIDs

Whatjusthappened?Haveagohero–selectingdeauthentication

MACfiltersTimeforaction–beatingMACfilters

Whatjusthappened?OpenAuthenticationTimeforaction–bypassingOpenAuthentication

Whatjusthappened?SharedKeyAuthenticationTimeforaction–bypassingSharedAuthentication

Whatjusthappened?Haveagohero–fillinguptheaccesspoint'stablesPopquiz–WLANauthentication

Summary4.WLANEncryptionFlaws

WLANencryptionWEPencryptionTimeforaction–crackingWEP

Whatjusthappened?Have a go hero – fake authentication with WEPcracking

WPA/WPA2Timeforaction–crackingWPA-PSKweakpassphrases

Whatjusthappened?Have a go hero – trying WPA-PSK cracking withCowpatty

SpeedingupWPA/WPA2PSKcrackingTimeforaction–speedingupthecrackingprocess

Whatjusthappened?DecryptingWEPandWPApacketsTimeforaction–decryptingWEPandWPApackets

Whatjusthappened?ConnectingtoWEPandWPAnetworksTimeforaction–connectingtoaWEPnetwork

Whatjusthappened?Timeforaction–connectingtoaWPAnetwork

Whatjusthappened?Popquiz–WLANencryptionflaws

Summary5.AttacksontheWLANInfrastructure

DefaultaccountsandcredentialsontheaccesspointTimeforaction–crackingdefaultaccountsontheaccesspoints

Whatjusthappened?Have a go hero – cracking accounts using brute-forceattacks

DenialofserviceattacksTimeforaction–deauthenticationDoSattacks

Whatjusthappened?Haveagohero–disassociationattacks

EviltwinandaccesspointMACspoofingTimeforaction–eviltwinsandMACspoofing

Whatjusthappened?Haveagohero–eviltwinsandchannelhopping

ArogueaccesspointTimeforaction–crackingWEP

Whatjusthappened?Haveagohero–rogueaccesspointchallengePopquiz–attacksontheWLANinfrastructure

Summary6.AttackingtheClient

HoneypotandMis-AssociationattacksTimeforaction–orchestratingaMis-Associationattack

Whatjusthappened?Have a go hero – forcing a client to connect to theHoneypot

TheCaffeLatteattackTimeforaction–conductingaCaffeLatteattack

Whatjusthappened?Haveagohero–practisemakesperfect!

DeauthenticationanddisassociationattacksTimeforaction–deauthenticatingtheclient

Whatjusthappened?Haveagohero–disassociationattackontheclient

TheHirteattackTimeforaction–crackingWEPwiththeHirteattack

Whatjusthappened?Haveagohero–practise,practise,practise

AP-lessWPA-PersonalcrackingTimeforaction–AP-lessWPAcracking

Whatjusthappened?Haveagohero–AP-lessWPAcrackingPopquiz–attackingtheclient

Summary7.AdvancedWLANAttacks

Aman-in-the-middleattackTimeforaction–man-in-the-middleattack

Whatjusthappened?Haveagohero–man-in-the-middleoverpurewireless

WirelessEavesdroppingusingMITMTimeforaction–WirelessEavesdropping

Whatjusthappened?Haveagohero–findingGooglesearches

SessionhijackingoverwirelessTimeforaction–sessionhijackingoverwireless

Whatjusthappened?Haveagohero–applicationhijackingchallenge

FindingsecurityconfigurationsontheclientTimeforaction–deauthenticationattacksontheclient

Whatjusthappened?Haveagohero–baitingclientsPopquiz–advancedWLANattacks

Summary8.AttackingWPA-EnterpriseandRADIUS

SettingupFreeRADIUS-WPETimeforaction–settinguptheAPwithFreeRADIUS-WPE

Whatjusthappened?Haveagohero–playingwithRADIUS

AttackingPEAP

Timeforaction–crackingPEAPWhatjusthappened?Haveagohero–attackvariationsonPEAP

EAP-TTLSSecuritybestpracticesforEnterprises

Popquiz–attackingWPA-EnterpriseandRADIUSSummary

9.WLANPenetrationTestingMethodologyWirelesspenetrationtestingPlanningDiscoveryAttack

CrackingtheencryptionAttackinginfrastructureCompromisingclients

ReportingSummary

10.WPSandProbesWPSattacksTimeforaction–WPSattack

Whatjusthappened?Haveagohero–ratelimiting

ProbesniffingTimeforaction–collectingdata

Whatjusthappened?Haveagohero–extensionideas

SummaryA.PopQuizAnswers

Chapter1,WirelessLabSetupPopquiz–understandingthebasics

Chapter2,WLANanditsInherentInsecuritiesPopquiz–understandingthebasics

Chapter3,BypassingWLANAuthenticationPopquiz–WLANauthentication

Chapter4,WLANEncryptionFlawsPopquiz–WLANencryptionflaws

Chapter5,AttacksontheWLANInfrastructure

Popquiz–attacksontheWLANinfrastructureChapter6,AttackingtheClient

Popquiz–AttackingtheClientChapter7,AdvancedWLANAttacks

Popquiz–advancedWLANattacksChapter8,AttackingWPA-EnterpriseandRADIUS

Popquiz–attackingWPA-EnterpriseandRADIUSIndex