kali linux wireless penetration testing beginner's guide - chadshare
TRANSCRIPT
TableofContents
KaliLinuxWirelessPenetrationTestingBeginner'sGuideCreditsAbouttheAuthorsAbouttheReviewerwww.PacktPub.com
Supportfiles,eBooks,discountoffers,andmoreWhysubscribe?FreeaccessforPacktaccountholders
DisclaimerPreface
WhatthisbookcoversWhatyouneedforthisbookWhothisbookisforConventionsReaderfeedbackCustomersupportErrataPiracyQuestions
1.WirelessLabSetupHardwarerequirementsSoftwarerequirementsInstallingKaliTimeforaction–installingKaliWhatjusthappened?Haveagohero–installingKalionVirtualBoxSettinguptheaccesspointTimeforaction–configuringtheaccesspointWhatjusthappened?Haveagohero–configuringtheaccesspointtouseWEPandWPASettingupthewirelesscardTimeforaction–configuringyourwirelesscardWhatjusthappened?Connectingtotheaccesspoint
Timeforaction–configuringyourwirelesscardWhatjusthappened?Haveagohero–establishingaconnectioninaWEPconfigurationPopquiz–understandingthebasicsSummary
2.WLANanditsInherentInsecuritiesRevisitingWLANframesTimeforaction–creatingamonitormodeinterfaceWhatjusthappened?Haveagohero–creatingmultiplemonitormodeinterfacesTimeforaction–sniffingwirelesspacketsWhatjusthappened?Haveagohero–findingdifferentdevicesTimeforaction–viewingmanagement,control,anddataframesWhatjusthappened?Haveagohero–playingwithfiltersTimeforaction–sniffingdatapacketsforournetworkWhatjusthappened?Haveagohero–analyzingdatapacketsTimeforaction–packetinjectionWhatjusthappened?Haveagohero–installingKalionVirtualBoxImportantnoteonWLANsniffingandinjectionTimeforaction–experimentingwithyouradapterWhatjusthappened?Haveagohero–sniffingmultiplechannelsTheroleofregulatorydomainsinwirelessTimeforaction–experimentingwithyouradapterWhatjusthappened?Haveagohero–exploringregulatorydomainsPopquiz–WLANpacketsniffingandinjectionSummary
3.BypassingWLANAuthenticationHiddenSSIDsTimeforaction–uncoveringhiddenSSIDsWhatjusthappened?Haveagohero–selectingdeauthentication
MACfiltersTimeforaction–beatingMACfiltersWhatjusthappened?OpenAuthenticationTimeforaction–bypassingOpenAuthenticationWhatjusthappened?SharedKeyAuthenticationTimeforaction–bypassingSharedAuthenticationWhatjusthappened?Haveagohero–fillinguptheaccesspoint'stablesPopquiz–WLANauthenticationSummary
4.WLANEncryptionFlawsWLANencryptionWEPencryptionTimeforaction–crackingWEPWhatjusthappened?Haveagohero–fakeauthenticationwithWEPcrackingWPA/WPA2Timeforaction–crackingWPA-PSKweakpassphrasesWhatjusthappened?Haveagohero–tryingWPA-PSKcrackingwithCowpattySpeedingupWPA/WPA2PSKcrackingTimeforaction–speedingupthecrackingprocessWhatjusthappened?DecryptingWEPandWPApacketsTimeforaction–decryptingWEPandWPApacketsWhatjusthappened?ConnectingtoWEPandWPAnetworksTimeforaction–connectingtoaWEPnetworkWhatjusthappened?Timeforaction–connectingtoaWPAnetworkWhatjusthappened?Popquiz–WLANencryptionflawsSummary
5.AttacksontheWLANInfrastructureDefaultaccountsandcredentialsontheaccesspoint
Timeforaction–crackingdefaultaccountsontheaccesspointsWhatjusthappened?Haveagohero–crackingaccountsusingbrute-forceattacksDenialofserviceattacksTimeforaction–deauthenticationDoSattacksWhatjusthappened?Haveagohero–disassociationattacksEviltwinandaccesspointMACspoofingTimeforaction–eviltwinsandMACspoofingWhatjusthappened?Haveagohero–eviltwinsandchannelhoppingArogueaccesspointTimeforaction–crackingWEPWhatjusthappened?Haveagohero–rogueaccesspointchallengePopquiz–attacksontheWLANinfrastructureSummary
6.AttackingtheClientHoneypotandMis-AssociationattacksTimeforaction–orchestratingaMis-AssociationattackWhatjusthappened?Haveagohero–forcingaclienttoconnecttotheHoneypotTheCaffeLatteattackTimeforaction–conductingaCaffeLatteattackWhatjusthappened?Haveagohero–practisemakesperfect!DeauthenticationanddisassociationattacksTimeforaction–deauthenticatingtheclientWhatjusthappened?Haveagohero–disassociationattackontheclientTheHirteattackTimeforaction–crackingWEPwiththeHirteattackWhatjusthappened?Haveagohero–practise,practise,practiseAP-lessWPA-PersonalcrackingTimeforaction–AP-lessWPAcrackingWhatjusthappened?
Haveagohero–AP-lessWPAcrackingPopquiz–attackingtheclientSummary
7.AdvancedWLANAttacksAman-in-the-middleattackTimeforaction–man-in-the-middleattackWhatjusthappened?Haveagohero–man-in-the-middleoverpurewirelessWirelessEavesdroppingusingMITMTimeforaction–WirelessEavesdroppingWhatjusthappened?Haveagohero–findingGooglesearchesSessionhijackingoverwirelessTimeforaction–sessionhijackingoverwirelessWhatjusthappened?Haveagohero–applicationhijackingchallengeFindingsecurityconfigurationsontheclientTimeforaction–deauthenticationattacksontheclientWhatjusthappened?Haveagohero–baitingclientsPopquiz–advancedWLANattacksSummary
8.AttackingWPA-EnterpriseandRADIUSSettingupFreeRADIUS-WPETimeforaction–settinguptheAPwithFreeRADIUS-WPEWhatjusthappened?Haveagohero–playingwithRADIUSAttackingPEAPTimeforaction–crackingPEAPWhatjusthappened?Haveagohero–attackvariationsonPEAPEAP-TTLSSecuritybestpracticesforEnterprisesPopquiz–attackingWPA-EnterpriseandRADIUSSummary
9.WLANPenetrationTestingMethodologyWirelesspenetrationtesting
PlanningDiscoveryAttackCrackingtheencryptionAttackinginfrastructureCompromisingclientsReportingSummary
10.WPSandProbesWPSattacksTimeforaction–WPSattackWhatjusthappened?Haveagohero–ratelimitingProbesniffingTimeforaction–collectingdataWhatjusthappened?Haveagohero–extensionideasSummary
A.PopQuizAnswersChapter1,WirelessLabSetupPopquiz–understandingthebasicsChapter2,WLANanditsInherentInsecuritiesPopquiz–understandingthebasicsChapter3,BypassingWLANAuthenticationPopquiz–WLANauthenticationChapter4,WLANEncryptionFlawsPopquiz–WLANencryptionflawsChapter5,AttacksontheWLANInfrastructurePopquiz–attacksontheWLANinfrastructureChapter6,AttackingtheClientPopquiz–AttackingtheClientChapter7,AdvancedWLANAttacksPopquiz–advancedWLANattacksChapter8,AttackingWPA-EnterpriseandRADIUSPopquiz–attackingWPA-EnterpriseandRADIUS
Index
Kali Linux Wireless Penetration Testing Beginner'sGuideCopyright©2015PacktPublishing
Allrightsreserved.Nopartofthisbookmaybereproduced,storedinaretrievalsystem,or transmitted in any formorby anymeans,without thepriorwrittenpermissionofthepublisher,exceptinthecaseofbriefquotationsembeddedincriticalarticlesorreviews.
Everyefforthasbeenmadeinthepreparationofthisbooktoensuretheaccuracyoftheinformationpresented.However,theinformationcontainedinthisbookissoldwithoutwarranty,eitherexpressorimplied.Neithertheauthors,norPacktPublishing,and itsdealersanddistributorswillbeheld liable foranydamagescausedorallegedtobecauseddirectlyorindirectlybythisbook.
PacktPublishinghasendeavoredtoprovidetrademarkinformationaboutallofthe companies and productsmentioned in this book by the appropriate use ofcapitals. However, Packt Publishing cannot guarantee the accuracy of thisinformation.
Firstpublished:September2011
Secondedition:March2015
Productionreference:1230315
PublishedbyPacktPublishingLtd.
LiveryPlace
35LiveryStreet
BirminghamB32PB,UK.
ISBN978-1-78328-041-4
www.packtpub.com
CreditsAuthors
VivekRamachandran
CameronBuchanan
Reviewer
MarcoAlamanni
CommissioningEditor
ErolStaveley
AcquisitionEditor
SamWood
ContentDevelopmentEditor
ShubhangiDhamgaye
TechnicalEditor
NaveenkumarJain
CopyEditor
RashmiSawant
ProjectCoordinator
HarshalVed
Proofreaders
SimranBhogal
StephenCopestake
Indexer
MonicaAjmeraMehta
ProductionCoordinator
KomalRamchandani
CoverWork
KomalRamchandani
AbouttheAuthorsVivek Ramachandran has been working on Wi-Fi Security since 2003. Hediscovered the Caffe Latte attack and also broke WEP Cloaking, a WEPprotectionschema,publicly in2007atDEFCON. In2011,hewas the first todemonstrate how malware could use Wi-Fi to create backdoors, worms, andevenbotnets.
Earlier,hewasoneoftheprogrammersofthe802.1xprotocolandPortSecurityinCisco's6500Catalyst seriesofswitchesandwasalsooneof thewinnersoftheMicrosoftSecurityShootoutcontestheld inIndiaamongareported65,000participants. He is best known in the hacker community as the founder ofSecurityTube.net,whereheroutinelypostsvideosonWi-FiSecurity,assemblylanguage, exploitation techniques, and so on. SecurityTube.net receives over100,000uniquevisitorsamonth.
Vivek'sworkonwirelesssecurityhasbeenquoted inBBCOnline, InfoWorld,MacWorld,TheRegister,ITWorldCanada,andsoon.Thisyear,hewillspeakor train at a number of security conferences, including Blackhat, Defcon,Hacktivity, 44con, HITB-ML, BruCON Derbycon, Hashdays, SecurityZone,SecurityByte,andsoon.
Iwouldliketothankmylovelywifeforallherhelpandsupportduringthebook-writingprocess.Iwouldalsoliketothankmyparents,grandparents,andsisterforbelievinginmeandencouragingmeforall theseyears,andlast but not least, Iwould like to thank all the users of SecurityTube.netwhohavealwaysbeenbehindmeand supportingallmywork.Youguysrock!
CameronBuchananisapenetrationtesterbytradeandawriterinhissparetime.He has performed penetration tests around the world for a variety of clientsacrossmany industries. Previously, hewas amember of the RAF.He enjoysdoingstupidthings,suchastryingtomakethingsfly,gettingelectrocuted,anddunkinghimselfinfreezingcoldwaterinhissparetime.HeismarriedandlivesinLondon.
AbouttheReviewerMarco Alamanni has professional experience working as a Linux systemadministrator and information security administrator, in banks and financialinstitutions,inItalyandPeru.HeholdsaBScdegreeincomputerscienceandanMSc degree in information security. His interests in information technologyinclude ethical hacking, digital forensics, malware analysis, Linux, andprogramming, among others. He also collaborates with ITmagazines, writingarticlesaboutLinuxandITsecurity.
I'd like to thank my family and Packt Publishing for giving me theopportunitytoreviewthisbook.
www.PacktPub.com
Supportfiles,eBooks,discountoffers,andmoreFor support files and downloads related to your book, please visitwww.PacktPub.com.
Didyouknow thatPacktofferseBookversionsofeverybookpublished,withPDF and ePub files available? You can upgrade to the eBook version atwww.PacktPub.comand,asaprintbookcustomer,youareentitledtoadiscountontheeBookcopy.Getintouchwithusat<[email protected]>formoredetails.
Atwww.PacktPub.com,youcanalsoreadacollectionoffreetechnicalarticles,sign up for a range of free newsletters, and receive exclusive discounts andoffersonPacktbooksandeBooks.
https://www2.packtpub.com/books/subscription/packtlib
Doyouneed instant solutions toyour ITquestions?PacktLib isPackt'sonlinedigitalbooklibrary.Here,youcansearch,access,andreadPackt'sentirelibraryofbooks.
Whysubscribe?
FullysearchableacrosseverybookpublishedbyPacktCopyandpaste,print,andbookmarkcontentOndemandandaccessibleviaawebbrowser
FreeaccessforPacktaccountholders
If youhave an accountwithPackt atwww.PacktPub.com,youcanuse this toaccess PacktLib today and view 9 entirely free books. Simply use your logincredentialsforimmediateaccess.
DisclaimerThecontentwithinthisbookisforeducationalpurposesonly.It isdesignedtohelpuserstesttheirownsystemagainstinformationsecuritythreatsandprotecttheir IT infrastructure fromsimilar attacks.PacktPublishingand the authorofthis book take no responsibility for actions resulting from the inappropriateusageoflearningmaterialcontainedwithinthisbook.
PrefaceWirelessNetworkshavebecomeubiquitousintoday'sworld.Millionsofpeopleuseitworldwideeverydayattheirhomes,officesandpublichotspotstologontotheInternetanddobothpersonalandprofessionalwork.Eventhoughwirelessmakeslifeincrediblyeasyandgivesussuchgreatmobility,itcomeswithrisks.In recent times, insecure wireless networks have been used to break intocompanies,banksandgovernmentorganizations.Thefrequencyoftheseattacksisonlyintensified,asnetworkadministratorsarestillcluelesswhenitcomestosecuringwirelessnetworksinarobustandfoolproofway.
Kali LinuxWirelessPenetrationTestingBeginner'sGuide is aimed at helpingthe reader understand the insecurities associated with wireless networks, andhowtoconductpenetrationteststofindandplugthem.Thisisanessentialreadfor thosewhowould like to conduct security audits onwireless networks andalways wanted a step-by-step practical. As every wireless attack explained inthis book is immediately followed by a practical demo, the learning is verycomplete.
WehavechosenKaliLinuxastheplatformtotestallthewirelessattacksinthisbook. Backtrack, as most of you may already be aware, is the world's mostpopular penetration testing distribution. It contains hundreds of security andhackingtools,someofwhichwewilluseinthiscourseofthisbook.
WhatthisbookcoversChapter1,WirelessLabSetup:Therearedozensofexerciseswewillbedoinginthis book. In order to be able to try themout, the readerwill need to setup awirelesslab.Thischapterfocusesonhowtocreateawirelesstestinglabusingoff-the-shelfhardwareandopensourcesoftware.Wewillfirstlookathardwarerequirements, which include wireless cards, antennas, access points and otherWi-Fienableddevices,thenwewillshiftourfocustothesoftwarerequirementswhichincludetheoperatingsystem,Wi-Fidriversandsecuritytools.Finally,wewill create a test bed for our experiments and verify different wirelessconfigurationsonit.
Chapter2,WLANanditsInherentInsecurities:Thischapterfocusesoninherentdesign flaws inwireless networks, thatmake insecureout-of-the-box.Wewillbegin with a quick recap of the 802.11 WLAN protocols using a networkanalyzercalledWireshark.Thiswillgiveusapracticalunderstandingabouthowtheseprotocolswork.Mostimportantly,wewillseehowclientandaccesspointcommunication works at the packer level by analyzingManagement, ControlandDataframes.Wewillthenlearnaboutpacketinjectionandpackersniffinginwirelessnetworks,andlookatsometoolswhichenableustodothesame.
Chapter 3, Bypassing WLAN Authentication: Now we get into how to breakWLANauthenticationmechanism!Wewillgostepbystepandexplorehowtosubvert Open and Shared Key authentications. In the course of this, you willlearn how to analyse wireless packets and figure out the authenticationmechanismofthenetwork.WewillalsolookathowtobreakintonetworkswithHiddenSSIDandMACFilteringenabled.Thesearetwocommonmechanismsemployed by network administrators tomakewireless networksmore stealthyanddifficulttopenetrate;however,theseareextremelysimpletobypass.
Chapter 4,WLANEncryption Flaws: One of themost vulnerable parts of theWLANprotocolistheEncryptionschemas–WEP,WPAandWPA2.Overthepast decade hackers have found multiple flaws in these schemas and havewrittenpublicallyavailablesoftware tobreak themanddecrypt thedata.Also,even thoughWPA/WPA2 is secure by design,misconfiguring those opens upsecurity vulnerabilities, that can be easily exploited. In this chapter, we will
understandtheinsecuritiesineachoftheseencryptionschemasanddopracticaldemosonhowtobreakthem.
Chapter5,AttacksontheWLANInfrastructure:WewillnowshiftourfocustoWLANInfrastructurevulnerabilities.Wewilllookatvulnerabilitiescreatedduetobothconfigurationanddesignproblem.WewilldopracticaldemosofattackssuchasaccesspointMACspoofing,bitflippingandreplayattacks,rogueaccesspoints, fuzzinganddenialofservices.Thischapterwillgive thereaderasolidunderstandingofhowtodoapenetrationtestoftheWLANinfrastructure.
Chapter6,AttackingtheClient:Thischaptermightopenyoureyesifyoualwaysbelievedthatwirelessclientsecuritywassomethingyoudidnothave toworryabout! Most people exclude the client from their list when they think aboutWLANsecurity.Thischapterwillprovebeyonddoubtwhytheclientisjustasimportant as the access pointwhen penetration testing aWLANnetwork.Wewill look at how to compromise the security using client side attacks such asMiss-Association, Caffe Latte, disassociation, ad-hoc connections, fuzzing,honeypotsandahostofothers.
Chapter7,AdvancedWLANAttacks:Nowthatwehavealreadycoveredmostofthebasicattacksonboththeinfrastructureandtheclient,wewilllookatmoreadvancedattacksinthischapter.Theseattackstypicallyinvolveusingmultiplebasic attacks in conjunction to break security in more challenging scenarios.Someoftheattackswhichwewilllearnincludewirelessdevicefingerprinting,man-in-the-middle over wireless, evading wireless intrusion detection andpreventionsystems, rogueaccesspointsoperatingusingcustomprotocolandacouple of others. This chapter presents the absolute bleeding edge inwirelessattacksoutintherealworld.
Chapter8,AttackingWPA-EnterpriseandRADIUS:Thischaptergraduates theusertothenextlevelbyintroducinghimtoadvancedattacksonWPA-EnterpriseandtheRADIUSserversetup.TheseattackswillcomeinhandywhenthereaderhastopenetrationtestlargeenterprisenetworkswhichrelyonWPA-EnterpriseandRADIUSauthentication toprovide themwithsecurity.This isprobablyasadvancedasWi-Fiattackscangetintherealworld.
Chapter 9, WLAN Penetrating Testing Methodology: This is where all thelearningfromthepreviouschapterscomestogether,andwewilllookathowto
doawirelesspenetrationtestinasystematicandmethodicalway.Wewilllearnabout the various phases of penetration testing—Planning, Discovery, Attackand Reporting, and apply it to wireless penetration testing. We will alsounderstandhowtoproposerecommendationsandbestpracticesafterawirelesspenetrationtest.
Chapter 10,WPSandProbes: This chapter covers the two new attacks in theindustry that have developed since the initial publication of this book—WPSbrute-forceandprobesniffingformonitoring.
WhatyouneedforthisbookTo follow and recreate the practical exercises in this book youwill need twolaptopswithbuiltinWi-Ficards,aUSBwirelessWi-Fiadapter,KaliLinuxandsomeotherhardwareandsoftware.WehavedetailedthisinChapter1,WirelessLabSetup.
As an alternate to the two laptops, you could also create a Virtual MachinehousingKaliLinuxandconnectthecardtoitovertheUSBinterface.Thiswillhelpyougetstartedwithusingthisbookmuchfaster,butwewouldrecommendadedicatedmachinerunningKaliLinuxforactualassessmentsinthefield.
From a prerequisite perspective, readers should be aware of the basics ofwirelessnetworks.Thisincludeshavingpriorknowledgeaboutthebasicsofthe802.11protocolandclient-accesspointcommunication.Thoughwewillbrieflytouchupon someof thiswhenwe setup the lab, it is expected that theuser isalreadyawareoftheseconcepts.
WhothisbookisforThoughthisbookisaBeginner'sseries,itismeantforalllevelsofusers,fromamateurs right through to wireless security experts. There is something foreveryone.Thebookstartswithsimpleattacksbutthenmovesontoexplainthemorecomplicatedones,andfinallydiscussesbleedingedgeattacksandresearch.As all attacks are explained using practical demonstrations, it is very easy forreadersatalllevelstoquicklytrytheattackoutbythemselves.Pleasenotethateven though the book highlights the different attacks, which can be launchedagainstawirelessnetwork, therealpurpose is toeducate theuser tobecomeawirelesspenetrationtester.Anadeptpenetrationtesterwouldunderstandalltheattacksoutthereandwouldbeabletodemonstratethemwithease,ifrequestedbyhisclient.
ConventionsIn thisbook,youwill findanumberof stylesof text thatdistinguishbetweendifferentkindsof information.Herearesomeexamplesof thesestyles,andanexplanationoftheirmeaning.
Code words in text, database table names, folder names, filenames, fileextensions,pathnames,dummyURLs,userinput,andTwitterhandlesareshownasfollows:"Openaconsoleterminalandtypeiniwconfig."
Anycommand-lineinputoroutputiswrittenasfollows:
airodump-ng –bssid 00:21:91:D2:8E:25 --channel 11 --write
WEPCrackingDemomon0
Newtermsandimportantwordsareshowninbold.Words thatyouseeonthescreen,inmenusordialogboxesforexample,appearinthetextlikethis:"BootthelaptopwiththisDVDandselecttheoptionInstallfromtheBootmenu."
Note
Warningsorimportantnotesappearinaboxlikethis.
Tip
Tipsandtricksappearlikethis.
ReaderfeedbackFeedback from our readers is always welcome. Let us know what you thinkabout this book—what you liked or may have disliked. Reader feedback isimportantforustodeveloptitlesthatyoureallygetthemostoutof.
To send us general feedback, simply send an e-mail to<[email protected]>, andmention the book title via the subject of yourmessage.
If there is a topic that you have expertise in and you are interested in eitherwriting or contributing to a book, see our author guide onwww.packtpub.com/authors.
CustomersupportNowthatyouaretheproudownerofaPacktbook,wehaveanumberofthingstohelpyoutogetthemostfromyourpurchase.
Errata
Although we have taken every care to ensure the accuracy of our content,mistakesdohappen.Ifyoufindamistakeinoneofourbooks—maybeamistakeinthetextorthecode—wewouldbegratefulifyouwouldreportthistous.Bydoing so, you can save other readers from frustration and help us improvesubsequentversionsof thisbook. Ifyoufindanyerrata,please report thembyvisiting http://www.packtpub.com/submit-errata, selecting your book, clickingontheerratasubmissionformlink,andenteringthedetailsofyourerrata.Onceyourerrataareverified,yoursubmissionwillbeacceptedandtheerratawillbeuploadedonourwebsite,oraddedtoanylistofexistingerrata,undertheErratasection of that title. Any existing errata can be viewed by selecting your titlefromhttp://www.packtpub.com/support.
Piracy
Piracy of copyright material on the Internet is an ongoing problem across allmedia. At Packt, we take the protection of our copyright and licenses veryseriously.Ifyoucomeacrossanyillegalcopiesofourworks,inanyform,ontheInternet, please provide us with the location address or website nameimmediatelysothatwecanpursuearemedy.
Please contact us at <[email protected]> with a link to the suspectedpiratedmaterial.
Weappreciateyourhelpinprotectingourauthors,andourabilitytobringyouvaluablecontent.
Questions
Youcancontactusat<[email protected]>ifyouarehavingaproblemwithanyaspectofthebook,andwewilldoourbesttoaddressit.
Chapter1.WirelessLabSetup
"IfIhadeighthourstochopdownatree,I'dspendsixhourssharpeningmyaxe." --AbrahamLincoln,16thUSPresident
Behindeverysuccessfulexecutionishoursordaysofpreparation,andwirelesspenetrationtestingisnoexception.Inthischapter,wewillcreateawirelesslabthat we will use for our experiments in this book. Consider this lab as yourpreparationarenabeforeyoudiveintoreal-worldpenetrationtesting!
Wirelesspenetrationtestingisapracticalsubject,anditisimportanttofirstsetupalabwherewecantryoutallthedifferentexperimentsinthisbookinasafeandcontrolledenvironment.It is important thatyousetupthis labfirstbeforemovingoninthisbook.
Inthischapter,wewilltakealookatthefollowing:
HardwareandsoftwarerequirementsInstallingKaliSettingupanaccesspointandconfiguringitInstallingthewirelesscardTestingconnectivitybetweenthelaptopandtheaccesspoint
Soletthegamesbegin!
HardwarerequirementsWewillneedthefollowinghardwaretosetupthewirelesslab:
Two laptopswith internalWi-Ficards:Wewilluseoneof the laptopsasthevictiminourlabandtheotherasthepenetrationtester'slaptop.Thoughalmostanylaptopwouldfitthisprofile,laptopswithatleast3GBRAMaredesirable. This is becausewemay be running a lot ofmemory-intensive
softwareinourexperiments.Onewireless adapter (optional): Depending on the wireless card of yourlaptop,wemayneed aUSBWi-Fi card that can support packet injectionandpacketsniffing,whichissupportedbyKali.Thebestchoiceseemstobe theAlfaAWUS036H card fromAlfaNetworks, asKali supports thisout-of-the-box.Thisisavailableonwww.amazon.comforaretailpriceof£18 at the time of writing. An alternative option is the Edimax EW-7711UAN,whichissmallerand,marginally,cheaper.One access point: Any access point that supports WEP/WPA/WPA2encryption standards would fit the bill. I will be using a TP-LINK TL-WR841NWireless router for thepurposeof illustration in thisbook.Youcan purchase it fromAmazon.com for a retail price of around £20 at thetimeofwriting.AnInternetconnection:Thiswillcome inhandyforperformingresearch,downloadingsoftware,andforsomeofourexperiments.
SoftwarerequirementsWewillneedthefollowingsoftwaretosetupthewirelesslab:
Kali:Thissoftwarecanbedownloadedfromtheofficialwebsitelocatedathttp://www.kali.org.Thesoftwareisopensource,andyoushouldbeabletodownloaditdirectlyfromthewebsite.WindowsXP/Vista/7:Youwill need any one ofWindowsXP,WindowsVista, orWindows 7 installed on one of the laptops. This laptopwill beusedasthevictimmachinefortherestofthebook.
Note
Itisimportanttonotethat,eventhoughweareusingaWindows-basedOSfor our tests, the techniques learnt can be applied to any Wi-Fi-capabledevicessuchassmartphonesandtablets,amongothers.
InstallingKaliLet'snowquicklytakealookathowtogetup-and-runningwithKali.
Kali will be installed on the laptop that will serve as the penetration tester'smachinefortherestofthebook.
Timeforaction–installingKaliKaliisrelativelysimpletoinstall.WewillrunKalibybootingitasaLiveDVDandtheninstallitontheharddrive.
Performthefollowinginstructionsstepbystep:
Burn theKali ISO (weareusing theKali 32-bit ISO)youdownloadedonto abootableDVD.
1. BootthelaptopwiththisDVDandselecttheoptionInstallfromtheBootmenu:
2. Ifbootingwassuccessful,thenyoushouldseeanawesomeretroscreenasfollows:
3. This installer issimilar totheGUI-basedinstallersofmostLinuxsystemsand should be simple to follow. Select the appropriate options in everyscreen and start the installation process. Once the installation is done,restartthemachineaspromptedandremovetheDVD.
4. Once themachine restarts, a login screen will be displayed. Type in thelogin as root and the password as whatever you set it to during theinstallationprocess.YoushouldnowbeloggedintoyourinstalledversionofKali.Congratulations!
Iwillchangethedesktopthemeandsomesettingsforthisbook.Feelfreetouseyourownthemesandcolorsettings!
Whatjusthappened?
WehavesuccessfullyinstalledKalionthelaptop!Wewillusethislaptopasthepenetrationtester'slaptopforallotherexperimentsinthisbook.
Haveagohero–installingKalionVirtualBox
WecanalsoinstallKaliwithinvirtualizationsoftwaresuchasVirtualBox.Ifyoudon't want to dedicate a full laptop to Kali, this is the best option. Kali'sinstallationprocessinVirtualBoxisexactlythesame.Theonlydifferenceisthepre-setup,whichyouwillhavetocreateinVirtualBox.Haveagoatit!YoucandownloadVirtualBoxfromhttp://www.virtualbox.org.
Oneof theotherwaysinwhichwecaninstallanduseKali isviaUSBdrives.ThisisparticularlyusefulifyoudonotwanttoinstallontheharddrivebutstillwanttostorepersistentdataonyourKaliinstance,suchasscriptsandnewtools.Weencourageyoutotrythisoutaswell!
SettinguptheaccesspointNowwewillsetuptheaccesspoint.Asmentionedearlier,wewillbeusingtheTP-LINK TL-WR841NWireless Router for all the experiments in this book.However, feel free to use any other access point. The basic principles ofoperationandusageremainthesame.
Timeforaction–configuringtheaccesspointLet'sbegin!WewillsettheaccesspointuptouseOpenAuthenticationwithanSSIDofWirelessLab.
Followtheseinstructionsstepbystep:
1. PowerontheaccesspointanduseanEthernetcabletoconnectyourlaptoptooneoftheaccesspoint'sEthernetports.
2. Enter the IP address of the access point configuration terminal in yourbrowser.FortheTP-Link,itisbydefault192.168.1.1.Youshouldconsultyouraccesspoint'ssetupguidetofinditsIPaddress.Ifyoudonothavethemanuals for theaccesspoint,youcanalso find the IPaddressby runningthe route –n command. The gateway IP address is typically the accesspoint's IP.Onceyouareconnected,you should seeaconfigurationportalthatlookslikethis:
3. Explore the various settings in the portal after logging in and find thesettingsrelatedtoconfiguringanewSSID.
4. ChangetheSSIDtoWirelessLab.Dependingontheaccesspoint,youmayhavetorebootitforthesettingstochange:
5. Similarly, find the settings related to Wireless Security and change thesettingtoDisableSecurity.DisableSecurityindicatesthatitisusingOpenAuthenticationmode.
6. Save the changes to the access point and reboot it if required.Nowyouraccesspointshouldbeup-and-runningwithanSSIDWirelessLab.
An easy way to verify this is to use the Wireless Configuration utility onWindows and observe the available networks using theWindows laptop.YoushouldfindWirelessLabasoneofthenetworksinthelisting:
Whatjusthappened?
Wehave successfully setupour accesspointwith anSSIDWirelessLab. It isbroadcastingitspresenceandthisisbeingpickedupbyourWindowslaptopandotherswithintheRadioFrequency(RF)rangeoftheaccesspoint.
ItisimportanttonotethatweconfiguredouraccesspointinOpenmode,whichistheleastsecure.ItisadvisablenottoconnectthisaccesspointtotheInternetforthetimebeing,asanyonewithintheRFrangewillbeabletouseittoaccesstheInternet.
Have a go hero – configuring the access point to useWEPandWPA
Playaroundwiththeconfigurationoptionsofyouraccesspoint.Trytogetitup-and-runningusingencryptionschemessuchasWEPandWPA/WPA2.Wewillusethesemodesinlaterchapterstoillustrateattacksagainstthem.
SettingupthewirelesscardSetting up our wireless adapter is much easier than the access point. Theadvantage is that Kali supports this card out-of-the-box and ships with allrequisitedevicedriverstoenablepacketinjectionandpacketsniffing.
Timeforaction–configuringyourwirelesscardWewillbeusingthewirelessadapterwiththepenetrationtester'slaptop.
Pleasefollowtheseinstructionsstep-by-steptosetupyourcard:
1. PluginthecardtooneoftheKalilaptop'sUSBportsandbootit.
Once you log in, open a console terminal and type in iwconfig. Yourscreenshouldlookasfollows:
As you can see, wlan0 is the wireless interface created for the wirelessadapter.Type inifconfigwlan0 tobring the interfaceup.Then, type inifconfigwlan0toseethecurrentstateoftheinterface:
2. The MAC address 00:c0:ca:3e:bd:93 should match the MAC addresswritten under your Alfa card. I am using the Edimax that gives me thepreceding MAC address 80:1f:02:8f:34:d5. This is a quick check to
ensurethatyouhaveenabledthecorrectinterface.
Whatjusthappened?
KalishipswithalltherequireddriversfortheAlfaandEdimaxadaptersoutofthe box.As soon as themachine booted, the adapterwas recognized andwasassigned the network interface wlan0. Now our wireless adapter is up andfunctional!
ConnectingtotheaccesspointNowwewilltakealookathowtoconnecttotheaccesspointusingthewirelessadapter. Our access point has an SSID Wireless Lab and does not use anyauthentication.
Timeforaction–configuringyourwirelesscardHerewego!Followthesestepstoconnectyourwirelesscardtotheaccesspoint:
1. Let's first see what wireless networks our adapter is currently detecting.Issue the command iwlist wlan0 scanning and you will find a list ofnetworksinyourvicinity:
KeepscrollingdownandyoushouldfindtheWirelessLabnetworkinthislist.Inmysetup,itisdetectedasCell05;itmaybedifferentinyours.TheESSIDfieldcontainsthenetworkname.
2. Asmultiple access points can have the same SSID, verify that theMACaddress mentioned in the preceding Address field matches your accesspoint'sMAC.A fast andeasyway toget theMACaddress isunderneaththeaccesspointorusingweb-basedGUIsettings.
3. Now, issue the iwconfig wlan0 essid "Wireless Lab" command andthen iwconfig wlan0 to check the status. If you have successfully
connected to the access point, you should see the MAC address of theaccesspointintheAccessPoint:fieldintheoutputofiwconfig.
4. We know that the access point has a management interface IP address192.168.0.1 from itsmanual.Alternately, this is the same as the defaultrouter IP address whenwe run the route –n command. Let's set our IPaddress in the same subnet by issuing theifconfigwlan0192.168.0.2netmask255.255.255.0upcommand.Verifythecommandsucceededbytypingifconfigwlan0andcheckingtheoutput.
5. Now let's ping the access point by issuing the ping 192.168.0.1
command. If the network connection has been set up properly, then youshouldseetheresponsesfromtheaccesspoint.Youcanadditionallyissueanarp–acommandtoverifythattheresponseiscomingfromtheaccesspoint.Youshouldseethat theMACaddressof theIP192.168.0.1 is theaccess point'sMAC addresswe noted earlier. It is important to note thatsome of the more recent access points might have responses to InternetControlMessage Protocol (ICMP) echo request packets disabled. This istypically done to make the access point secure out-of-the-box with onlyminimal configuration settings available. In such a case, you can try tolaunchabrowserandaccessthewebinterfacetoverifythattheconnectionisup-and-running:
On the access point, we can verify connectivity by looking at theconnectionlogs.Asyoucanseeinthefollowinglog,theMACaddressofthe wireless card 4C:0F:6E:70:BD:CB has been logged making DHCPrequestsfromtherouter:
Whatjusthappened?
WejustconnectedtoouraccesspointsuccessfullyfromKaliusingourwirelessadapterasthewirelessdevice.Wealsolearnthowtoverifythataconnectionhasbeenestablishedatboththewirelessclientandtheaccesspointside.
Have a go hero – establishing a connection in a WEPconfiguration
Here is a challenging exercise for you—set up the access point in a WEPconfiguration. For each of these, try establishing a connectionwith the accesspoint using the wireless adapter. Hint: check the manual for the iwconfigcommandbytypingmaniwconfigtoseehowtoconfigurethecardtoconnecttoWEP.
Popquiz–understandingthebasics
Q1.Afterissuingthecommandifconfigwlan0,howdoyouverifythewirelesscardisupandfunctional?
Q2.CanwerunallourexperimentsusingtheKali liveCDalone?Canwenot
installtheCDtotheharddrive?
Q3.Whatdoesthecommandarp–ashow?
Q4.WhichtoolshouldweuseinKalitoconnecttoWPA/WPA2networks?
SummaryThischapterprovidedyouwithdetailedinstructionsonhowtosetupyourownwirelesslab.Also,intheprocess,youlearnedthebasicstepsfor:
Installing Kali on your hard drive and exploring other options such asVirtualMachinesandUSBsConfiguringyouraccesspointoverthewebinterfaceUnderstanding and using several commands to configure and use yourwirelesscardVerifying the connection state between thewireless client and the accesspoint
Itisimportantthatyougainconfidenceinconfiguringthesystem.Ifyouaren'tconfident, it is advisable that you repeat the preceding examples a couple oftimes.Inlaterchapters,wewilldesignmorecomplicatedscenarios.
In the next chapter, we will learn about inherent design-based insecurities inWLANs design. We will use the network analyzer tool, Wireshark, tounderstandtheseconceptsinapracticalway.
Chapter2.WLANanditsInherentInsecurities
"Theloftierthebuilding,thedeeperthefoundationmustbelaid." --ThomasKempis
Nothing great can be built on aweak foundation, and in our context, nothingsecurecanbebuiltonsomethingthatisinherentlyinsecure.
WLANs,bydesign,havecertain insecurities thatarerelativelyeasy toexploit,forexample,bypacketspoofing,packet injection,andsniffing(thiscouldevenhappenfromfaraway).Wewillexploretheseflawsinthischapter.
Inthischapter,weshalllookatthefollowing:
RevisitingWLANframesDifferentframetypesandsubtypesUsingWiresharktosniffmanagement,control,anddataframesSniffingdatapacketsforagivenwirelessnetworkInjectingpacketsintoagivenwirelessnetwork
Let'sgetstarted!
RevisitingWLANframesAsthisbookdealswiththesecurityaspectsofwireless,wewillassumethatyoualreadyhaveabasicunderstandingoftheprotocolandthepacketheaders.Ifnot,or if it's been some time since youworked onwireless, thiswould be a goodtimetorevisitthistopicagain.
Let'snowquicklyreviewsomebasicconceptsofWLANsthatmostofyoumayalreadybeawareof.InWLANs,communicationhappensoverframes.Aframewouldhavethefollowingheaderstructure:
TheFrameControlfielditselfhasamorecomplexstructure:
TheTypefielddefinesthreetypesofWLANframe:
1. Management frames:Management frames are responsible formaintainingcommunication between access points and wireless clients. Managementframescanhavethefollowingsubtypes:
AuthenticationDeauthenticationAssociationrequestAssociationresponseReassociationrequestReassociationresponseDisassociation
BeaconProberequestProberesponse
2. Control frames: Control frames are responsible for ensuring a properexchangeofdatabetweenaccesspointsandwirelessclients.Controlframescanhavethefollowingsubtypes:
RequesttoSend(RTS)CleartoSend(CTS)Acknowledgement(ACK)
3. Dataframes:Dataframescarrytheactualdatathat issentonthewirelessnetwork.Therearenosubtypesfordataframes.
We will discuss the security implications of each of these frames when wediscussdifferentattacksinlaterchapters.
Wewill now look at how to sniff these frames over awireless network usingWireshark.Thereareothertools—suchasAirodump-NG,Tcpdump,orTshark—thatyoucanuseforsniffingaswell.Wewill,however,mostlyuseWiresharkinthisbook,butweencourageyoutoexploreothertoolsaswell.Thefirststeptodothisistocreateamonitormodeinterface.Thiswillcreateaninterfaceforouradapter,whichallowsustoreadallwirelessframesintheair,regardlessofwhether they are destined for us or not. In the wiredworld, this is popularlycalledpromiscousmode.
Timeforaction–creatingamonitormodeinterfaceLet'snowsetourwirelessadapterintomonitormode.
Followtheseinstructionstogetstarted:
1. BootKaliwithyour adapter connected.Onceyouarewithin the console,enteriwconfig toconfirmthatyourcardhasbeendetectedandthedriverhasbeenloadedproperly.
2. Usetheifconfigwlan1upcommandtobringthecardup(wherewlan1isyouradapter).Verifywhether thecard isupbyrunningifconfigwlan1.YoushouldseethewordUPinthesecondlineoftheoutputasshowninthefollowingscreenshot:
3. Toputourcardintomonitormode,wewillusetheairmon-ngutilitythatisavailable by default on Kali. First run airmon-ng command to verifywhether itdetects theavailablecards.Youshould see thewlan0 interfacelistedintheoutput:
4. Now enter airmon-ng start wlan1 command to create amonitormode
interface corresponding to the wlan0 device. This new monitor modeinterface will be named mon0. (You can verify if it has been created byrunningairmon-ngwithoutargumentsagain).
5. Also, running ifconfig mon0 should now display a new interface calledmon0.
Whatjusthappened?
We have successfully created a monitor mode interface called mon0. Thisinterfacewillbeusedtosniffwirelesspacketsofftheair.Thisinterfacehasbeencreatedforourwirelessadapter.
Have a go hero – creating multiple monitor modeinterfaces
Itispossibletocreatemultiplemonitormodeinterfacesusingthesamephysicalcard.Usetheairmon-ngutilitytoseehowyoucandothis.
Awesome!Wehaveamonitormodeinterfacejustwaitingtoreadsomepacketsofftheair.Solet'sgetstarted.
Inthenextexercise,wewilluseWiresharktosniffpacketsofftheairusingthemon0monitormodeinterfacewejustcreated.
Timeforaction–sniffingwirelesspacketsFollowthefollowinginstructionstobeginsniffingpackets:
1. PoweruptheAccessPointWirelessLabthatweconfiguredinChapter1,WirelessLabSetup.
2. StartWiresharkbytypingWireshark& intheconsole.OnceWiresharkisrunning,navigatetoCapture|Interfaces.
3. Selectpacketcapturefromthemon0interfacebyclickingontheStartbuttonto the right of the mon0 interface as shown in the previous screenshot.Wiresharkwillbegin thecapture, andnowyoushould seepacketswithin
theWiresharkwindow.
4. Thesearewirelesspacketsthatyourwirelessadapterissniffingofftheair.In order to view any packet, select it in the top window and the entirepacketwillbedisplayedinthemiddlewindow.
Clickon the triangle in frontof IEEE802.11WirelessLANmanagementframetoexpandandviewadditionalinformation.
Look at the different header fields in the packet and correlate them with theWLANframetypesandsub-typesyouhavelearnedearlier.
Whatjusthappened?
We just sniffed out first set of packets off the air! We launched Wireshark,whichusedthemonitormodeinterfacemon0wecreatedpreviously.Youshouldnotice,by lookingatWireshark's footer region, thespeedatwhich thepacketsarebeingcapturedandalsothenumberofpacketscapturedtillnow.
Haveagohero–findingdifferentdevices
Wiresharktracescanbeabitdauntingattimes;evenforareasonablypopulatedwirelessnetwork,youcouldendupsniffingafewthousandpackets.Hence,itisimportanttobeabletodrilldowntothosepacketsthatinterestus.ThiscanbeaccomplishedusingfiltersinWireshark.Explorehowyoucanusethesefilterstoidentifyuniquewirelessdevices in the traces–both accesspoints andwirelessclients.
Ifyouareunabletodothis,don'tworryasthisisthenextthingwewilllearn.
Timeforaction–viewingmanagement,control,anddataframesNowwewill learn how to apply filters inWireshark to look atManagement,ControlandDataFrames.
Pleasefollowthebelowinstructionsstepbystep:
1. ToviewalltheManagementframesinthepacketsbeingcaptured,enterthefilterwlan.fc.type==0intothefilterwindowandclickApply.Youcanstop the packet capture if youwant to prevent the packets from scrollingdowntoofast.
2. ToviewControlFrames,modify thefilterexpressiontoreadwlan.fc.type==1.
3. Toviewdataframes,modifythefilterexpressiontowlan.fc.type==2.
4. To additionally select a sub-type, use the wlan.fc.subtype filter. Forexample,toviewalltheBeaconframesamongallManagementframes,usethefollowingfilter:
(wlan.fc.type==0)&&(wlan.fc.subtype==8).
5. Alternately, you can right-click on anyof the header fields in themiddlewindowandthenselectApplyasFilter|Selectedtoadditasafilter.
6. This will automatically add the correct filter expression for you in theFilterfield.
Whatjusthappened?
We just learned how to filter packets in Wireshark using various filterexpressions. This helps us monitor selected packets from devices we areinterestedin,insteadoftryingtoanalyzeallthepacketsintheair.
Also, we can see that the packet headers of Management, Control and Dataframesareinplaintextandarenotencrypted.Anyonewhocansniffthepacketscanread theseheaders. It isalso important tonote that it isalsopossibleforahacker to modify any of these packets and re-transmit them. As there is no
integrityorreplayattackmitigationintheprotocol,thisisveryeasytodo.Wewilllookatsomeoftheseattacksinlaterchapters.
Haveagohero–playingwithfilters
You can consult Wireshark's manual to know more about available filterexpressions and how to use them. Try playing around with various filtercombinationstillyouareconfidentthatyoucandrilldowntoanylevelofdetail,eveninaverylargepackettrace.
In the next exercise, we will look at how to sniff data packets transferredbetweenouraccesspointandwirelessclient.
Time for action – sniffing data packets for ournetworkIn this exercise, we will learn how to sniff data packets for a given wirelessnetwork. For the sake of simplicity, we will look at packets without anyencryption.
Followtheseinstructionstogetstarted:
1. Switch on the access point we named Wireless Lab. Let it remainconfiguredtousenoencryption.
2. Wewill first need to find the channel onwhich theWireless Lab accesspointisrunning.Todothis,openaterminalandrunairodump-ng--bssid<mac>mon0where<mac>,whichistheMACaddressofouraccesspoint.Lettheprogramrun,andshortlyyoushouldseeyouraccesspointshownonthescreenalongwiththechannelitisrunningon.
3. We can see from the preceding screenshot that our access pointWirelessLab is running on Channel 11. Note that this may be different for youraccesspoint.
Inorder to sniff datapackets going to and fro from this accesspoint,weneedtolockourwirelesscardonthesamechannel,thatischannel11.Todo this, run the iwconfig mon0 channel 11 command and then runiwconfig mon0 to verify it. You should see the Frequency: 2.462 GHzvalueintheoutput.ThiscorrespondstoChannel11.
4. Now fire up Wireshark and start sniffing on the mon0 interface. AfterWiresharkhasstartedsniffingthepackets,applyafilterforthebssidofouraccesspointasshownbelowusingwlan.bssid==<mac>inthefilterarea.UsetheappropriateMACaddressforyouraccesspoint.
5. Inorder tosee thedatapackets forouraccesspoint,add the following tothefilter(wlan.bssid==<mac>)&&(wlan.fc.type_subtype==0x20).Open your browser on the client laptop and type in the managementinterface the URL of the access point. In my case, as we have seen inChapter 1, Wireless Lab Setup, it is http://192.168.0.1. This willgeneratedatapacketsthatWiresharkwillcapture.
6. Packetsniffingallowsus toanalyzeunencrypteddatapacketsveryeasily.Thisisthereasonwhyweneedtouseencryptioninwireless.
Whatjusthappened?
We have just sniffed data packets over the air withWireshark using variousfilters.Asouraccesspointisnotusinganyencryption,weareabletoseeallthedatainplaintext.ThisisamajorsecurityissueasanyonewithinRFrangeoftheaccesspointcanseeallthepacketsifheusesasniffersuchasWireshark.
Haveagohero–analyzingdatapackets
Use Wireshark to analyze the data packets further. You would notice that aDHCP request is made by the client and, if a DHCP server is available, itrespondswithanaddress.ThenyouwouldfindARPpacketsandotherprotocolpacketsontheair.Thisisaniceandsimplewaytodopassivehostdiscoveryonthe wireless network. It is important to be able to see a packet trace andreconstruct how applications on thewireless host are communicatingwith therest of the network. One of the interesting featuresWireshark provides is theability to follow a stream. This allows you to viewmultiple packets together,thatarepartofaTCPexchange,inthesameconnection.
Also,tryloggingintowww.gmail.comoranyotherpopularwebsiteandanalyzethedatatrafficgenerated.
We will now see a demonstration of how to inject packets into a wirelessnetwork.
Timeforaction–packetinjectionWe will be using the aireplay-ng tool, which is available in Kali, for thisexercise.
Followtheinstructionsbelowcarefully:
1. Inordertodoaninjectiontest,firststartWiresharkandthefilterexpression(wlan.bssid == <mac>) && !(wlan.fc.type_subtype == 0x08). Thiswillensurethatweonlyseenon-beaconpacketsforourlabnetwork.
2. Now run the following command aireplay-ng -9 -e Wireless Lab -a<mac>mon0onaterminal.
3. Go back toWireshark and you should see a lot of packets on the screennow. Some of these packets have been sent by aireplay-ng, which welaunched,andothersarefromtheaccesspointWirelessLabinresponsetotheinjectedpackets.
Whatjusthappened?
Wejustsuccessfullyinjectedpacketsintoourtestlabnetworkusingaireplay-ng.It is important to note that our card injected these arbitrary packets into thenetworkwithoutbeingactuallyconnectedtotheaccesspointWirelessLab.
Haveagohero–installingKalionVirtualBox
Wewilllookatpacketinjectioningreaterdetailinlaterchapters;however,feelfreetoexploreotheroptionsoftheAireplay-ngtooltoinjectpackets.YoucanverifywhetherinjectionsucceededbyusingWiresharktomonitortheair.
ImportantnoteonWLANsniffingandinjectionWLANs typicallyoperatewithin threedifferent frequency ranges– :2.4GHz,3.6 GHz and 4.9/5.0 GHz. Not all Wi-Fi cards support all these ranges andassociatedbands.Forinstance,,anAlfacardonlysupportsIEEE802.11b/g.Thiswouldmeanthatthiscardcannotoperatein802.11a/n.Thekeyhereistosnifforinjectpacketsinaparticularband;yourWi-Ficardwillneedtosupportit.
Another interesting aspect ofWi-Fi is that, in each of these bands, there aremultiplechannels.ItisimportanttonotethatyourWi-Ficardcanonlybeononechannelatanygivenmoment.Itisnotpossibletotuneintomultiplechannelsatthesametime.ThebestanalogyIcangiveyouisyourcarradio.Youcantuneittoonlyoneof theavailablechannelsatanygiven time.Ifyouwant tohear tosomethingelse,youwillhavetochangethechannel.ThesameprincipleappliestoWLANSniffing.Thisbringsustoanimportantconclusion—wecannotsniffallchannelsatthesametime;wewillneedtoselectthechannelthatisofinteresttous.Whatthismeansisthat,ifouraccesspointofinterestisonchannel1,wewillneedtosetourcardonchannel1.
ThoughwehaveaddressedWLANsniffing in theaboveparagraphs, the sameappliestoinjectionaswell.Toinjectpacketsonaspecificchannel,wewillneedtoputthecardradioonthatchannel.
Let's nowdo some exercises on setting our card to specific channels, channelhopping,settingregulatorydomains,powerlevelsetc.
Timeforaction–experimentingwithyouradapterFollowtheinstructionsbelowcarefully:
1. Entertheiwconfigwlan0commandtocheckthecapabilitiesofyourcard.Asyoucanseeinthefigurebelow,myadaptercanoperateintheb,g,andnbands.
2. Tosetthecardonaparticularchannel,weusetheiwconfigmon0channelXcommands.
3. Theiwconfigseriesofcommandsdoesnothaveachannelhoppingmode.Onecouldwriteasimplescriptoverittomakeitdoso.AneasierwayistouseAirodump-NGwithoptionstoeitherhopchannelsarbitrarily,useonlyasubset,oruseonlyselectedbands.Alltheseoptionsareillustratedinthescreenshotbelowwhenwerunairodump-ng--help:
Whatjusthappened?
Weunderstood that bothwireless sniffing and packet injection depend on thehardwaresupportavailable.Thismeansthatwecanonlyoperateonbandsandchannelsallowedbyourcard.Also,thewirelesscardradiocanonlybeononechannel at a time. This further means that we can only sniff or inject in onechannelatatime.
Haveagohero–sniffingmultiplechannels
If you need to simultaneously sniff on multiple channels, you will requiremultiple physicalWi-Fi cards. If you canprocure additional cards, then try tosniffonmultiplechannelssimultaneously.
TheroleofregulatorydomainsinwirelessThecomplexitiesofWi-Fidon'tendhere.Everycountryhasitsownunlicensedspectrumallocationpolicy.This specificallydictatesallowedpower levels andallowed users for the spectrum. In theUS, for example, the FCCdecides thisand, if youuseWLANs in theUS,youhave to abideby these regulations. Insomecountries,notdoingthisisapunishableoffense.
Nowlet'slookathowwecanfindthedefaultregulatorysettingsandthenhowtochangethemifrequired.
Timeforaction–experimentingwithyouradapterFollowtheseinstructionscarefully:
1. Rebootyourcomputeranddonotconnectyouradaptertoityet.2. Onceloggedin,monitorthekernelmessagesusingthetailcommand:
Insert the adapter, and you should see something that resembles thefollowingscreenshot.Thisshowsthedefaultregulatorysettingsappliedtoyourcard:
3. Let's assume that you are based in the US. To change your regulatorydomain to the US, we issue the command iw reg set US in a newterminal:
If the command is successful, we get an output such as the one in thefollowing screenshot in the terminal where we monitoring/var/log/messages:
4. Nowtrychangingthecardtochannel11; itwillwork.But,whenyoutrychanging it to channel 12, you get an error. This is because channel 12,cannotbeusedintheUS.
5. Thesameappliesforpowerlevels.TheUSonlyallowsamaximumof27dBm (500 milliwatts); thus even though my adapter has an advertisedpowerof1Watt(30dBm),wecannotsetthecardtothemaximumtransmitpower:
6. However, ifwewere inBolivia, thenwe could transmit at a power of 1Watt as this is allowed there.Aswe can see, oncewe set the regulatorydomain to Bolivia—iw reg set BO—we can change the card power to30DMB or 1 Watt. We can also use channel 12 in Bolivia, which wasdisallowedintheUS:
Whatjusthappened?
Every country has its own regulations for the use of the unlicensed wirelessband.Whenwe set our regulatory domain to a specific country, our cardwillobey the allowed channels and power levels specified. However, it is easy tochange the regulatory domain of the card and force it to work on disallowedchannelsandtotransmitatapowerlevelthatisgreaterthanallowed.
Haveagohero–exploringregulatorydomains
Lookat thevariousparametersyoucanset suchaschannel,power, regulatorydomainsetc.using theiwseriesofcommandsonKali.Thisshouldgiveyouafirm understanding of how to configure your card when you are in variouscountriesandrequiretochangeyourcardsettings.
Popquiz–WLANpacketsniffingandinjection
Q1.WhichframetypesareresponsibleforauthenticationinWLANs?
1. Control2. Management3. Data4. QoS
Q2.Whatisthenameofthesecondmonitormodeinterfacethatcanbecreatedonwlan0usingairmon-ng?
1. Mon02. Mon13. 1Mon4. Monb
Q3.Whatisthefilterexpressiontoviewallnon-beaconframesinWireshark?
1. !(wlan.fc.type_subtype==0x08)2. wlan.fc.type_subtype==0x083. (nobeacon)4. Wlan.fc.type==0x08
SummaryInthischapter,wehavemadesomekeyobservationsaboutWLANprotocols.
Management,Control andData framesareunencryptedand thuscanbeeasilyreadbysomeonewhoismonitoringtheairspace.Itisimportanttonoteherethatthedatapacketpayloadcanbeprotectedusingencryptiontokeepitconfidential.Wewilltalkaboutthisinthenextchapter.
Wecansnifftheentireairspaceinourvicinitybyputtingourcardintomonitormode.
AsthereisnointegrityprotectioninManagementandControlframes,itisveryeasy to inject these packets bymodifying them or replaying them as-is usingtoolssuchasaireplay-ng.
Unencrypted data packets can also be modified and replayed back to thenetwork. If the packet is encrypted, we can still replay the packet as-is, asWLANbydesigndoesnothavepacketreplayprotection.
Inthenextchapter,wewilllookatdifferentauthenticationmechanismsthatareused in WLANs such as MAC filtering and shared Authentication etc. andunderstandthevarioussecurityflawsinthemthroughlivedemonstrations.
Chapter3.BypassingWLANAuthentication
"Afalsesenseofsecurityisworsethanbeingunsure." --Anonymous
A false sense of security is worse than being insecure, as you may not bepreparedtofacetheeventualityofbeinghacked.
WLANs can haveweak authentication schemas that can be easily broken andbypassed.Inthischapter,wewilltakealookatthevariousbasicauthenticationschemasusedinWLANsandlearnhowtobeatthem.
Inthischapter,wewilltakealookatthefollowingtopics:
UncoveringhiddenSSIDsBeatingMACfiltersBypassingOpenAuthenticationBypassingSharedKeyAuthentication
HiddenSSIDsIn the default configuration mode, all access points send out their SSIDs inBeacon frames. This allows clients in the vicinity to discover them easily.HiddenSSIDs is aconfigurationwhere theaccesspointdoesnotbroadcast itsSSID in Beacon frames. Thus, only clients that know the SSID of the accesspointcanconnecttoit.
Unfortunately,thismeasuredoesnotproviderobustsecurity,butmostnetworkadministrators thinkitdoes.HiddenSSIDsshouldnotbeconsideredasecuritymeasurebyanystretchof the imagination.Wewillnowtakea lookathowtouncoverhiddenSSIDs.
Timeforaction–uncoveringhiddenSSIDsPerformthefollowinginstructionstogetstarted:
1. Using Wireshark, if we monitor Beacon frames in the Wireless Labnetwork,weareabletoseetheSSIDinplaintext.YoushouldseeBeaconframes,asshowninthefollowingscreenshot:
2. Configure your access point to set theWirelessLab network as a hiddenSSID.Theconfigurationoptiontodothismaydifferacrossaccesspoints.Inmycase, I need to check theInvisible option in theVisibilityStatusoption,asshowninthefollowingscreenshot:
3. NowifyoutakealookattheWiresharktrace,youwillfindthattheSSIDWirelessLabhasdisappearedfromtheBeaconframes.ThisiswhathiddenSSIDsareallabout:
4. InordertobypassBeaconframes,wewillfirstusethepassivetechniqueofwaiting for a legitimate client to connect the access point. This willgenerate probe request and probe response packets that will contain theSSIDofthenetwork,thusrevealingitspresence:
5. Alternately, you can use theaireplay-ng utility to send deauthenticationpacketstoallstationsonbehalfoftheWirelessLabaccesspointbytypingaireplay-ng-05-a<mac>--ignore-negativemon0,where<mac> isthe MAC address of the router. The -0 option is used to choose adeauthenticationattack,and5isthenumberofdeauthenticationpacketstosend. Finally, -a specifies theMAC address of the access point you aretargeting:
6. The preceding deauthentication packetswill force all legitimate clients todisconnect and reconnect. It would be a good idea to add a filter fordeauthenticationpacketstoviewtheminanisolatedway:
7. TheproberesponsesfromtheaccesspointwillenduprevealingitshiddenSSID.ThesepacketswillshowuponWiresharkasshownnext.Oncethelegitimateclientsconnectback,wecanseethehiddenSSIDusingtheproberequest andprobe response frames.You canuse the filter (wlan.bssid==00:21:91:d2:8e:25) && !(wlan.fc.type_subtype == 0x08) to monitor allnon-Beaconpacketstoandfrofromtheaccesspoint.The&&signstands
for the logical AND operator and the ! sign stands for the logical NOToperator:
Whatjusthappened?
Even though the SSID is hidden and not broadcasted, whenever a legitimateclienttriestoconnecttotheaccesspoint,theyexchangeproberequestandproberesponsepackets.ThesepacketscontaintheSSIDoftheaccesspoint.Asthesepacketsarenotencrypted, theycanbeveryeasilysniffed from theairand theSSIDcanbefound.
Wewillcoverusingproberequestsforotherpurposessuchastrackinginalater
chapter.
Inmanycases,allclientsmaybealreadyconnectedtotheaccesspointandtheremay be no probe request/response packets available in the Wireshark trace.Here,we can forcibly disconnect the clients from the access point by sendingforgeddeauthenticationpacketsontheair.Thesepacketswillforcetheclientstoreconnectbacktotheaccesspoint,thusrevealingtheSSID.
Haveagohero–selectingdeauthentication
In the previous exercise, we sent broadcast deauthentication packets to forcereconnectionofallwirelessclients.Trytoverifyhowyoucanselectivelytargetindividualclientsusingtheaireplay-ngutility.
It is important to note that, even though we are illustrating many of theseconcepts usingWireshark, it is possible toorchestrate these attackswithothertools,suchas theaircrack-ngsuiteaswell.Weencourageyoutoexplore theentire aircrack-NG suite of tools and other documentation located on theirwebsiteathttp://www.aircrack-ng.org.
MACfiltersMACfiltersareanage-old techniqueusedforauthenticationandauthorizationandhavetheirrootsinthewiredworld.Unfortunately,theyfailmiserablyinthewirelessworld.
Thebasic idea is toauthenticatebasedon theMACaddressof theclient.TheMACfilterisanidentificationcodeassignedtoanetworkinterface;arouterwillbeabletocheckthiscodeandcompareittoalistofapprovedMACs.ThislistofallowedMAC addresseswill bemaintained by the network administrator andwillbe fed into theaccesspoint.Wewillnowtakea lookathoweasy it is tobypassMACfilters.
Timeforaction–beatingMACfiltersLet'sfollowtheinstructionstogetstarted:
1. Let'sfirstconfigureouraccesspointtouseMACfilteringandthenaddtheclientMACaddressof thevictimlaptop.Thesettingspagesonmyrouterlooksasfollows:
2. OnceMACfilteringisenabled,onlytheallowedMACaddresswillbeabletosuccessfullyauthenticatewiththeaccesspoint.Ifwetrytoconnecttotheaccess point from a machine with a non-whitelisted MAC address, theconnectionwillfail.
3. Behind the scenes, the access point is sending Authentication failuremessagestotheclient.Thepackettraceresemblesthefollowing:
4. In order to beatMAC filters, we can use airodump-ng to find theMACaddressesofclientsconnectedtotheaccesspoint.Wecandothisbyissuingtheairodump-ng-c11-a--bssid<mac>mon0command.Byspecifyingthe bssid command, we will onlymonitor the access point, which is ofinteresttous.The-c11commandsetsthechannelto11wheretheaccesspoint is. The -a command ensures that, in the client section of the
airodump-NG output, only clients associated and connected to an accesspointareshown.ThiswillshowusalltheclientMACaddressesassociatedwiththeaccesspoint:
5. Oncewefindawhitelistedclient'sMACaddress,wecanspoof theMACaddress of the client using the macchanger utility, which ships withBackTrack.Youcanusethemacchanger–m<mac>wlan0commandtogetthisdone.TheMACaddressyouspecifywiththe-mcommandoptionisthenewspoofedMACaddressforthewlan0interface:
6. Asyoucanclearlysee,wearenowabletoconnecttotheaccesspointafterspoofingtheMACaddressofawhitelistedclient.
Whatjusthappened?
We monitored the air using airodump-ng and found the MAC address oflegitimate clients connected to the wireless network. We then used themacchanger utility to change our wireless card's MAC address to match theclient's.This fooled theaccesspoint intobelieving thatwewere the legitimateclient,anditallowedusaccesstoitswirelessnetwork.
Youareencouragedtoexplorethedifferentoptionsoftheairodump-NGutilityby going through the documentation on their website at http://www.aircrack-ng.org/doku.php?id=airodump-ng.
OpenAuthenticationThetermOpenAuthenticationisalmostamisnomer,asitactuallyprovidesnoauthentication at all. When an access point is configured to use OpenAuthentication,itwillsuccessfullyauthenticateallclientsthatconnecttoit.
WewillnowdoanexercisetoauthenticateandconnecttoanaccesspointusingOpenAuthentication.
Timeforaction–bypassingOpenAuthenticationLet'snowtakealookathowtobypassOpenAuthentication:
1. We will first set our lab access point Wireless Lab to use OpenAuthentication.Onmyaccesspoint,thisissimplydonebysettingSecurityModetoDisableSecurity:
2. We then connect to this access point using the iwconfig wlan0 essidWirelessLabcommandandverifythattheconnectionhassucceededandthatweareconnectedtotheaccesspoint.
3. Notethatwedidnothavetosupplyanyusername/password/passphrasetogetthroughOpenAuthentication.
Whatjusthappened?
Thisisprobablythesimplestexercisesofar.Asyousaw,thereisnobarriertoconnecting to an Open Authentication network and connecting to the accesspoint.
SharedKeyAuthenticationShared Key Authentication uses a shared secret such as the WEP key toauthenticate the client. The exact exchange of information is illustrated in thefollowingscreenshot(takenfromwww.netgear.com):
Thewireless client sends an authentication request to the access point, whichrespondsbackwithachallenge.Theclientnowneedstoencryptthischallengewiththesharedkeyandsenditbacktotheaccesspoint,whichdecryptsthistocheckwhetheritcanrecovertheoriginalchallengetext.Ifitsucceeds,theclientsuccessfullyauthenticates;ifnot,itsendsanauthenticationfailedmessage.
The security problem here is that an attacker passively listening to this entirecommunicationbysniffingtheairhasaccesstoboththeplaintextchallengeandthe encrypted challenge. He can apply the XOR operation to retrieve thekeystream.Thiskeystreamcanbeusedtoencryptanyfuturechallengesentby
theaccesspointwithoutneedingtoknowtheactualkey.
Themost common form of shared authentication is known asWEP orWiredEquivalentProtocol. It iseasy tobreak,andnumerous toolshavebeencreatedovertimetofacilitatethecrackingofWEPnetworks.
Inthisexercise,wewill learnhowtosniff theair toretrievethechallengeandtheencryptedchallenge,retrievethekeystream,anduseittoauthenticatetotheaccesspointwithoutneedingthesharedkey.
Timeforaction–bypassingSharedAuthenticationBypassing Shared Authentication is a bit more challenging than the previousexercises,sofollowthestepscarefully:
1. Let's first set up Shared Authentication for ourWireless Lab network. IhavedonethisonmyaccesspointbysettingthesecuritymodeasWEPandAuthenticationasSharedKey:
2. Let'snowconnecta legitimateclient to thisnetworkusing thesharedkeywehavesetinstep1.
3. In order to bypass SharedKeyAuthentication,wewill first start sniffingpacketsbetween theaccesspointand itsclients.However,wewouldalso
liketologtheentiresharedauthenticationexchange.Todothis,weusetheairodump-ngutilityusingtheairodump-ngmon0-c11--bssid<mac>-w keystream command. The -w option, which is new here, requestsAirodump-NGtostorethepacketsinafilewhosenameisprefixedwiththeword keystream. Incidentally, it might be a good idea to store differentsessions of packet captures in different files. This allows you to analyzethemlongafterthetracehasbeencollected:
4. Wecaneitherwaitforalegitimateclienttoconnecttotheaccesspointorforce a reconnect using the deauthentication technique used previously.Once a client connects and the shared key authentication succeeds,airodump-ngwill capture this exchange automatically by sniffing the air.AnindicationthatthecapturehassucceedediswhentheAUTHcolumnreadsWEP.
5. The captured keystream is stored in a file prefixed with the wordskeystreamfileinthecurrentdirectory.Inmycase,thenameofthefileiskeystream-01-00-21-91-D2-8E-25.xor.
6. Inorder tofakeasharedkeyauthentication,wewillusetheaireplay-ngtool.Weruntheaireplay-ng-10-e"WirelessLab"-ykeystream-01-00-21-91-D2-8E-25.xor -a <mac> -h AA:AA:AA:AA:AA:AA mon0
command.Thisaireplay-ngcommandusesthekeystreamweretrievedinstep 5 and tries to authenticatewith the access pointwithSSIDWirelessLab and MAC address 00:21:91:D2:8E:25, and uses an arbitrary clientMACaddressAA:AA:AA:AA:AA:AA.FireupWiresharkandsniffallpacketsofinterestbyapplyingawlan.addr==AA:AA:AA:AA:AA:AAfilter.Wecanverify this using Wireshark. You should see a trace on the Wiresharkscreen,asshowninthefollowingscreenshot:
8. Thesecondpacketconsistsoftheaccesspointsendingtheclientchallengetext,asshowninthefollowingscreenshot:
10. As the aireplay-ng tool used the derived keystream for encryption, theauthenticationsucceedsandtheaccesspointsendsasuccessmessageinthefourthpacket:
11. After the authentication succeeds, the tool fakes an association with theaccesspoint,whichsucceedsaswell:
12. If you check the wireless logs in your access point's administrativeinterface, you should now see a wireless client with the MAC addressAA:AA:AA:AA:AA:AAconnected:
Whatjusthappened?
We were successful in deriving the keystream from a shared authenticationexchange,andweusedittofakeanauthenticationtotheaccesspoint.
Haveagohero–fillinguptheaccesspoint'stables
Access points have a maximum client count after which they start refusingconnections. By writing a simple wrapper over aireplay-ng, it is possible toautomate and send hundreds of connection requests from random MACaddressestotheaccesspoint.Thiswillendupfillingtheinternaltablesandoncethemaximumclientcount is reached, theaccesspointwill stopacceptingnewconnections.ThisistypicallywhatiscalledaDenialofService(DoS)attackandcanforcetheroutertorebootormakeitdysfunctional.Thiscanleadtoall thewireless clients being disconnected and being unable to use the authorizednetwork.
Checkwhetheryoucanverifythisinyourlab!
Popquiz–WLANauthentication
Q1.Howcanyouforceawirelessclienttore-connecttotheaccesspoint?
1. Bysendingadeauthenticationpacket.2. Byrebootingtheclient.3. Byrebootingtheaccesspoint.4. Alloftheabove.
Q2.WhatdoesOpenAuthenticationdo?
1. Itprovidesdecentsecurity.2. Itprovidesnosecurity.3. Itrequirestheuseofencryption.4. Noneoftheabove.
Q3.HowdoesbreakingSharedKeyAuthenticationwork?
1. Byderivingthekeystreamfromthepackets.2. Byderivingtheencryptionkey.3. Bysendingdeauthenticationpacketstotheaccesspoint.4. Byrebootingtheaccesspoint.
SummaryIn this chapter, we learnt about WLAN Authentication. Hidden SSIDs are asecurity-through-obscurity feature and are is relatively simple to beat. MACaddress filters do not provide any security, asMAC addresses can be sniffedfrom the air from the wireless packets. This is possible because the MACaddressesareunencrypted in thepacket.OpenAuthenticationprovidesno realauthenticationatall.SharedKeyAuthenticationisabittrickytobeatbut,withthe help of the right tools, we can derive the store and the keystream, usingwhichitispossibletoanswerallfuturechallengessentbytheaccesspoint.Theresultisthatwecanauthenticatewithoutneedingtoknowtheactualkey.
In the next chapter, we will take a look at different WLAN encryptionmechanisms—WEP,WPA,andWPA2—andlookattheinsecuritiesthatplaguethem.
Chapter4.WLANEncryptionFlaws
"640Kismorememorythananyonewilleverneed." --BillGates,Founder,Microsoft
Evenwiththebestofintentions,thefutureisalwaysunpredictable.TheWLANcommitteedesignedWEPandthenWPAtobefoolproofencryptionmechanismsbut, over time, both these mechanisms had flaws that have been widelypublicizedandexploitedintherealworld.
WLANencryptionmechanisms have hada long history of being vulnerable tocryptographicattacks.ItstartedwithWEPinearly2000,whicheventuallywascompletely broken. In recent times, attacks are slowly targeting WPA. EventhoughthereisnopublicattackavailablecurrentlytobreakWPAinallgeneralconditions,thereareattacksthatarefeasibleunderspecialcircumstances.
Inthischapter,wewilltakealookatthefollowingtopics:
DifferentencryptionschemasinWLANsCrackingWEPencryptionCrackingWPAencryption
WLANencryptionWLANstransmitdataovertheairandthusthereisaninherentneedtoprotectdataconfidentiality.Thisisbestdoneusingencryption.TheWLANcommittee(IEEE802.11)formulatedthefollowingprotocolsfordataencryption:
WiredEquivalentPrivacy(WEP)Wi-FiProtectedAccess(WPA)Wi-FiProtectionAccessv2(WPAv2)
In this chapter,wewill take a look at each of these encryption protocols anddemonstratevariousattacksagainstthem.
WEPencryptionTheWEPprotocolwasknowntobeflawedasearlyas2000but,surprisingly,itis still continuing to be used and access points still ship with WEP enabledcapabilities.
TherearemanycryptographicweaknessesinWEPandtheywerediscoveredbyWalker,Arbaugh,Fluhrer,Martin,Shamir,KoreK,andmanyothers.EvaluationofWEPfromacryptographicstandpointisbeyondthescopeofthisbook,asitinvolvesunderstandingcomplexmath.Inthissection,wewilltakealookathowto break WEP encryption using readily available tools on the BackTrackplatform. This includes the entire aircrack-ng suite of tools—airmon-ng,aireplay-ng,airodump-ng,aircrack-ng,andothers.
ThefundamentalweaknessinWEPisitsuseofRC4andashortIVvaluethatisrecycledevery224frames.While this isa largenumber in itself, there isa50percentchanceoffourreusesevery5,000packets.Tousethistoouradvantage,wegeneratea largeamountof trafficso thatwecan increase the likelihoodofIVsthathavebeenreusedandthuscomparetwociphertextsencryptedwiththesameIVandkey.
Let'snowfirstsetupWEPinourtestlabandseehowwecanbreakit.
Timeforaction–crackingWEPFollowthegiveninstructionstogetstarted:
1. Let's firstconnect toouraccesspointWirelessLabandgo to thesettingsareathatdealswithwirelessencryptionmechanisms:
2. Onmyaccesspoint,thiscanbedonebysettingtheSecurityModetoWEP.Wewill alsoneed to set theWEPkey length.Asshown in the followingscreenshot,IhavesetWEPtouse128bitkeys.IhavesetthedefaultkeytoWEPKey1and thevalue inhex toabcdefabcdefabcdefabcdef12as the
128-bitWEPkey.Youcansetthistowhateveryouchoose:
3. Oncethesettingsareapplied,theaccesspointshouldnowbeofferingWEPas the encryption mechanism of choice. Let's now set up the attacker
machine.4. Let'sbringupWlan0byissuingthefollowingcommand:
ifconfigwlan0up
5. Then,wewillrunthefollowingcommand:
airmon-ngstartwlan0
6. Thisisdonesoastocreatemon0,themonitormodeinterface,asshowninthe following screenshot. Verify that the mon0 interface has been createdusingtheiwconfigcommand:
7. Let's run airodump-ng to locate our lab access point using the followingcommand:
airodump-ngmon0
8. Asyoucanseeinthefollowingscreenshot,weareabletoseetheWirelessLabaccesspointrunningWEP:
9. Forthisexercise,weareonlyinterestedintheWirelessLab,solet'senterthefollowingcommandtoonlyseepacketsforthisnetwork:
airodump-ng –bssid 00:21:91:D2:8E:25 --channel 11 --
writeWEPCrackingDemomon0
Theprecedingcommandlineisshowninthefollowingscreenshot:
10. Wewillrequestairodump-ngtosavethepacketsintoapcapfileusingthe--writedirective:
11. Nowlet'sconnectourwirelessclienttotheaccesspointandusetheWEPkey as abcdefabcdefabcdefabcdef12. Once the client has successfullyconnected,airodump-ngshouldreportitonthescreen.
12. Ifyoudoanlsinthesamedirectory,youwillbeabletoseefilesprefixedwithWEPCrackingDemo-*,asshowninthefollowingscreenshot.Thesearetrafficdumpfilescreatedbyairodump-ng:
13. If you notice the airodump-ng screen, the number of data packets listedunderthe#Datacolumnisveryfewinnumber(only68).InWEPcracking,we need a large number of data packets, encryptedwith the same key toexploitweaknessesintheprotocol.So,wewillhavetoforcethenetworktoproducemoredatapackets.Todothis,wewillusetheaireplay-ngtool:
14. WewillcaptureARPpacketson thewirelessnetworkusingAireplay-ngandinjectthembackintothenetworktosimulateARPresponses.Wewillbe starting Aireplay-ng in a separate window, as shown in the nextscreenshot.Replayingthesepacketsafewthousandtimes,wewillgeneratealotofdatatrafficonthenetwork.EventhoughAireplay-ngdoesnotknowtheWEPkey,itisabletoidentifytheARPpacketsbylookingatthesizeof
the packets. ARP is a fixed header protocol; thus, the size of the ARPpackets can be easily determined and can be used to identify them evenwithinencryptedtraffic.Wewillrunaireplay-ngwiththeoptionsthatarediscussednext.The-3optionisforARPreplay,-bspecifiestheBSSIDofournetwork,and-hspecifiestheclientMACaddressthatwearespoofing.Weneedtodothis,asreplayattackswillonlyworkforauthenticatedandassociatedclientMACaddresses:
15. Verysoonyoushouldseethataireplay-ngwasabletosniffARPpacketsand started replaying them into the network. If you encounter channel-relatederrorsasIdid,append–ignore-negative-onetoyourcommand,asshowninthefollowingscreenshot:
16. Atthispoint,airodump-ngwillalsostartregisteringalotofdatapackets.All these sniffedpacketsarebeing stored in theWEPCrackingDemo-* filesthatwesawpreviously:
17. Nowlet'sstartwiththeactualcrackingpart!Wefireupaircrack-ngwiththeoptionWEPCRackingDemo-0*.cap inanewwindow.Thiswill start theaircrack-ngsoftwareanditwillbeginworkingoncrackingtheWEPkeyusing the data packets in the file. Note that it is a good idea to haveAirodump-ngcollect theWEPpackets,aireplay-ngdo the replayattack,and aircrack-ng attempt to crack the WEP key based on the captured
packets, all at the same time. In this experiment, all of them are open inseparatewindows.
18. Yourscreenshouldlooklikethefollowingscreenshotwhenaircrack-ngisworkingonthepacketstocracktheWEPkey:
19. Thenumberofdatapackets required tocrack thekey isnondeterministic,
butgenerallyintheorderofahundredthousandormore.Onafastnetwork(or using aireplay-ng), this should take 5-10 minutes at most. If thenumberofdatapacketscurrentlyinthefileisnotsufficient,thenaircrack-ng will pause, as shown in the following screenshot, and wait for morepacketstobecaptured;itwillthenrestartthecrackingprocess:
20. Onceenoughdatapacketshavebeencapturedandprocessed,aircrack-ngshouldbeabletobreakthekey.Onceitdoes, itproudlydisplaysit intheterminalandexits,asshowninthefollowingscreenshot:
21. It is important to note thatWEP is totally flawed and anyWEP key (nomatter how complex) will be cracked by Aircrack-ng. The only
requirementisthatalargeenoughnumberofdatapackets,encryptedwiththiskey,aremadeavailabletoaircrack-ng.
Whatjusthappened?
WesetupWEPinourlabandsuccessfullycrackedtheWEPkey.Inordertodothis,wefirstwaitedforalegitimateclientofthenetworktoconnecttotheaccesspoint.After this,we used the aireplay-ng tool to replayARP packets into thenetwork. This caused the network to send ARP replay packets, thus greatlyincreasing the number of data packets sent over the air. We then used theaircrack-ngtooltocracktheWEPkeybyanalyzingcryptographicweaknessesinthesedatapackets.
NotethatwecanalsofakeanauthenticationtotheaccesspointusingtheSharedKey Authentication bypass technique we learnt in the last chapter. This cancomeinhandyif thelegitimateclient leavesthenetwork.Thiswillensurethatwe can spoof an authentication and association and continue to send ourreplayedpacketsintothenetwork.
Haveagohero–fakeauthenticationwithWEPcracking
In the previous exercise, if the legitimate client had suddenly logged off thenetwork,wewouldnothavebeenabletoreplaythepacketsastheaccesspointwillrefusetoacceptpacketsfromun-associatedclients.
Your challenge will be to fake an authentication and association using theShared Key Authentication bypass we learnt in the last chapter, while WEPcrackingisgoingon.Logoff thelegitimateclientfromthenetworkandverifythatyouarestillabletoinjectpacketsintothenetworkandwhethertheaccesspointacceptsandrespondstothem.
WPA/WPA2WPA (or WPA v1 as it is referred to sometimes) primarily uses the TKIPencryption algorithm. TKIP was aimed at improvingWEP, without requiringcompletelynewhardwaretorunit.WPA2incontrastmandatorilyusestheAES-CCMPalgorithmforencryption,whichismuchmorepowerfulandrobustthanTKIP.
BothWPAandWPA2alloweitherEAP-based authentication, usingRADIUSservers (Enterprise)or aPre-Sharedkey (PSK) (personal)-basedauthenticationschema.
WPA/WPA2PSK is vulnerable to a dictionary attack.The inputs required forthis attack are the four-wayWPAhandshake between client and access point,and a wordlist that contains common passphrases. Then, using tools such asAircrack-ng,wecantrytocracktheWPA/WPA2PSKpassphrase.
Anillustrationofthefour-wayhandshakeisshowninthefollowingscreenshot:
ThewayWPA/WPA2PSKworks is that itderives theper-sessionkey, calledthe Pairwise Transient Key (PTK), using the Pre-Shared Key and five otherparameters—SSID of Network, Authenticator Nounce (ANounce), SupplicantNounce (SNounce), Authenticator MAC address (Access Point MAC), andSuppliantMACaddress(Wi-FiClientMAC).Thiskey is thenused toencryptalldatabetweentheaccesspointandclient.
Anattackerwhoiseavesdroppingonthisentireconversationbysniffingtheaircangetallfiveparametersmentionedinthepreviousparagraph.TheonlythinghedoesnothaveisthePre-SharedKey.So,howisthePre-SharedKeycreated?ItisderivedbyusingtheWPA-PSKpassphrasesuppliedbytheuser,alongwiththeSSID.ThecombinationofbothoftheseissentthroughthePassword-BasedKeyDerivationFunction(PBKDF2),whichoutputsthe256-bitsharedkey.
Ina typicalWPA/WPA2PSKdictionaryattack, theattackerwouldusea largedictionaryofpossiblepassphraseswiththeattacktool.Thetoolwouldderivethe256-bitPre-Sharedkey fromeachof thepassphrases anduse itwith theotherparameters,describedearlier,tocreatethePTK.ThePTKwillbeusedtoverifythe Message Integrity Check (MIC) in one of the handshake packets. If itmatches,thentheguessedpassphrasefromthedictionarywascorrect; ifnot, itwasincorrect.
Eventually,iftheauthorizednetworkpassphraseexistsinthedictionary,itwillbe identified. This is exactly how WPA/WPA2 PSK cracking works! Thefollowingfigureillustratesthestepsinvolved:
Inthenextexercise,wewill takealookathowtocrackaWPAPSKwirelessnetwork. The exact same steps will be involved in cracking a WPA2-PSKnetworkusingCCMP(AES)aswell.
Time for action – cracking WPA-PSK weakpassphrasesFollowthegiveninstructionstogetstarted:
1. Let'sfirstconnecttoouraccesspointWirelessLabandsettheaccesspointto useWPA-PSK.Wewill set theWPA-PSKpassphrase toabcdefgh sothatitisvulnerabletoadictionaryattack:
2. We start airodump-ng with the following command so that it startscapturingandstoringallpacketsforournetwork:
airodump-ng–bssid00:21:91:D2:8E:25–channel11–write
WPACrackingDemomon0"
Thefollowingscreenshotshowstheoutput:
3. Nowwecanwaitforanewclienttoconnecttotheaccesspointsothatwecan capture the four-way WPA handshake, or we can send a broadcastdeauthentication packet to force clients to reconnect.We do the latter tospeed things up. The same thing can happen again with the unknownchannel error. Again, use –-ignore-negative-one. This can also requiremorethanoneattempt:
4. As soon as we capture a WPA handshake, the airodump-ng tool willindicate it in the top-right corner of the screen with a WPA handshakefollowedbytheaccesspoint'sBSSID.Ifyouareusing–ignore-negative-one, the tool may replace the WPA handshake with a fixed channelmessage.JustkeepaneyeoutforaquickflashofaWPAhandshake.
5. We can stop the airodump-ng utility now. Let's open up the cap file in
Wireshark and view the four-way handshake. Your Wireshark terminalshouldlooklikethefollowingscreenshot.Ihaveselectedthefirstpacketofthe four-wayhandshake in the trace file in thescreenshot.ThehandshakepacketsaretheonewhoseprotocolisEAPOL:
6. Nowwe will start the actual key cracking exercise! For this, we need a
dictionaryofcommonwords.Kali shipswithmanydictionary files in themetasploit folder located as shown in the following screenshot. It isimportant to note that, in WPA cracking, you are just as good as yourdictionary. BackTrack ships with some dictionaries, but these may beinsufficient.Passwords thatpeoplechoosedependona lotof things.Thisincludes things such as which country users live in, common names andphrases in that region the, security awareness of the users, and a host ofother things. It may be a good idea to aggregate country- and region-specificwordlists,whenundertakingapenetrationtest:
7. Wewillnowinvoketheaircrack-ngutilitywiththepcapfileastheinputand a link to the dictionary file, as shown in the following screenshot. Ihaveusednmap.lst,asshownintheterminal:
8. aircrack-ng uses the dictionary file to try various combinations ofpassphrases and tries to crack the key. If the passphrase is present in thedictionaryfile,itwilleventuallycrackitandyourscreenwilllooksimilartotheoneinthescreenshot:
9. Please note that, as this is a dictionary attack, the prerequisite is that thepassphrase must be present in the dictionary file you are supplying toaircrack-ng. If thepassphrase isnotpresent in thedictionary, theattackwillfail!
Whatjusthappened?
WesetupWPA-PSKonouraccesspointwithacommonpassphrase:abcdefgh.Wethenuseadeauthenticationattacktohavelegitimateclientsreconnecttotheaccess point. When we reconnect, we capture the four-way WPA handshakebetweentheaccesspointandtheclient.
AsWPA-PSKisvulnerabletoadictionaryattack,wefeedthecapturefilethatcontainstheWPAfour-wayhandshakeandalistofcommonpassphrases(intheformofawordlist)toAircrack-ng.Asthepassphraseabcdefghispresentinthewordlist, Aircrack-ng is able to crack theWPA-PSK shared passphrase. It isvery important to note again that, inWPA dictionary-based cracking, you arejustasgoodasthedictionaryyouhave.Thus,itisimportanttocompilealargeandelaboratedictionarybeforeyoubegin.ThoughBackTrackshipswithitsowndictionary,itmaybeinsufficientattimesandmightneedmorewords,especiallytakingintoaccountthelocalizationfactor.
Have a go hero – trying WPA-PSK cracking withCowpatty
CowpattyisatoolthatcanalsocrackaWPA-PSKpassphraseusingadictionaryattack.ThistoolisincludedwithBackTrack.IleaveitasanexerciseforyoutouseCowpattytocracktheWPA-PSKpassphrase.
Also,setanuncommonpassphrase that isnotpresent in thedictionaryand trytheattackagain.YouwillnowbeunsuccessfulincrackingthepassphrasewithbothAircrack-ngandCowpatty.
It is important to note that the same attack applies even to a WPA2 PSKnetwork.Iencourageyoutoverifythisindependently.
SpeedingupWPA/WPA2PSKcrackingAs we have already seen in the previous section, if we have the correctpassphraseinourdictionary,crackingWPA-Personalwillworkeverytimelikeacharm.So,whydon'twe justcreatea largeelaboratedictionaryofmillionsofcommonpasswordsandphrasespeopleuse?Thiswouldhelpusalotandmostofthetime,wewouldendupcrackingthepassphrase.Itallsoundsgreatbutwearemissingonekeycomponenthere—thetimetaken.OneofthemoreCPUandtime-consuming calculations is that of the Pre-Shared key using the PSKpassphrase and the SSID through the PBKDF2. This function hashes thecombinationofbothover4,096 timesbeforeoutputting the256-bitPre-Sharedkey.Thenextstepincrackinginvolvesusingthiskeyalongwithparametersinthe four-wayhandshake andverifying against theMIC in thehandshake.Thisstep is computationally inexpensive. Also, the parameters will vary in thehandshake every time and hence, this step cannot be precomputed. Thus, tospeed up the cracking process, we need to make the calculation of the Pre-Sharedkeyfromthepassphraseasfastaspossible.
We can speed this up by precalculating the Pre-Shared Key, also called thePairwiseMasterKey(PMK)in802.11standardparlance.Itisimportanttonotethat, as theSSID isalsoused tocalculate thePMK,with the samepassphraseandwithadifferentSSID,wewillendupwithadifferentPMK.Thus,thePMKdependsonboththepassphraseandtheSSID.
Inthenextexercise,wewilltakealookathowtoprecalculatethePMKanduseitforWPA/WPA2PSKcracking.
Timeforaction–speedingupthecrackingprocessWecanproceedwiththefollowingsteps:
1. We can precalculate the PMK for a given SSID and wordlist using thegenpmktoolwiththefollowingcommand:
genpmk –f <chosen wordlist>–d PMK-Wireless-Lab –s
"WirelessLab
ThiscreatesthePMK-Wireless-LabfilecontainingthepregeneratedPMK:
2. WenowcreateaWPA-PSKnetworkwiththepassphraseabcdefgh(presentinthedictionaryweused)andcaptureaWPA-handshakeforthatnetwork.We now use Cowpatty to crack the WPA passphrase, as shown in thefollowingscreenshot:
It takes approximately7.18 seconds forCowpatty to crack thekey, usingtheprecalculatedPMKs.
3. Wenowuseaircrack-ngwith the samedictionary file, and thecrackingprocess takes over 22 minutes. This shows how much we are gainingbecauseoftheprecalculation.
4. InordertousethesePMKswithaircrack-ng,weneedtouseatoolcalledairolib-ng. We will give it the options airolib-ng, PMK-Aircrack --import,and cowpatty PMK-Wireless-Lab, where PMK-Aircrack is theaircrack-ngcompatibledatabase tobecreatedandPMK-Wireless-LabisthegenpmkcompliantPMKdatabasethatwecreatedpreviously.
5. Wenowfeedthisdatabasetoaircrack-ngandthecrackingprocessspeedsupremarkably.Weusethefollowingcommand:
aircrack-ng–rPMK-AircrackWPACrackingDemo2-01.cap
6. There are additional tools available on BackTrack such as Pyrit that canleverage multi CPU systems to speed up cracking. We give the pcapfilenamewiththe-roptionandthegenpmkcompliantPMKfilewiththe-ioption.Evenonthesamesystemusedwith theprevious tools,Pyrit takesaround3secondstocrackthekey,usingthesamePMKfilecreatedusinggenpmk.
Whatjusthappened?
We lookedatvariousdifferent tools and techniques to speedupWPA/WPA2-PSKcracking.Thewholeideaistopre-calculatethePMKforagivenSSIDandalistofpassphrasesinourdictionary.
DecryptingWEPandWPApacketsInalltheexerciseswehavedonetillnow,wecrackedtheWEPandWPAkeysusingvarioustechniques.Whatdowedowiththisinformation?Thefirststepistodecryptdatapacketswehavecapturedusingthesekeys.
In the next exercise,wewill decrypt theWEP andWPApackets in the sametracefilethatwecapturedovertheair,usingthekeyswecracked.
Timeforaction–decryptingWEPandWPApacketsWecanproceedwiththefollowingsteps:
1. We will decrypt packets from the WEP capture file we created earlier:WEPCrackingDemo-01.cap. For this, we will use another tool in theAircrack-ngsuitecalledairdecap-ng.Wewillrunthefollowingcommand,as shown in the following screenshot, using the WEP key we crackedpreviously:
airdecap-ng -w abcdefabcdefabcdefabcdef12
WEPCrackingDemo-02.cap
2. The decrypted files are stored in a file named WEPCrackingDemo-02-dec.cap.Weusethetsharkutilitytoviewthefirsttenpacketsinthefile.Please note that you may see something different based on what youcaptured:
3. WPA/WPA2PSKwillworkinexactly thesamewayaswithWEP,usingthe airdecap-ng utility, as shown in the following screenshot, with thefollowingcommand:
airdecap-ng –p abdefg WPACrackingDemo-02.cap –e
"WirelessLab"
Whatjusthappened?
WejustsawhowwecandecryptWEPandWPA/WPA2-PSKencryptedpacketsusing Airdecap-ng. It is interesting to note that we can do the same usingWireshark. We would encourage you to explore how this can be done byconsultingtheWiresharkdocumentation.
ConnectingtoWEPandWPAnetworksWe can also connect to the authorized network after we have cracked thenetworkkey.Thiscancomeinhandyduringpenetration testing.Loggingontothe authorized network with the cracked key is the ultimate proof you canprovidetoyourclientthathisnetworkisinsecure.
Timeforaction–connectingtoaWEPnetworkWecanproceedwiththefollowingsteps:
1. UsetheiwconfigutilitytoconnecttoaWEPnetwork,onceyouhavethekey. In a past exercise, we broke the WEP key—abcdefabcdefabcdefabcdef12:
Timeforaction–connectingtoaWPAnetworkWecanproceedwiththefollowingsteps:
1. In the case ofWPA, thematter is a bitmore complicated.TheiwconfigutilitycannotbeusedwithWPA/WPA2PersonalandEnterprise,asitdoesnotsupportit.WewilluseanewtoolcalledWPA_supplicantforthislab.To use WPA_supplicant for a network, we will need to create aconfigurationfile,asshowninthefollowingscreenshot.Wewillnamethisfilewpa-supp.conf:
2. WewilltheninvoketheWPA_supplicantutilitywiththefollowingoptions:-Dwext-iwlan0–cwpa-supp.conftoconnecttotheWPAnetworkwejustcracked.Oncetheconnectionissuccessful,WPA_supplicantwillgiveyouthemessage:ConnectiontoXXXXcompleted.
3. ForboththeWEPandWPAnetworks,onceyouareconnected,youcanusedhcpclienttograbaDHCPaddressfromthenetworkbytypingdhclient3
wlan0.
Whatjusthappened?
The defaultWi-Fi utilityiwconfig cannot be used to connect toWPA/WPA2networks.Thede-factotoolforthisisWPA_Supplicant.Inthislab,wesawhowwecanuseittoconnecttoaWPAnetwork.
Popquiz–WLANencryptionflaws
Q1.WhatpacketsareusedforPacketReplay?
1. Deauthenticationpacket.2. Associatedpacket.3. EncryptedARPpacket.4. Noneoftheabove.
Q2.WhencanWEPbecracked?
1. Always.2. Onlyifaweakkey/passphraseischosen.3. Underspecialcircumstancesonly.4. Onlyiftheaccesspointrunsoldsoftware.
Q3.WhencanWPAbecracked?
1. Always.2. Onlyifaweakkey/passphraseischosen.3. Iftheclientcontainsoldfirmware.4. Evenwithnoclientconnectedtothewirelessnetwork.
SummaryInthischapter,welearntaboutWLANencryption.WEPisflawedandnomatterwhattheWEPkeyis,withenoughdatapacketsamples:itisalwayspossibletocrackWEP.WPA/WPA2iscryptographicallyun-crackablecurrently;however,under special circumstances, such as when a weak passphrase is chosen inWPA/WPA2-PSK, it is possible to retrieve the passphrase using dictionaryattacks.
In the next chapter, we will take a look at different attacks on the WLANinfrastructure,suchasrogueaccesspoints,eviltwins,bit-flippingattacks,andsoon.
Chapter5.AttacksontheWLANInfrastructure
"Thus,whatisofsupremeimportanceinwaristoattacktheenemy'sstrategy" --SunTzu,ArtofWar
Inthischapter,wewillattacktheWLANinfrastructure'score!Wewillfocusonhow we can penetrate into the authorized network using various new attackvectorsandlureauthorizedclientstoconnecttous,asanattacker.
TheWLAN infrastructure iswhatprovideswireless services to all theWLANclientsinasystem.Inthischapter,wewilltakealookatthevariousattacksthatcanbeconductedagainsttheinfrastructure:
DefaultaccountsandcredentialsontheaccesspointDenialofserviceattacksEviltwinandaccesspointMACspoofingRogueaccesspoints
DefaultaccountsandcredentialsontheaccesspointWLAN access points are the core building blocks of the infrastructure. Eventhoughtheyplaysuchanimportantrole,theyaresometimesthemostneglectedin terms of security. In this exercise, we will check whether the defaultpasswordshavebeenchangedontheaccesspointornot.Then,wewillgoontoverifythat,evenifthepasswordshavebeenchanged,theyarestilleasytoguessandcrackusingadictionary-basedattack.
Itisimportanttonotethat,aswemoveontomoreadvancedchapters,itwillbeassumedthatyouhavegonethroughthepreviouschaptersandarenowfamiliarwiththeuseofallthetoolsdiscussedthere.Thiswillallowustobuildonthatknowledgeandtrymorecomplicatedattacks!
Time for action – cracking default accounts on theaccesspointsFollowtheseinstructionstogetstarted:
1. Let'sfirstconnecttoouraccesspointWirelessLabandattempttonavigatetotheHTTPmanagementinterface.WeseethattheaccesspointmodelisTP-LinkWR841N,asshowninthefollowingscreenshot:
2. Fromthemanufacturer'swebsite,wefindthedefaultaccountcredentialsforadminareadmin.Wetrythisontheloginpageandwesucceedinloggingin.Thisshowshoweasyitistobreakintoaccountswithdefaultcredentials.We highly encourage you to obtain the router's usermanual online. Thiswill allow you to understand what you are dealing with during thepenetrationtestandgivesyouaninsightintootherconfigurationflawsyoucouldcheckfor:
Whatjusthappened?
Weverifiedthatthedefaultcredentialswereneverchangedonthisaccesspoint,and this could lead to a full network compromise. Also, even if the default
credentialsarechanged,theresultshouldnotbesomethingthatiseasytoguessorrunasimpledictionary-basedattackon.
Have a go hero – cracking accounts using brute-forceattacks
Inthepreviousexercise,changethepasswordtosomethingthatishardtoguessor find in a dictionary and see whether you can crack it using a brute-forceapproach. Limit the length and characters in the password so that you cansucceed at some point. One of the most common tools used to crack HTTPauthenticationiscalledHydraandisavailableonKali.
DenialofserviceattacksWLANsarepronetoDenialofService(DoS)attacksusingvarioustechniques,includingbutnotlimitedto:
deauthenticationattackDisassociationattackCTS-RTSattackSignalinterferenceorspectrumjammingattack
In the scope of this book, we will discuss deauthentication attacks on theWirelessLANinfrastructureusingthefollowingexperiment:
Timeforaction–deauthenticationDoSattacksFollowtheseinstructionstogetstarted:
1. Let'sconfigure theWirelessLabnetwork touseOpenAuthenticationandnoencryption.ThiswillallowustoseethepacketsusingWiresharkeasily:
2. Let's connect a Windows client to the access point. We will see theconnectionintheairodump-ngscreen:
4. Note how the client gets disconnected from the access point completely.Wecanverifythisontheairodump-ngscreenaswell:
5. If we use Wireshark to see the traffic, you will notice a lot ofdeauthenticationpacketsovertheairthatwejustsent:
6. WecandothesameattackbysendingaBroadcastdeauthenticationpacketonbehalfoftheaccesspointtotheentirewirelessnetwork.Thiswillhavetheeffectofdisconnectingallconnectedclients:
Whatjusthappened?
We successfully sent deauthentication frames to both the access point and theclient. This resulted in them getting disconnected and a full loss ofcommunicationbetweenthem.
WealsosentoutBroadcastdeauthenticationpackets,whichwillensurethatnoclientinthevicinitycansuccessfullyconnecttoouraccesspoint.
It is important tonote that, as soon as the client is disconnected, itwill try toconnectbackonceagaintotheaccesspoint,andthusthedeauthenticationattackhastobecarriedoutinasustainedwaytohaveafulldenialofserviceeffect.
This is one of the easiest attacks to orchestrate but has the most devastatingeffect.Thiscaneasilybeusedintherealworldtobringawirelessnetworkdownonitsknees.
Haveagohero–disassociationattacks
Try to check how you can conduct Dis-Association attacks against theinfrastructure using tools available on Kali. Can you do a broadcastdisassociationattack?
EviltwinandaccesspointMACspoofingOneof themostpotent attacksonWLAN infrastructures is the evil twin.Theideaistobasicallyintroduceanattacker-controlledaccesspointinthevicinityoftheWLANnetwork.ThisaccesspointwilladvertisetheexactsameSSIDastheauthorizedWLANnetwork.
Many wireless users may accidently connect to this malicious access point,thinking it ispartof theauthorizednetwork.Onceaconnection isestablished,the attacker canorchestrate aman-in-the-middle attack and transparently relaytrafficwhileeavesdroppingontheentirecommunication.Wewilltakealookathowaman-in-the-middleattackisdoneinalaterchapter.Intherealworld,anattackerwouldideallyusethisattackclosetotheauthorizednetworksothattheusergetsconfusedandaccidentlyconnectstotheattacker'snetwork.
AneviltwinhavingthesameMACaddressasanauthorizedaccesspointisevenmore difficult to detect and deter. This is where access pointMAC Spoofingcomes in! In thenextexperiment,wewill takea lookathowtocreateaneviltwin,coupledwithaccesspointMACspoofing.
Timeforaction–eviltwinsandMACspoofingFollowtheseinstructionstogetstarted:
1. Useairodump-ngtolocatetheaccesspoint'sBSSIDandESSID,whichwewouldliketoemulateintheeviltwin:
3. Usingthisinformation,wecreateanewaccesspointwiththesameESSIDbutadifferentBSSIDandMACaddressusingtheairbase-ngcommand.Minorerrorsmayoccurwithnewerreleases:
4. This new access point also shows up in the airodump-ng screen.. It isimportanttonotethatyouwillneedtorunairodump-nginanewwindowwiththefollowingcommand:
airodump-ng--channel11wlan0
Let'sseethisnewaccesspoint:
5. Nowwesendadeauthenticationframeto theclient,so itdisconnectsandimmediatelytriestoreconnect:
6. Asweareclosertothisclient,oursignalstrengthishigher,anditconnectstooureviltwinaccesspoint.
7. Wecanalsospoof theBSSDandMACaddressof theaccesspointusingthefollowingcommand:
airbase-ng–a<routermac>--essid"WirelessLab"–c11
mon0
8. Now if we look at through airodump-ng, it is almost impossible todifferentiatebetweenbothvisually:
9. Evenairodump-ngisunabletodiscernthatthereareactuallytwodifferentphysicalaccesspointsonthesamechannel.Thisisthemostpotentformof
theeviltwin.
Whatjusthappened?
Wecreatedaneviltwinfortheauthorizednetworkandusedadeauthenticationattacktohavethelegitimateclientconnectbacktous,insteadoftheauthorizednetworkaccesspoint.
It is important to note that, in the case of the authorized access point usingencryptionsuchasWEP/WPA,itmightbemoredifficulttoconductanattackinwhichtrafficeavesdroppingispossible.WewilltakealookathowtobreaktheWEPkeywithjustaclientusingtheCaffeLatteattackinalaterchapter.
Haveagohero–eviltwinsandchannelhopping
Inthepreviousexercise,runtheeviltwinondifferentchannelsandobservehowtheclient,oncedisconnected,hopschannelstoconnecttotheaccesspoint.Whatis thedeciding factor basedonwhich the client decideswhich accesspoint toconnectto?Isitsignalstrength?Experimentandvalidate.
ArogueaccesspointArogueaccesspointisanunauthorizedaccesspointconnectedtotheauthorizednetwork. Typically, this access point can be used as a backdoor entry by anattacker,thusenablinghimtobypassallsecuritycontrolsonthenetwork.Thiswouldmean that the firewalls, intrusionprevention systems, and soon,whichguard the border of a network, would be able to do little to stop him fromaccessingthenetwork.
Inthemostcommoncase,arogueaccesspointissettoOpenAuthenticationandnoencryption.Therogueaccesspointcanbecreatedinthefollowingtwoways:
Installing an actual physical device on the authorized network as a rogueaccesspoint.(ThisissomethingIleaveasanexercisetoyou.)Also,morethanwirelesssecurity,thishastodowithbreachingthephysicalsecurityoftheauthorizednetwork.Creating a rogue access point in software and bridging it with the localauthorizednetworkEthernetnetwork.Thiswillallowpracticallyanylaptoprunningontheauthorizednetworktofunctionasarogueaccesspoint.Wewilllookatthisinthenextexperiment.
Timeforaction–crackingWEPFollowtheseinstructionstogetstarted:
1. Let'sfirstbringupourrogueaccesspointusingairbase-ngandgiveittheESSIDRogue:
2. Wenowwant to create a bridgebetween theEthernet interface,which ispartoftheauthorizednetwork,andourrogueaccesspointinterface.Todothis,wewillfirst installbridge-utils files,createabridgeinterface,andname it Wifi-Bridge. The following screenshot shows the requiredcommandsinaction:
apt-getinstallbridge-utils
brctladdbrWifi-Bridge
Let'sseethefollowingoutputofthecommand:
3. WewillthenaddboththeEthernetandtheAt0virtualinterfacecreatedbyAirbase-ngtothisbridge:
brctladdifWifi-Bridgeeth0
brctladdifWifi-Bridgeath0
Thescreenshotofthecommandasfollows:
4. Wewillthenbringwiththeseinterfacesuptobringthebridgeupwiththe
5. WewillthenenableIPforwardinginthekerneltoensurethatpacketsareforwarded:
echo1>/proc/sys/net/ipv4/ip_forward
Thescreenshotofthecommandasfollows:
6. Brilliant!We are done.Now, anywireless client connecting to our rogueaccess point will have full access to the authorized network using thewireless-to-wired Wifi-Bridge we just built. We can verify this byconnecting a client to the rogue access point.Once connected, if you areusingVista,yourscreenmightlooklikethefollowing:
8. Wecannowaccessanyhostonthewirednetworkfromthiswirelessclientusingthisrogueaccesspoint.Next,wewillpingthegatewayonthewirednetwork:
Whatjusthappened?
WecreatedarogueaccesspointandusedittobridgealltheauthorizednetworkLANtrafficover thewirelessnetwork.Asyoucansee, this isa really serioussecuritythreatasanyonecanbreakintothewirednetworkusingthisbridge.
Haveagohero–rogueaccesspointchallenge
CheckwhetheryoucancreatearogueaccesspointthatusesWPA/WPA2-basedencryptiontolookmorelegitimateonthewirelessnetwork.
Popquiz–attacksontheWLANinfrastructure
Q1.Whatencryptiondoesarogueaccesspointuseinmostcases?
1. None.2. WEP.3. WPA.4. WPA2.
Q2.What is theadvantageofhaving thesameMACaddressas theauthorized
accesspointinaneviltwin?
1. Itmakesdetectingtheeviltwinmoredifficult.2. Itforcestheclienttoconnecttoit.3. Itincreasesthesignalstrengthofthenetwork.4. Noneoftheabove.
Q3.WhatdoDoSattacksdo?
1. Theybringdowntheoverallthroughputofthenetwork.2. Theydonottargettheclients.3. They can only be done if we know the network WEP/WPA/WPA2
credentials.4. Alloftheabove.
Q4.Whatdorogueaccesspointsdoandhowcantheybecreated?
1. Theyallowbackdoorentryintotheauthorizednetwork.2. TheyuseWPA2encryptiononly.3. They can be created as software-based access points or can be actual
devices.4. Both1and3.
SummaryIn this chapter,we explored differentways to compromise the security of theWirelessLANinfrastructure:
CompromisingdefaultaccountsandcredentialsonaccesspointsDenialofserviceattacksEviltwinsandMACSpoofingRogueaccesspointsintheenterprisenetwork
Inthenextchapter,wewilltakealookatdifferentattacksonthewirelessLANclient. Interestingly, most administrators feel that the client has no securityproblems toworryabout.Wewill seehownothingcouldbe furthers from thetruth.
Chapter6.AttackingtheClient
"Securityisjustasstrongastheweakestlink." --FamousQuoteinInformationSecurityDomain
Most penetration testers seem to give all their attention to the WLANinfrastructureanddon'tgivethewirelessclientevenafractionofthat.However,itisinterestingtonotethatahackercangainaccesstotheauthorizednetworkbycompromisingawirelessclientaswell.
In this chapter, we will shift our focus from the WLAN infrastructure to thewireless client. The client can be either a connected or isolated unassociatedclient.Wewill takealookatthevariousattacksthatcanbeusedtotargettheclient.
Wewillcoverthefollowingtopics:
HoneypotandMis-AssociationattacksTheCaffeLatteattackDeauthenticationanddisassociationattacksTheHirteattackAP-lessWPA-Personalcracking
HoneypotandMis-AssociationattacksNormally,whenawirelessclientsuchasalaptopisturnedon,itwillprobefornetworks it has previously connected to. These networks are stored in a listcalled the Preferred Network List (PNL) on Windows-based systems. Also,alongwiththislist,thewirelessclientwilldisplayanynetworksavailableinitsrange.
Ahackermaydooneormoreofthefollowingthings:
Silentlymonitortheprobesandbringupafakeaccesspointwiththesame
ESSID theclient is searching for.Thiswill cause theclient toconnect tothehackermachine,thinkingitisthelegitimatenetwork.Create fake access points with the same ESSID as neighboring ones topersuadetheusertoconnecttohim.SuchattacksareveryeasytoconductincoffeeshopsandairportswhereausermightbelookingtoconnecttoaWi-Ficonnection.Userecordedinformationtolearnaboutthevictim'smovementsandhabits,asweshowindetailinalaterchapter.
TheseattacksarecalledHoneypotattacks,because thehacker'saccesspoint ismis-associatedwiththelegitimateone.
Inthenextexercise,wewillcarryoutboththeseattacksinourlab.
Time for action – orchestrating a Mis-AssociationattackFollowtheseinstructionstogetstarted:
1. In the previous labs,we used a client that had connected to theWirelessLabaccesspoint.Let'sswitchontheclientbutnottheactualWirelessLabaccesspoint.Let'snowrunairodump-ngmon0andchecktheoutput.Youwill very soon find the client to be in the not associated mode andprobingforWirelessLabandotherSSIDsinitsstoredprofile:
2. Tounderstandwhatishappening,let'srunWiresharkandstartsniffingon
themon0interface.Asexpected,youmightseealotofpacketsthatarenotrelevant to our analysis. Apply a Wireshark filter to only display ProbeRequestpacketsfromtheclientMACyouareusing:
3. In my case, the filter would be wlan.fc.type_subtype == 0x04 &&
wlan.sa==<mymac>.You should now seeProbeRequest packets only
fromtheclientforthepreviouslyidentifiedSSIDs.4. Let's now start a fake access point for the networkWireless Lab on the
hackermachineusingthefollowingcommand:
airbase-ng–c3–e"WirelessLab"mon0
5. Withinaminuteorso, theclientshouldconnect tousautomatically.Thisshowshoweasyitistohaveun-associatedclients:
6. Nowwewilltryitincompetitionwithanotherrouter.WewillcreateafakeaccesspointWirelessLabinthepresenceof thelegitimateone.Let's turnour access point on to ensure thatWirelessLab is available to the client.
Forthisexperiment,wehavesettheaccesspointchannelto3.Lettheclientconnecttotheaccesspoint.Wecanverifythisfromairodump-ng,asshowninthefollowingscreenshot:
7. Nowlet'sbringupourfakeaccesspointwiththeSSIDWirelessLab:
8. Notice that the client is still connected to Wireless Lab, the legitimateaccesspoint:
9. We will now send broadcast deauthentication messages to the client onbehalfofthelegitimateaccesspointtobreaktheirconnection:
10. Assuming the signal strength of our fake access point Wireless Lab isstrongerthanthelegitimateonetotheclient,itconnectstoourfakeaccesspointinsteadofthelegitimateaccesspoint:
11. We can verify this by looking at the airodump-ng output to see the newassociationoftheclientwithourfakeaccesspoint:
Whatjusthappened?
WejustcreatedaHoneypotusingtheprobedlistfromtheclientandalsousingthesameESSIDasthatofneighboringaccesspoints.Inthefirstcase,theclientautomaticallyconnectedtous,asitwassearchingforthenetwork.Inthelattercase, as we were closer to the client than the real access point, our signalstrengthwashigher,andtheclientconnectedtous.
Have a go hero – forcing a client to connect to theHoneypot
In the previous exercise, what do we do if the client does not automaticallyconnect to us?Wewould have to send a deauthentication packet to break thelegitimate client-access point connection and then, if our signal strength ishigher, the client will connect to our spoofed access point. Try this out byconnectingaclienttoalegitimateaccesspoint,andthenforcingittoconnecttoyourHoneypot.
TheCaffeLatteattackIn the Honeypot attack, we noticed that clients will continuously probe forSSIDs they have connected to previously. If the client had connected to anaccesspointusingWEP,operatingsystemssuchasWindowscacheandstoretheWEP key. The next time the client connects to the same access point, theWindowswirelessconfigurationmanagerautomaticallyusesthestoredkey.
TheCaffeLatteattackwasinventedbyVivek,oneoftheauthorsofthisbook,andwasdemonstratedinToorcon9,SanDiego,USA.TheCaffeLatteattackisaWEP attack that allows a hacker to retrieve theWEP key of the authorizednetwork, using just the client. The attack does not require the client to beanywhereclosetotheauthorizedWEPnetwork.ItcancracktheWEPkeyusingjusttheisolatedclient.
In thenext exercise,wewill retrieve theWEPkeyof anetwork fromaclientusingtheCaffeLatteattack.
Timeforaction–conductingaCaffeLatteattackFollowtheseinstructionstogetstarted:
1. Let's first set up our legitimate access point with WEP for the networkWirelessLabwiththeABCDEFABCDEFABCDEF12keyinHex:
2. Let's connect our client to it and verify that the connection is successfulusingairodump-ng,asshowninthefollowingscreenshot:
3. Let's unplug the access point and ensure that the client is in the un-associatedstageandsearchesfortheWEPnetworkWirelessLab.
4. Nowweuseairbase-ngtobringupanaccesspointwithWirelessLabastheSSID,withtheparametersasshownhere:
5. As soon as the client connects to this access point,airbase-ng starts theCaffeLatteattack,asshownhere:
6. Wenowstartairodump-ngtocollectthedatapacketsfromthisaccesspointonly,aswedidbeforeintheWEPcrackingscenario:
7. Wealsostartaircrack-ngasintheWEP-crackingexercisewedidbeforeto begin the cracking process. The command line will be aircrack-ngfilename,wherethefilenameisthenameofthefilecreatedbyairodump-ng.
Whatjusthappened?
We were successful in retrieving the WEP key from just the wireless clientwithout requiring an actual access point to be used or present in the vicinity.ThisisthepoweroftheCaffeLatteattack.
Inbasicterms,aWEPaccesspointdoesn'tneedtoprovetoaclientthatitknowstheWEPkeyinordertoreceiveencryptedtraffic.Thefirstpieceoftrafficthat
willalwaysbesenttoarouteruponconnectingtoanewnetworkwillbeanARPrequesttoaskforanIP.
TheattackworksbybitflippingandreplayingARPpacketssentbythewirelessclientpostassociationwiththefakeaccesspointcreatedbyus.ThesebitflippedARP Request packets cause more ARP response packets to be sent by thewirelessclient.
Bit-flippingtakesanencryptedvalueandaltersittocreateadifferentencryptedvalue.Inthiscircumstance,wecantakeanencryptedARPrequestandcreateanARPresponsewithahighdegreeofaccuracy.OncewesendbackavalidARPresponse,wecanreplaythisvalueoverandoveragaintogeneratethetrafficweneedtodecrypttheWEPkey.
NotethatallthesepacketsareencryptedusingtheWEPkeystoredontheclient.Onceweareabletogatheralargenumberofthesedatapackets,aircrack-NGisabletorecovertheWEPkeyeasily.
Haveagohero–practisemakesperfect!
Trychanging theWEPkeyandrepeat theattack.This isadifficultattackandrequiressomepracticetoorchestratesuccessfully.ItwouldalsobeagoodideatouseWiresharkandexaminethetrafficonthewirelessnetwork.
DeauthenticationanddisassociationattacksWehaveseendeauthenticationattacksinpreviouschaptersaswellinthecontextoftheaccesspoint.Inthischapter,wewillexplorethisattackinthecontextoftheclient.
Inthenextlab,wewillsenddeauthenticationpacketstojusttheclientandbreakanestablishedconnectionbetweentheaccesspointandtheclient.
Timeforaction–deauthenticatingtheclientFollowtheseinstructionstogetstarted:
1. Let's first bring our access pointWirelessLab online again. Let's keep itrunningonWEPtoprovethat,evenwithencryptionenabled,itispossibletoattacktheaccesspointandclientconnection.Let'sverifythattheaccesspointisupusingairodump-ng:
2. Let'sconnectourclienttothisaccesspointandverifyitwithairodump-ng:
3. Wewillnowrunaireplay-ngtotargettheaccesspointconnection:
4. Theclientgetsdisconnectedandtriestoreconnecttotheaccesspoint.WecanverifythisusingWiresharkjustaswedidearlier:
5. We have now seen that, even in the presence of WEP encryption, it ispossibletodeauthenticateaclientanddisconnectit.Thesameisvalidevenin the presence ofWPA/WPA2. Let's now set our access point toWPAencryptionandverifyit:
7. Let'snowrunaireplay-ngtodisconnecttheclientfromtheaccesspoint:
Whatjusthappened?
We just learnt how to disconnect a wireless client selectively from an accesspointusingdeauthenticationframeseveninthepresenceofencryptionschemassuchasWEP/WPA/WPA2.Thiswasdonebysendingadeauthenticationpacketto just the access point—client pair, instead of sending a broadcastdeauthenticationtotheentirenetwork.
Haveagohero–disassociationattackontheclient
In the previous exercise, we used a deauthentication attack to break theconnection.Tryusingadisassociationpackettobreaktheestablishedconnectionbetweenaclientandanaccesspoint.
TheHirteattackWe've already seen how to conduct the Caffe Latte attack. The Hirte attackextendstheCaffeLatteattackusingfragmentationtechniquesandallowsalmostanypackettobeused.
MoreinformationontheHirteattackisavailableontheAircrack-ngwebsiteathttp://www.aircrack-ng.org/doku.php?id=hirte.
Wewillnowuseaircrack-ngtoconductaHirteattackonthesameclient.
Timeforaction–crackingWEPwiththeHirteattackFollowtheseinstructionstogetstarted:
1. Create aWEP access point exactly as in theCaffeLatte attack using theairbase-ngtool.Theonlyadditionaloptionisthe-Noptioninsteadofthe-LoptiontolaunchtheHirteattack:
2. Startairodump-nginaseparatewindowtocapturepacketsfortheWirelessLabHoneypot:
3. Now, airodump-ng will start monitoring this network and storing thepacketsintheHirte-01.capfile:
4. Once the roamingclientconnects toourHoneypotAP, theHirteattack isautomaticallylaunchedbyairbase-ng:
5. We start aircrack-ng as in the case of the Caffe Latte attack andeventually,thekeywillbecracked.
Whatjusthappened?
Welaunched theHirteattackagainstaWEPclient thatwas isolatedandawayfromtheauthorizednetwork.WecrackedthekeyexactlythesamewayasintheCaffeLatteattackcase.
Haveagohero–practise,practise,practise
WerecommendsettingdifferentWEPkeysontheclientandtryingthisexerciseacoupleoftimestogainconfidence.Youmaynoticemanytimesthatyoumayhavetoreconnecttheclienttogetittowork.
AP-lessWPA-PersonalcrackingInChapter4,wesawhowtocrackWPA/WPA2PSKusingaircrack-ng.Thebasic idea was to capture a four-way WPA handshake and then launch adictionaryattack.
Themilliondollarquestionis:WoulditbepossibletocrackWPA-Personalwithjusttheclient?Noaccesspoint!
Let'srevisittheWPAcrackingexercisetojogourmemory:
To crack WPA, we need the following four parameters from the four-wayhandshake—Authenticator Nounce, Supplicant Nounce, Authenticator MAC,andSupplicantMAC.Now,theinterestingthingisthatwedonotneedallofthefour packets in the handshake to extract this information. We can get thisinformationwithfourpackets;packets1and2orjustpackets2and3.
InordertocrackWPA-PSK,wewillbringupaWPA-PSKHoneypotand,whentheclientconnectstous,onlyMessage1andMessage2willcomethrough.As
wedonotknowthepassphrase,wecannotsendMessage3.However,Message1andMessage2containalltheinformationrequiredtobeginthekeycrackingprocess:
Timeforaction–AP-lessWPAcracking
1. WewillsetupaWPA-PSKHoneypotwiththeESSIDWirelessLab.The-z2optioncreatesaWPA-PSKaccesspoint,whichusesTKIP:
2. Let'salsostartairodump-ngtocapturepacketsfromthisnetwork:
3. Nowwhen our roaming client connects to this access point, it starts thehandshakebutfailstocompleteitafterMessage2,asdiscussedpreviously;however,thedatarequiredtocrackthehandshakehasbeencaptured.
4. Werun theairodump-ng capture file throughaircrack-ngwith thesamedictionaryfileasbefore;eventually,thepassphraseiscrackedasbefore.
Whatjusthappened?
We were able to crack theWPA key with just the client. This was possiblebecause, even with just the first two packets, we have all the informationrequiredtolaunchadictionaryattackonthehandshake.
Haveagohero–AP-lessWPAcracking
WerecommendsettingdifferentWEPkeysontheclientandtryingthisexerciseacoupleoftimestogainconfidence.Youmaynoticemanytimesthatyouhavetoreconnecttheclienttogetittowork.
Popquiz–attackingtheclient
Q1.WhatencryptionkeycantheCaffeLatteattackrecover?
1. None2. WEP3. WPA4. WPA2
Q2.WhatwouldaHoneypotaccesspointtypicallyuse?
1. NoEncryption,OpenAuthentication2. NoEncryption,SharedAuthentication3. WEPEncryption,OpenAuthentication4. Noneoftheabove
Q3.WhichoneofthefollowingisaDoSAttack?
1. Mis-Associationattacks2. Deauthenticationattacks3. Disassociationattacks4. Both2and3
Q4.WhatdoestheCaffeLatteattackrequire?
1. Thatthewirelessclientbeinradiorangeoftheaccesspoint2. ThattheclientcontainsacachedandstoredWEPkey3. WEPencryptionwithatleast128bitencryption4. Both1and3
SummaryInthischapter,welearnedthateventhewirelessclientissusceptibletoattacks.These include the Honeypot and other Mis-Association attacks; Caffe Latteattack to retrieve the key from the wireless client; deauthentication anddisassociationattackscausingaDenialofservice,HirteattackasanalternativetoretrievetheWEPkeyfromaroamingclient;and,finally,crackingtheWPA-Personalpassphrasewithjusttheclient.
In the next chapter,wewill usewhatwe've learned so far to conduct variousadvancedwirelessattacksonboththeclientandinfrastructureside.So,quicklyflipthepagetothenextchapter!
Chapter7.AdvancedWLANAttacks
"Toknowyourenemy,youmustbecomeyourenemy." --SunTzu,ArtofWar
Asapenetration tester, it is important to know theadvancedattacksahackercando,even ifyoumightnotcheckordemonstrate themduringapenetrationtest.Thischapter isdedicatedtoshowinghowahackercanconductadvancedattacksusingwirelessaccessasthestartingpoint.
In this chapter, wewill take a look at howwe can conduct advanced attacksusingwhatwehavelearnedsofar.Wewillprimarilyfocusontheman-in-the-middleattack(MITM),whichrequiresacertainamountofskillandpracticetoconductsuccessfully.Oncewehavedonethis,wewillusethisMITMattackasabase fromwhich to conductmore sophisticatedattacks suchasEavesdroppingandsessionhijacking.
Inthischapter,wewillcoverthefollowingtopics:
MITMattackWirelessEavesdroppingusingMITMSessionhijackingusingMITM
Aman-in-the-middleattackMITMattacksareprobablyoneofthemostpotentattacksonaWLANsystem.Therearedifferentconfigurationsthatcanbeusedtoconducttheattack.Wewilluse the most common one—the attacker is connected to the Internet using awiredLANand is creating a fake access point on his client card.This accesspointbroadcastsanSSIDsimilar toa localhotspot in thevicinity.Ausermayaccidently get connected to this fake access point (or can be forced to via thehigher signal strength theory we discussed in the previous chapters) andmaycontinuetobelievethatheisconnectedtothelegitimateaccesspoint.
Theattackercannowtransparentlyforwardalltheuser'strafficovertheInternetusingthebridgehehascreatedbetweenthewiredandwirelessinterfaces.
Inthefollowinglabexercise,wewillsimulatethisattack.
Timeforaction–man-in-the-middleattackFollowtheseinstructionstogetstarted:
1. To create the man-in-the-middle attack setup, we will first create a softaccesspointcalledmitmonthehackerlaptopusingairbase-ng.Werunthefollowingcommand:
airbase-ng--essidmitm–c11mon0
Theoutputofthecommandisasfollows:
2. Itisimportanttonotethatairbase-ng,whenrun,createsaninterfaceat0(atapinterface).Thinkofthisasthewired-sideinterfaceofoursoftware-basedaccesspointmitm:
3. Let's now create a bridge on the hacker's laptop, consisting of the wired(eth0)andwirelessinterface(at0).Thesuccessionofcommandsusedforthisisasfollows:
brctladdbrmitm-bridge
brctladdifmitm-bridgeeth0
brctladdifmitm-bridgeat0
ifconfigeth00.0.0.0up
ifconfigat00.0.0.0up
4. WecanassignanIPaddresstothisbridgeandchecktheconnectivitywiththegateway.PleasenotethatwecandothisusingDHCPaswell.WecanassignanIPaddresstothebridgeinterfacewiththefollowingcommand:
ifconfigmitm-bridge192.168.0.199up
We can then try pinging the gateway 192.168.0.1 to ensure thatwe areconnectedtotherestofthenetwork.
5. Let's now turnon IP forwarding in thekernel, so that routing andpacketforwardingcanhappencorrectly,usingthefollowingcommand:
echo1>/proc/sys/net/ipv4/ip_forward
Theoutputofthecommandisasfollows:
6. Now let's connect a wireless client to our access point mitm. It willautomatically get an IP address over DHCP (the server running on thewired-sidegateway).TheclientmachineinthiscasereceivestheIPaddress
192.168.0.197.Wecanpingthewired-sidegateway192.168.0.1toverifyconnectivity:
7. Wecanseethatthehostrespondstothepingrequests,asshownhere:
8. Wecanalsoverifythattheclientisconnectedbylookingattheairbase-ngterminalonthehacker'smachine:
9. It is interesting to note here that, because all the traffic is being relayedfromthewirelessinterfacetothewired-side,wehavefullcontroloverthetraffic.We can verify this by startingWireshark and sniffing on the at0interface:
10. Let'snowpingthegateway192.168.0.1fromtheclientmachine.WecanseethepacketsinWireshark(applyadisplayfilterforICMP),eventhoughthepacketsarenotdestinedforus.Thisisthepowerofman-in-the-middleattacks:
Whatjusthappened?
WesuccessfullycreatedthesetupforawirelessMan-in-the-Middleattack.Wedid this by creating a fake access point and bridging it with our Ethernetinterface. This ensured that any wireless client connecting to the fake accesspointwillperceivethatitisconnectedtotheInternetviathewiredLAN.
Haveagohero–man-in-the-middleoverpurewireless
Inthepreviousexercise,webridgedthewirelessinterfacewithawiredone.As
we noted earlier, this is one of the possible connection architectures for anMITM.Thereareothercombinationspossibleaswell.Aninterestingonewouldbetohavetwowirelessinterfaces,onethatcreatesthefakeaccesspointandtheother interface that is connected to the authorized access point. Both theseinterfaces are bridged. So,when awireless client connects to our fake accesspoint, it gets connected to the authorized access point through the attacker'smachine.
Pleasenotethatthisconfigurationwouldrequiretheuseoftwowirelesscardsontheattacker'slaptop.
Checkwhetheryoucanconductthisattackusingthein-builtcardonyourlaptopalongwiththeexternalone—bearinmind,youmaynothavetheinjectiondrivesrequiredforthisactivity.Thisshouldbeagoodchallenge!
WirelessEavesdroppingusingMITMInthepreviouslab,welearnedhowtocreateasetupforMITM.Now,wewilltakealookathowtodoWirelessEavesdroppingwiththissetup.
Thewhole lab revolvesaround theprinciple thatall thevictim's traffic isnowroutedthroughtheattacker'scomputer.Thus, theattackercaneavesdroponallthetrafficsenttoandfromthevictim'smachinewirelessly.
Timeforaction–WirelessEavesdroppingFollowtheseinstructionstogetstarted:
1. Replicate the entire setup as in the previous lab. Fire up Wireshark.Interestingly,eventheMITM-bridgeshowsup.Thisinterfacewouldallowustopeerintothebridgetraffic,ifwewantedto:
3. On the wireless client, open up any web page. In my case, the wirelessaccesspoint is alsoconnected toLANand Iwill open it upbyusing theaddresshttp://192.168.0.1:
4. Signinwithyourpasswordandenterthemanagementinterface.5. InWireshark,weshouldbeseeingalotofactivity:
7. We can easily locate the HTTP post request that was used to send thepasswordtothewirelessaccesspoint:
9. ExpandingontheHTTPheader,allowsustoseethatactuallythepasswordweenteredinplaintextwasnotsentasis;instead,ahashhasbeensent.Ifwe takea lookat thepacket, labeledasnumber64 inascreenshoton theprevious page, we can see that a request was made for /md5.js, whichmakesussuspectthatit isamd5hashofthepassword.It isinterestingtonote here that this technique may be prone to a replay attack if acryptographicsalt isnotusedonapersessionbasis in thecreationof thehash.Weleaveitasanexercisefortheusertofindoutthedetails,asthisisnotpartofwirelesssecurityandhencebeyondthescopeofthisbook:
10. Thisshowshoweasyit is tomonitorandeavesdropontrafficsentbytheclientduringaman-in-the-middleattack.
Whatjusthappened?
TheMITMsetupwecreatednowallowsustoeavesdroponthevictim'swirelesstrafficwithoutthevictimknowing.Thisispossiblebecause,inanMITM,allthetrafficisrelayedviatheattacker'smachine.Thus,allofthevictim'sunencryptedtrafficisavailableforeavesdroppingfortheattacker.
Haveagohero–findingGooglesearches
In today's world, all of us would like to keepwhat we search for onGoogleprivate.ThetrafficonGooglesearchisunfortunatelyoverHTTPandplaintextbydefault.
Canyou thinkof an intelligent display filter you could usewithWireshark toviewallGooglesearchesmadebythevictim?
SessionhijackingoverwirelessOneoftheotherinterestingattackswecanbuildontopofMITMisapplicationsessionhijacking.DuringanMITMattack, thevictim'spacketsare sent to theattacker. It is now the attacker's responsibility to relay this to the legitimatedestination and relay the responses from the destination to the victim. Aninterestingthingtonoteisthat,duringthisprocess,theattackercanmodifythedatainthepackets(ifunencryptedandunprotectedfromtampering).Thismeanshecanmodify,mangle,andevensilentlydroppackets.
Inthisnextexample,wewilltakealookatDNShijackingoverwirelessusingtheMITMsetup.Then,usingDNShijacking,wewillhijackthebrowsersessiontohttps://www.google.com.
Timeforaction–sessionhijackingoverwireless
1. Setupthetestexactlyasintheman-in-the-middleattacklab.Onthevictim,let's fire up the browser and type in https://www.google.com. Let's useWireshark to monitor this traffic. Your screen should resemble thefollowing:
2. ApplyaWiresharkfilterforDNSand,aswecansee,thevictimismakingDNSrequestsforhttps://www.google.com:
3. In order to hijack the browser session, we will need to send fake DNSresponsesthatwillresolvetheIPaddressofhttps://www.google.comtothehackermachine'sIPaddress192.168.0.199.Thetoolthatwewilluseforthisiscalleddnsspoofandthesyntaxisasfollows:
dnspoof–imitm-bridge
Theoutputofthecommandisasfollows:
4. Refreshthebrowserwindowsandnow,aswecanseethroughWireshark,as soon as the victim makes a DNS request for any host (includinggoogle.com),Dnsspoofrepliesback:
is because we made the IP address for google.com as 192.168.0.199,which is thehackermachine's IP,but there isnoservice listeningonport80:
6. Let'srunApacheonKaliusingthefollowingcommand:
apachet2ctlstart
Theoutputofthecommandisasfollows:
7. Now,oncewerefreshthebrowseronthevictim,wearegreetedwiththeItWorks!defaultpageofApache:
8. This demonstration shows how it is possible to intercept data and sendspoofedresponsestohijacksessionsonthevictim.
Whatjusthappened?
WedidanapplicationhijackingattackusingaWirelessMITMasthebase.Sowhathappenedbehindthescenes?TheMITMsetupensuredthatwewereableto see all the packets sent by the victim. As soon as we saw a DNS requestpacketcomingfromthevictim,theDnsspoofprogramrunningontheattacker'slaptopsentaDNSresponsetothevictimwiththeattackermachine'sIPaddressthatofgoogle.com.Thevictim'slaptopacceptedthisresponseandthebrowsersentanHTTPrequesttotheattacker'sIPaddressonport80.
Inthefirstpartoftheexperiment, therewasnolisteningprocessonport80oftheattacker'smachineandthus,Firefoxrespondedwithanerror.Then,oncewestartedtheApacheserverontheattacker'smachineonport80(thedefaultport),thebrowser'srequestedreceivedaresponsefromtheattacker'smachinewiththedefaultItWorks!page.
Thislabshowsusthat,oncewehavefullcontrolofthelowerlayers(Layer2in
thiscase),itiseasytohijackapplicationsrunningonhigherlayerssuchasDNSclientsandwebbrowsers.
Haveagohero–applicationhijackingchallenge
ThenextstepinsessionhijackingusingawirelessMITMwillbetomodifythedatabeing transmittedby the client.Explore software availableonKali calledEttercap.Thiswillhelpyoucreatesearchandreplacefiltersfornetworktraffic.
Inthischallenge,writeasimplefiltertoreplacealloccurrencesofsecurityinthenetwork traffic to insecurity. Try searching Google for security and checkwhethertheresultsshowupforinsecurityinstead.
FindingsecurityconfigurationsontheclientIn previous chapters, we have seen how to create Honeypots for open accesspoints,WEP-protectedandWPA,but,whenweare in the field and seeProbeRequests from the client, how do we know which network the probed SSIDbelongto?
Thoughthisseemstrickyatfirst,thesolutiontothisproblemissimple.Weneedto create access points advertising the same SSID but with different securityconfigurationssimultaneously.Whenaroamingclientsearchesforanetwork,itwill automatically connect to oneof these access points basedon the networkconfigurationstoredonit.
So,letthegamesbegin!
Time for action – deauthentication attacks on theclient
1. We will assume that the wireless client has a network Wireless Labconfigured on it, and it actively sends Probe Requests for this network,when it isnotconnected toanyaccesspoint. Inorder to find thesecurityconfigurationofthisnetwork,wewillneedtocreatemultipleaccesspoints.For our discussion, we will assume that the client profile is an opennetwork,WEPprotected,WPA-PSK,orWPA2-PSK.Thismeanswewillhavetocreatefouraccesspoints.Todothis,wewillfirstcreatefourvirtualinterfaces—mon0 to mon3, using the airmon-ng start wlan0 commandmultipletimes:
2. You can view all these newly created interfaces using the ifconfig –acommand:
3. NowwewillcreatetheopenAPonmon0:
4. Let'screatetheWEPprotectedAPonmon1:
5. TheWPA-PSKAPwillbeonmon2:
6. WPA2-PSKAPwillbeonmon3:
7. Wecanrunairodump-ngonthesamechanneltoensurethatallfouraccesspointsareupandrunning,asshowninthefollowingscreenshot:
8. Nowlet'sswitchtheWi-Fionontheroamingclient.DependingonwhichWirelessLabnetworkyouconnectedittopreviously,itwillconnecttothatsecurityconfiguration.Inmycase,itconnectstotheWPA-PSKnetwork,asshowninthefollowingscreenshot:
Whatjusthappened?
We created multiple Honeypots with the same SSID but different securityconfigurations.Dependingonwhichconfiguration theclienthadstored for the"WirelessLab"network,itconnectedtotheappropriateone.
This technique can come in handy as, if you are doing a penetration test, youwon't know which security configurations the client has on its laptop. Thisallows you to find the appropriate one by setting a bait for the client. ThistechniqueisalsocalledWiFishing.
Haveagohero–baitingclients
Create different security configurations on the client for the same SSID, andcheckwhetheryoursetofHoneypotsisabletodetectthem.
It is important to note that many Wi-Fi clients might not actively probe fornetworkstheyhavestoredintheirprofile.Itmightnotbepossibletodetectthesenetworksusingthetechniquewediscussedhere.
Popquiz–advancedWLANattacks
Q1.InanMITMattack,whoisinthemiddle?
1. Theaccesspoint.2. Theattacker.3. Thevictim.4. Noneoftheabove.
Q2.Dnsspoof:
1. SpoofsDNSrequests.2. SpoofsDNSresponses.3. NeedstorunontheDNSserver.4. Needstorunontheaccesspoint.
Q3.AwirelessMITMattackcanbeorchestrated:
1. Onallwirelessclientsatthesametime.2. Onlyonechannelatatime.3. OnanySSID.4. Both3and4.
Q4.WhichistheinterfaceclosesttothevictiminourMITMsetup?
1. At0.2. Eth0.3. Br0.4. En0.
SummaryIn this chapter,we learnedhow to conduct advancedattacksusingwireless asthebase.WecreatedasetupforaMITMattackoverwirelessandthenusedittoeavesdrop on the victim's traffic. We then used the same setup to hijack theapplication layer of the victim (web traffic, to be specific) using a DNSpoisoningattack.
Inthenextchapter,wewilllearnhowtoconductawirelesspenetrationtestrightfrom the planning, discovery, and attack to the reporting stage.We will alsotouchuponthebestpracticestosecureWLANs.
Chapter8.AttackingWPA-EnterpriseandRADIUS
"Thebiggertheyare,thehardertheyFall." --PopularSaying
WPA-Enterprisehasalwayshadanauraofunbreakableabilityaroundit.Mostnetwork administrators think of it as a panacea for all theirwireless securityproblems. In this chapter, we will see that nothing could be further from thetruth.
Inthischapter,wewilllearnhowtoattackWPA-EnterpriseusingdifferenttoolsandtechniquesavailableonKali.
Inthischapter,wewillcoverthefollowingtopics:
SettingupFreeRADIUS-WPEAttackingPEAPonWindowsclientsSecuritybestpracticesforEnterprises
SettingupFreeRADIUS-WPEWewillneedaRADIUSserverfororchestratingWPA-Enterpriseattacks.Themost widely used open source RADIUS server is FreeRADIUS. However,settingitupisdifficultandconfiguringitforeachattackcanbetedious.
Joshua Wright, a well-known security researcher, created a patch forFreeRADIUSthatmakesiteasiertosetupandconductattacks.Thispatchwasreleased as the FreeRADIUS-WPE (Wireless Pwnage Edition). Kali doesn'tnaturallycomewithFreeRADIUS-WPE,soyouneedtoperformthefollowingstepstosetupFreeRADIUS-WPE:
1. Navigatetohttps://github.com/brad-anton/freeradius-wpeandyouwillfindthe downloaded link at https://github.com/brad-anton/freeradius-wpe/raw/master/freeradius-server-wpe_2.1.12-1_i386.deb:
Once it is downloaded, install it with dpkg –i freeradius-server-
wpe_2.1.12-1_i386.debfollowedbyldconfig:
Let'snowquicklysetuptheRADIUSserveronKali.
Time for action – setting up the AP withFreeRADIUS-WPEFollowtheseinstructionstogetstarted:
1. Connectoneof theLANportsof theaccesspoint to theEthernetportonyourmachinerunningKali.Inourcase,theinterfaceiseth0.Bringuptheinterface and get an IP address by running DHCP, as shown in thefollowingscreenshot:
2. Login to the access point and set the security mode to WPA/WPA2-Enterprise, setVersion toWPA2,Encryption toAES.Then, under theEAP(802.1x)section,entertheRadiusServerIPaddressasyourKalibuild'sIPaddress. The Radius Password will be test, as shown in the followingscreenshot:
3. Let's now open a new terminal and go to the directory
/usr/local/etc/raddb. This is where all the FreeRADIUS-WPEconfigurationfilesare:
4. Let'sopeneap.conf.Youwillfindthatthedefault_eap_typecommandissettoMD5.Let'schangethistopeap:
5. Let'sopenclients.conf.ThisiswherewedefinetheallowedlistofclientsthatcanconnecttoourRadiusserver.Interestingly,ifyoubrowserighttothebottom,ignoringtheexamplesettings,thesecretforclientsintherange192.168.0.0/16defaultstotest.Thisisexactlywhatweusedinstep2:
6. We are now all set to start theRADIUS serverwith theradiusd–s–Xcommand:
7. Onceyourunthis,youwillseealotofdebugmessagesonthescreen,buteventuallytheserverwillsettledowntolistenforrequests.Awesome!Weareallsetnowtostartourlabsessionsinthischapter:
Whatjusthappened?
WehavesuccessfullysetupFreeRADIUS-WPE.Wewillusethisintherestoftheexperimentsthatwewilldointhischapter.
Haveagohero–playingwithRADIUS
FreeRADIUS-WPE has tons of options. It may be a good idea to familiarizeyourself with them. Most importantly, take time to check out the differentconfigurationfilesandhowtheyallworktogether.
AttackingPEAPProtected Extensible Authentication Protocol (PEAP) is the most popularversion of EAP in use. This is the EAP mechanism shipped natively withWindows.
PEAPhastwoversions:
PEAPv0 with EAP-MSCHAPv2 (the most popular as this has nativesupportonWindows)PEAPv1withEAP-GTC
PEAPusesserver-sidecertificatesforvalidationoftheRADIUSserver.AlmostallattacksonPEAPleveragemisconfigurationsincertificatevalidation.
In the next lab, we will take look at how to crack PEAP when certificatevalidationisturnedoffontheclient.
Timeforaction–crackingPEAPFollowthegiveninstructionstogetstarted:
1. Wedouble-checktheeap.conffiletoensurethatPEAPisenabled:
2. WethenrestarttheRADIUSserverwithradiusd–s–X:
3. WemonitorthelogfilecreatedbyFreeRADIUS-WPE:
4. Windows has native support for PEAP. Let's ensure that certificateverificationhasbeenturnedoff:
5. WeneedtoclickontheConfiguretabthatisnexttoSecuredpasswordandtell Windows not to automatically use our Windows logon name andpassword:
6. WewillalsohavetoforceittoselectUserauthenticationintheAdvanced
Settingsdialogbox:
7. Once the client connects to the access point, the client is prompted for ausernameandpassword.WeuseMonsterastheusernameandabcdefghiasthepassword:
8. As soon as we do this, we are able to see the MSCHAP-v2 challengeresponseappearinthelogfile:
9. Wenowuseasleaptocrackthisusingapasswordlistfilethatcontainsthepassword abcdefghi, and we are able to crack the password! (For thepurposesofthisdemonstration,wesimplycreatedaone-linefilecalledlistwiththepasswordinit):
Whatjusthappened?
We set up our Honeypot using FreeRADIUS-WPE. The enterprise client ismisconfigured to not use certificate validation with PEAP. This allows us topresentourownfakecertificatetotheclient,whichitgladlyaccepts.Oncethishappens,MSCHAP-v2,theinnerauthenticationprotocol,kicksin.Astheclientuses our fake certificate to encrypt the data,we are easily able to recover theusername,challenge,andresponsetuples.
MSCHAP-v2 is prone to dictionary attacks. We use asleap to crack thechallengeandresponsepair,asitseemstobebasedonadictionaryword.
Haveagohero–attackvariationsonPEAP
PEAPcanbemisconfigured inmultipleways.Evenwith certificatevalidationenabled,iftheadministratordoesnotmentiontheauthenticserversinconnecttothese servers list, the attacker can obtain a real certificate for another domainfrom any of the listed certifying authorities. Thiswill still be accepted by theclient.Othervariationsofthisattackarepossibleaswell.
Wewillencourageyoutoexplorethedifferentpossibilitiesinthissection.
SecuritybestpracticesforEnterprisesWe have seen a ton of attacks against WPA/WPA2, both Personal andEnterprise.Basedonourexperience,werecommendthefollowing:
For SOHOs andmedium-sized businesses, useWPA2-PSKwith a strongpassphrase. You have up to 63 characters at your disposal.Make use ofthem.Forlargeenterprises,useWPA2-EnterprisewithEAP-TLS.Thisusesboththe client- and server-side certificates for authentication, and currently isunbreakable.IfyouhavetousePEAPorEAP-TTLSwithWPA2-Enterprise,thenensurethat certificate validation is turned on, the right certifying authorities arechosen,RADIUSserversthatareauthorizedareused,andfinally,thatanysetting that allows users to accept new RADIUS servers, certificates, orcertifyingauthoritiesisturnedoff.
Popquiz–attackingWPA-EnterpriseandRADIUS
Q1.WhichofthefollowingisFreeRADIUS-WPE?
1. ARADIUSserverwrittenfromscratch.2. ApatchtotheFreeRADIUSserver.3. ShipsbydefaultonallLinuxes.4. Noneoftheabove.
Q2.WhichofthefollowingcanbeusedtoattackPEAP?
1. Fakecredentials.2. Fakecertificates.3. UsingWPA-PSK.4. Alloftheabove.
Q3.WhatdoesEAP-TLSuse?
1. Client-sideCertificates.2. Server-sidecertificates.3. Either1or2.4. Both1and2.
Q4.WhatdoesEAP-TTLSuse?
1. Client-sidecertificatesonly.2. Server-sidecertificates.3. Password-basedauthentication.4. LEAP.
SummaryIn this chapter, we saw how we could compromise the security of a WPA-Enterprise network running PEAP or EAP-TTLS, the two most commonauthenticationmechanismsusedinEnterprises.
In thenextchapter,wewill takea lookathowtoputall thatwehave learnedintouseduringanactualpenetrationtest.
Chapter9.WLANPenetrationTestingMethodology
"Theproofisinthepudding." --Popularsaying
Thischapterwill layout thestepsthatgointotakingthetechniquestaughtinthepreviouschaptersandturningthemintoafullwirelesspenetrationtest.
WirelesspenetrationtestingTo perform a wireless penetration test, it is important to follow a definedmethodology.Simplyfiringup theairbaseorairodumpcommandandhopingfor thebestwillnot satisfy thegoalsofa test.Whenworkingasapenetrationtester, you must ensure that you adhere to the standards of the organizationyou'reworkingfor,andiftheydon'thaveany,thenyoushouldholdyourselftothehigheststandards.
Broadly, we can break up a wireless penetration testing exercise into thefollowingphases:
1. Planningphase.2. Discoveryphase.3. Attackphase.4. Reportingphase.
Wewillnowlookateachofthesephasesseparately.
PlanningInthisphase,wemustunderstandthefollowing:
Scopeoftheassessment:Thepenetrationtestershouldworkwiththeclientto define a scope that is achievable and will also provide the greatestamountof insight into the securityof anetwork.Typically, the followinginformationisgathered:
LocationofthepenetrationtestTotalcoverageareaofthepremisesApproximatenumberofaccesspointsandwirelessclientsdeployedWhichwirelessnetworksareincludedintheassessment?Isexploitationinscope?Areattacksagainstusersinscope?Isdenialofserviceinscope?
Effortestimation:Basedon thescopedefined, the testerwill thenhave toestimatehowmuchtimeisrequired.Bearinmindthatrescopingmayoccurfollowing this estimate, as organizations may have limited resourcesavailableintermsofbothtimeandmoney.Legality: Prior to performing a test, the client must give consent. Thisshould explain the testing to be covered and clearly define the level ofindemnity, insurance, and the limitations of the scope. If you are unsure,youwillneedtospeaktoaprofessionalintheseareas.Mostorganizationswill have their own versions that will likely also incorporate an Non-DisclosureAgreement(NDA).
Oncealloftheprecedingrequirementsareinplace,wearereadytogo!
DiscoveryIn this phase, the aim is to identify and apply characteristics to the wirelessdevicesandwirelessnetworkswithinthescope.
Allthetechniquestoperformthesehavebeenlaidoutinthepreviouschaptersbut,inbrief,theaimisto:
EnumeratevisibleandhiddenwirelessnetworksintheareaEnumeratedevices in thearea,alongwith thoseconnected to the targetednetworksMaptherangeofthenetworks,wheretheyarereachablefromandwhetherthere are places amalicious individual could operate from to perform anattack,forexample,acafe.
All of this information should be recorded. If the test is limited to theperformance of reconnaissance only, the testwill end here, and the testerwillattempt to draw conclusions based on this information. Some statements thatwouldbeusefultoaclientarebeasfollows:
Thenumberofdevices thathaveassociationswithopennetworksandthecorporatenetworkThenumberofdevices thathavenetworks thatcanbe linked to locationsthroughsolutionssuchasWiGLETheexistenceofweakencryptionThenetworkssetuparetoostrong
AttackOnce reconnaissance has been performed, exploitationmust be performed forproofofconcept.Iftheattackisbeingperformedaspartofaredteamorwiderassessment,thenexploitationshouldbeperformedtogainaccesstothenetworkassurreptitiouslyaspossible.
Inourattackingphase,wewillexplorethefollowing:
CrackingtheencryptionAttackingtheinfrastructureCompromisingclientsFindingvulnerableclientsFindingunauthorizedclients
Crackingtheencryption
The first step is to retrieve the keys for any vulnerable networks identified. Ifnetworks with WEP exist, perform the WEP-cracking methods explained inChapter4,WLANEncryptionFlaws.IfWPA2-securedsystemsarepresent,youhave two choices. If aiming to be stealthy, arrive on-site at times whenindividualsare likely tobeauthenticatingor re-authenticating.These timesarelikelytobe:
StartofthedayLunchtimeEndoftheday
Atthistime,setupyourWPAkeyretrievalsetupasshowninChapter4,WLANEncryptionFlaws.Alternatively,performthedeauthenticationattack,asshowninChapter6,AttackingtheClient.
Thisisnoisierandmorelikelytobedetectedinamatureorganization.
IfWPA-Enterpriseisinplace,bearinmindyouwillhavetousetheinformationgatheredfromthereconnaissance to target thecorrectnetworkandsetupyour
dummyEnterprisesetupasshownintheAttackingPEAPsectioninChapter8,AttackingWPA-EnterpriseandRADIUS.
You can attempt to break all passphrases but bear inmind that somewill beunbreakable. Following the performance of the test, check with the wirelessadministrator for the passphrase in use. Check to see whether it is a securepassphrase and that you, as a tester, did not experience a tool failure orweremerelyunlucky.
Attackinginfrastructure
Ifnetworkaccessisgainedthroughcrackingtheencryption,performastandardnetworkpenetrationtestifallowedinscope.Thefollowingshouldbeperformedasaminimum:
AportscanIdentifyingwhichservicesarerunningEnumerating any open services, such as unauthenticated FTP, SMB, orHTTPExploitinganyvulnerableservicesidentified
Compromisingclients
After enumerating and testing all wireless systems, there are various types ofengagementsthatwouldsuitperformingattacksagainstclients.
If necessary, after establishingwhich clients are vulnerable to Karma attacks,create a Honeypot to force them to connect with the methods laid out in theAttackingPEAPsectioninChapter8,AttackingWPA-EnterpriseandRADIUS.Therearevarioususefulpiecesofinformationthatcanbegatheredthroughthismethod, but ensure that the collected data serves a purpose and is stored,transmitted,andusedinanethicalandsafemanner.
ReportingFinally,attheendoftesting,itisnecessarytoreportyourfindingstotheclient.It'simportanttoensurethatthereportmatchesthequalityofyourtesting.Astheclientwillonlyseethereport,youhavetogiveitasmuchloveandattentionasyoudotoyourtesting.Thefollowingisaguidelinetothelayoutofthereport:
1. Managementsummary.2. Technicalsummary.3. Findings:
VulnerabilitydescriptionSeverityAffecteddevicesVulnerabilitytype—software/hardware/configurationRemediation
4. Appendices.
Themanagementsummaryshouldbeaimedat talking toaseniornontechnicalaudiencewith a focus on the effects andmitigations required at a high level.Avoidlanguagethatistootechnicalandensurethattherootcausesarecovered.
Thetechnicalsummaryshouldbeamidpointbetweenthemanagementsummaryand findings list. It should be aimed at a developer or a technical leadwith afocusonhowtofixtheissuesandbroadsolutionsthatcouldbeimplemented.
Thefindingslistshoulddescribeeachvulnerabilityatalowlevel,explainingthemethodstoidentify,andreplicate,andvulnerabilities.
Appendices should contain any extra information that would be too long todescribeinashortdescription.Thisiswhereanyscreenshots,proof-of-conceptcode,orstolendatashouldbepresented.
SummaryInthischapter,wediscussedamethodologyforperformingarangeofwirelesstestsandreferredtotherelevantchaptersforeachstep.Wealsolistedmethodsfor reporting vulnerabilities and techniques for making technical datapresentable. In the next and final chapter, we will cover new techniquesdevelopedsincetheinitialpublicationofthisbook,WPS,andprobemonitoringforsurveillance.
Chapter10.WPSandProbes
"Nothingisnewunderthesun." --PopularSaying
This chapter incorporates the new techniques related to attacking WPS andprobe monitoring and also covers the pineapple tool that makes much ofwireless testing a lot easier. These attacks and tools have appeared since thepublicationoftheoriginalbook,andwe'llbemakingsurewe'rebeingasholisticaspossible.
WPSattacksWirelessProtectedSetup (WPS)was introduced in2006 tohelpuserswithoutwireless knowledge to have secure networks. The idea was that their Wi-Fidevicewouldhaveasinglehiddenhardcodedvaluethatwouldallowaccesswithkeymemorization.NewdeviceswouldbeauthenticatedthroughabuttonpressontheWi-Firouter. Individualsoutsidethehousewithoutaccess to thedevicewould not be able to have access, thus reducing the issues surroundingrememberingWPAkeysorsettingshortones.
Inlate2011,asecurityvulnerabilitywasdisclosedenablingbruteforceattackson the WPS authentication system. The traffic required to negotiate a WPSexchangewasspoofable,andtheWPSpinitselfisonlyeightcharactersbetween0-9. To start with, this provides only 100,000,000 possibilities in comparisonwith an eight character azAZ09 password having 218,340,105,584,896combinations.
However,therearefurthervulnerabilities:
OftheeightcharactersoftheWPSpin,thelastcharacterisachecksumofthe previous seven and therefore predictable, leaving a maximum of10,000,000optionsIn addition, the first four and the following three of the remaining
characters are checked separately, which means that there are 104 + 103optionsor11,000
Throughthetwodecisionsmadeintheauthenticationmechanism,wehavegonefrom100,000,000possiblecombinationsto11,000.Thisequatestoasix-hoursdifference when brute-forcing the algorithm. It is these decisions that makeattacksagainstWPSviable.
Inthenextlabexercise,wewillgothroughidentifyingandattackingvulnerableWPSsetupswithWashandReaver.
Timeforaction–WPSattackFollowthegiveninstructionstogetstarted:
1. BeforeweattackaWPS-enabledaccesspoint,weneedtocreateone.TheTP-Linkweusehasthisfeatureturnedonbydefault,whichisworryingbuthandy.Todouble-checkthis,wecanlogontoourrouterandclickonWPS.Itshouldlooklikethefollowing:
2. Nowwe'veconfirmedthatit'sready.Weneedtosetupourtarget.Weneedto set upour testing environment.We'regoing touse theWash tool, andWash requiresamonitoring interface to function.Aswehavedonemanytimesbefore,weneedtosetuponewiththefollowingcommand:
airmon-ngstartwlan0
Theoutputwillbeasfollows:
3. Wehaveamonitoringinterfacesetupasmon0,andwecancallWashwiththefollowingcommand:
wash--ignore-fcs-imon0
The ignore fcs option is due to an issue with an expected format forrequeststhatwashcauses:
4. Wash will display all the nearby devices that support WPS as well aswhethertheyhaveWPSactiveorunlockedandwhatversionisrunning:
5. WecanseetheWirelessLabnetworksupportsWPS.ItusesVersion1andit'snot locked.Fantastic.Wetakenoteof theMACaddress,whichinmycase is E8:94:F6:62:1E:8E, as this will be used to target our next tool:reaver.
6. Reaverattemptstobrute-forcetheWPSpinforagivenMACaddress.Thesyntaxforstartingthisisasfollows:
reaver-imon0-b<mac>-vv
Theoutputwillbeasfollows:
7. Onceitisstarted,thetoolrunsthroughallthepossiblecombinationsfortheWPSandattemptstoauthenticate.Onceitdoesthis,itwillreturntheWPScodeandthepassword,asshowninthefollowingscreenshot:
8. With WPA-PSK in hand, we can authenticate normally now. I left mydevicewiththedefaultWPA-PSKthatmatchestheWPSpin.If,however,youwanttoauthenticatewiththeWPSpin,youcandothisbyspecifyingthepininreaverwiththefollowingcommand:
reaver-imon0-b<mac>-vv-p88404148
Replacemypinwithyourown.
Whatjusthappened?
WesuccessfullyidentifiedawirelessnetworkwithavulnerableinstanceofWPSactivewithWash.WethenusedReavertorecovertheWPAkeyandtheWPSpin. With this information, we could then authenticate with the network andcontinueanetworkpenetrationtest.
Haveagohero–ratelimiting
In thepreviousexercise,weattackedanentirelyunprotectedWPSinstallation.There are multiple methods that can be used to further secure installationswithoutremovingWPSaltogether.
Makeanattempt toset theWPSpintoanarbitraryvalueandtryagain, toseewhetherReaverisaseffectiveatcrackingit.
Acquireawirelessrouterthatallowsyoutorate-limittheWPSattempts.Tryandconfigureyourattacktoavoidtriggeringlockouts.
ProbesniffingWehavespokenaboutprobespreviously,andhowtheycanbeusedtoidentifyhiddennetworksandperformeffectiverogueaccesspointattacks.Theycanalsobe used to identify individuals as targets or track them on a mass scale withminimalequipment.
When a device wishes to connect to a network, it sends a probe request thatcontainsitsownMACaddressandthenameofthenetworkitwishestoconnectto.Wecanusetoolssuchasairodump-ngtotrackthese.However,ifwewishtoidentify whether an individual was present at a specific location at a specifictimeorlookfortrendsinWi-Fiusage,wewillneedtouseadifferentapproach.
Inthissection,wewillutilizetsharkandPythontocollectdata.Youwillreceivethecodeandanexplanationofwhatisbeingdone.
Timeforaction–collectingdataFollowthegiveninstructionstogetstarted:
1. First of all, we need a device that's looking for multiple networks.Generally,anormalsmartphonesuchasanAndroiddeviceoriPhonewilldo the trick. Desktops don't generallymake good targets as they tend toremain in one location. Newer iPhones and Android devices may haveproberequestsdisabledorobfuscated,sodocheckbeforeyougiveup.
2. Onceyouhaveyourdevice,makesuretheWi-Fiisturnedon.3. Thensetupyourmonitoringinterfaceaswehavedonemanytimesbefore:
4. Thenextthingtobedoneistolookforproberequestswithtsharkviathefollowingcommand:
tshark-n-imon0subtypeprobereq
Thescreenshotofthefollowingcommandisasfollows:
5. Youroutputatthispointisalittlerough,asthedefaultoutputfromtsharkis not designed to be readable, just to have asmuch information in it aspossible.Itshouldlooklikethefollowing:
6. You can clearly see the MAC address and SSID of the probe request;however,thisoutputcanbeimproved.Wecanusethefollowingcommandtomakeitmorereadable:
tshark –n –i mon0 subtype probereq –T fields –e
separator=-ewlan.sa–ewlan_mgt.ssid
Thescreenshotofthefollowingcommandisasfollows:
7. Theoutputhereismuchmorereadable:
8. So,nowwehavetheoutputinareadableformat,whatnext?WhatwedoiscreateaPythonscriptthatwillrunthecommandandrecordtheoutputforlater analysis. Before running the code, youwill need to ensure that youhaveyourmonitoringinterfacereadyandthatafilecalledresults.txtiscreatedinthedirectoryyouarein.ThePythonscriptisasfollows:
importsubprocess
importdatetime
results=open("results.txt","a")
while1:
blah = subprocess.check_output(["tshark –n –i mon0
subtypeprobereq–Tfields–eseparator=-ewlan.sa–e
wlan_mgt.ssid–c100"],shell=True)
splitblah=blah.split("\n")
forvalueinsplitblah[:-1]:
splitvalue=value.split("\t")
MAC=str(splitvalue[1])
SSID=str(splitvalue[2])
time=str(datetime.datetime.now())
Results.write(MAC+""+SSID+""+time+"\r\n")
Let'sgetbriefedonthepythonscript:
import subprocess library and datetime library: This allow us torefertothesubprocessanddatetimelibraries.ThesubprocesslibraryallowsustomonitortheinterfacefromtheLinuxcommandline,anddatetimeallowsustogettheaccuratetimeanddatereadings.while1:Thislinemeansrununtilstopped.results = open("results.txt", "a"): This opens a file with theappend rights and assigns it to results.The append rights only allowthe script to add to the contents of the file. This stops the file fromconstantlybeingoverwritten.blah=subprocess.check_output(["tshark–n–Imon0subtype
probereq –T fields –e separator= -e wlan.sa –e
wlan_mgt.ssid –c 100"], shell=True): This opens a shell toperformourpreviously testedtshark command.Theonlydifferencethistimeis—c100.Whatthisflagdoesisitlimitthecommandto100
queries.Thisallowsustoreturntheresultstoourselveswithouthavingtostoptheprogram.Sincewesaidrunforeverafterwritingtheresults,thescriptwillrestartagain.Thislinetakestheoutputfromtheshellandassignsittothevariableblah.splitblah = blah.split("\n"): This takes the variable blah andsplitsitbyline.forvalueinsplitblah[:-1]:Thisrepeatsthefollowingactionforeachlineintheoutput,ignoringthefirstlinethatcontainsheaders.splitvalue=value.split("\t"):Thisbreakseachlineintofurthersmallerchunksusingthetabcharacterasthedelimiter.The following three lines take each chunk of text and assign it to avariable.
MAC=str(splitvalue[1])
SSID=str(splitvalue[2])
time=str(datetime.datetime.now())
results.write(MAC+""+SSID+""+time+"\r\n"):This takesall thevalues, writes them to a file separated by spaces, and ends with areturnandanewlineforneatness.
Theoutputwillbeneatlinesoftextwrittentothefile.
Whatjusthappened?
WetooktheinputfromproberequestsandoutputthemtoafileusingPython.
You may ask yourself what the purpose of this is. This can be achieved bysimplyperformingtheoriginaltsharkcommandandaddinga>>results.txtcommandtotheend.Youwouldbecorrect;however,whatwehavecreatedisaframework for integration with other tools, visualization platforms, databases,andservices.
Forexample,usingtheWiGLEdatabasethatmapsSSIDstolocations,youcanadd a few lines of code to take the SSID variable and query the WiGLEdatabase.
Alternatively,youcouldsetupaMySQLdatabaseandoutputtheresultsthereto
performtheSQLcommandsonit.
This section has provided you with the first steps to create your own probe-monitoring tools. Through experimentation and using this simple code as thefirststep,amultitudeofusefultoolscanbecreated.
Haveagohero–extensionideas
ResearchwhichtoolsareavailablethatallowvisualizationordataanalyticsandareeasilyintegratedwithPython.ToolssuchasMaltegohavefreeversionsthatcanbeusedtoplotinformation.
Set yourself up a MySQL database to record the data and reconfigure theprecedingPythonscripttooutputtheresultstothedatabase.Then,buildanotherscript(ordoitinthesameone)toretrievethedataandoutputittoMaltego.
Reconfigure thescript toqueryWiGLE,andcollectgeolocationdataforproberequests.OutputthisdatathroughMaltego.
Makeanattempttosetupaweb-basedfrontendthroughFlask,Django,orPHPtodisplayyourresults.Investigatecurrentlyexistingsolutionsforpresentingthedataandattemptingtoemulateorimprovethemthroughadiscussionwiththeircreators.
SummaryInthischapter,wediscussedtheattacksagainstWPSthathavecomeaboutsincethe release of the original book and also performed an initial foray intointegratingwirelesstoolswithPython.Alas,wehavecometoendofthebook,Ihopeit'sbeeninformativeandinteresting.Seeyouinanothersevenyearsforthethirdedition.
Chapter1,WirelessLabSetup
Popquiz–understandingthebasics
Q1 Runthecommandifconfigwlan0.Intheoutput,youshouldseeaflag"UP",thisindicatesthatthecardisfunctional.
Q2 Youwillonlyneedaharddriveifyouwouldliketostoreanythingacrossrebootslikeconfigurationsettingsorscripts.
Q3 ItshowstheARPtableonthelocalmachine.
Q4 WewoulduseWPA_Supplicant.
Chapter8,AttackingWPA-EnterpriseandRADIUS
Popquiz–attackingWPA-EnterpriseandRADIUS
Q1 2
Q2 2
Q3 4
Q4 2
Index
A
accesspoint
settingup/Settinguptheaccesspointconfiguring/Timeforaction–configuringtheaccesspoint,Whatjusthappened?configuring, to useWEP /Have a go hero – configuring the accesspointtouseWEPandWPAconfiguring, to useWPA /Have a go hero – configuring the accesspointtouseWEPandWPAconnectingto/Connectingtotheaccesspointconnectingto,wirelesscardused/Timeforaction–configuringyourwirelesscard,Whatjusthappened?tables,filling/Haveagohero–fillinguptheaccesspoint'stables
accesspoints
defaultaccounts,crackingon/Defaultaccountsandcredentialsontheaccesspoint,Timeforaction–crackingdefaultaccountsontheaccesspoints,Whatjusthappened?
accounts
cracking, Brute-force attacks used / Have a go hero – crackingaccountsusingbrute-forceattacks
adapter
about/Timeforaction–experimentingwithyouradapter,Whatjusthappened?
aircrack-NGsuite
URL/Haveagohero–selectingdeauthentication
airodump-NGutility
URL/Whatjusthappened?
AP
settingup,FreeRADIUS-WPEused/Timeforaction–settinguptheAPwithFreeRADIUS-WPE,Whatjusthappened?
AP-lessWPA-Personalcracking
about/AP-lessWPA-Personalcracking
AP-lessWPAcracking
about/Timeforaction–AP-lessWPAcracking,Whatjusthappened?
applicationhijacking
challenge/Haveagohero–applicationhijackingchallenge
B
Brute-forceattacks
used,forcrackingaccounts/Haveagohero–crackingaccountsusingbrute-forceattacks
C
CaffeLatteattack
about/TheCaffeLatteattackconducting/Timeforaction–conductingaCaffeLatteattack,Whatjusthappened?
client
deauthenticating/Timeforaction–deauthenticatingtheclientsecurity configurations, finding / Finding security configurations ontheclientDe-Authenticationattack /Timeforaction–deauthenticationattacksontheclient
clients
baiting/Haveagohero–baitingclients
control
viewing / Time for action – viewingmanagement, control, and dataframes,Whatjusthappened?
controlframes
about/RevisitingWLANframes
Cowpatty
used, for crackingWPA-PSK / Have a go hero – tryingWPA-PSKcrackingwithCowpatty
D
data
collecting/Timeforaction–collectingdata
dataframes
about/RevisitingWLANframesviewing / Time for action – viewingmanagement, control, and dataframes,Whatjusthappened?
datapackets
sniffing,fornetwork/Timeforaction–sniffingdatapacketsforournetworkanalyzing/Haveagohero–analyzingdatapacketsinjecting/Timeforaction–packetinjection
De-Authenticationattack
onclient/Timeforaction–deauthenticationattacksontheclient
deauthenticationattack
about/Deauthenticationanddisassociationattacks
defaultaccounts
cracking, on access points / Default accounts and credentials on theaccesspoint,Timeforaction–crackingdefaultaccountsontheaccesspoints
Denial of Service (DoS) attack / Have a go hero – filling up the accesspoint'stablesDenialofService(DoS)attacks
about/DenialofserviceattacksDe-Authentication attack / Time for action – deauthentication DoSattacks,Whatjusthappened?Dis-Associationattack/Haveagohero–disassociationattacks
disassociationattack
about/Deauthenticationanddisassociationattacksonclient/Haveagohero–disassociationattackontheclient
discoveryphase,wirelesspenetrationtesting/Discovery
E
EAP-TTLS
about/EAP-TTLS
EAPoLKey/Timeforaction–crackingWPA-PSKweakpassphrasesEnterprises
security,bestpractices/SecuritybestpracticesforEnterprises
Ettercap/Haveagohero–applicationhijackingchallengeeviltwin
about/EviltwinandaccesspointMACspoofingand channel hopping / Have a go hero – evil twins and channelhopping
eviltwin,withMACspoofing
about/Timeforaction–eviltwinsandMACspoofing
F
filters
playingwith/Haveagohero–playingwithfilters
FreeRADIUS-WPE
settingup/SettingupFreeRADIUS-WPEURL/SettingupFreeRADIUS-WPEused, for setting up AP / Time for action – setting up the AP withFreeRADIUS-WPE,Whatjusthappened?RADIUS,playingwith/Haveagohero–playingwithRADIUS
H
hacker
tasks/HoneypotandMis-Associationattacks
Hirteattack
URL/TheHirteattackWEP,crackingwith/Timeforaction–crackingWEPwiththeHirteattack,Whatjusthappened?
Honeypotattacks
about / Honeypot and Mis-Association attacks, Have a go hero –forcingaclienttoconnecttotheHoneypot
Hydra/Haveagohero–crackingaccountsusingbrute-forceattacks
K
Kali
URL/Softwarerequirementsinstalling/InstallingKali,Timeforaction–installingKali,Whatjusthappened?installing, on Virtual Box / Have a go hero – installing Kali onVirtualBox,Haveagohero–installingKalionVirtualBox
M
MACfilters
about/MACfiltersinstructions / Time for action – beating MAC filters, What justhappened?
man-in-the-middleattack
about / A man-in-the-middle attack, Time for action – man-in-the-
middleattack,Whatjusthappened?over pure wireless / Have a go hero –man-in-the-middle over purewirelessused, for Wireless Eavesdropping / Wireless Eavesdropping usingMITM, Time for action – Wireless Eavesdropping, What justhappened?
management
viewing / Time for action – viewingmanagement, control, and dataframes
managementframes
about/RevisitingWLANframes
MessageIntegrityCheck(MIC)/WPA/WPA2Mis-Associationattack
orchestrating / Time for action – orchestrating a Mis-Associationattack,Whatjusthappened?
monitormodeinterface
creating /Timeforaction–creatingamonitormode interface,Whatjusthappened?multiplemonitormodeinterfaces,reating/Haveagohero–creatingmultiplemonitormodeinterfaces
MSCHAP-v2/Whatjusthappened?
O
OpenAuthentication
about/OpenAuthenticationbypassing/Timeforaction–bypassingOpenAuthentication
P
PairwiseMasterKey(PMK)/SpeedingupWPA/WPA2PSKcrackingPairwiseTransientKey(PTK)/WPA/WPA2Password-BasedKeyDerivationFunction(PBKDF2)/WPA/WPA2PEAP
attacking/AttackingPEAPversions/AttackingPEAPcracking/Timeforaction–crackingPEAP,Whatjusthappened?attack,variations/Haveagohero–attackvariationsonPEAPEAP-TTLS/EAP-TTLS
planningphase,wirelesspenetrationtesting/PlanningPre-Sharedkey(PSK)/WPA/WPA2PreferredNetworkList(PNL)
about/HoneypotandMis-Associationattacks
probe
sniffing/Probesniffingdata, collecting / Time for action – collecting data, What justhappened?rate,limiting/Haveagohero–extensionideas
promiscousmode/RevisitingWLANframes
R
RadioFrequency(RF)/Whatjusthappened?RADIUS
receiving/Popquiz–attackingWPA-EnterpriseandRADIUS
regulatorydomains
role/Theroleofregulatorydomainsinwirelessadapter, experimenting with / Time for action – experimenting withyouradapterexploring/Haveagohero–exploringregulatorydomains
reportingphase,wirelesspenetrationtesting/Reportingrogueaccesspoint
about/ArogueaccesspointWEP, cracking / Time for action – cracking WEP, What justhappened?challenge/Haveagohero–rogueaccesspointchallenge
S
sessionhijacking
over wireless / Session hijacking over wireless, Time for action –sessionhijackingoverwireless,Whatjusthappened?
SharedKeyAuthentication
about/SharedKeyAuthenticationbypassing/Timeforaction–bypassingSharedAuthentication
SSIDs
hidden SSIDs, uncovering / Hidden SSIDs, Time for action –uncoveringhiddenSSIDs,Whatjusthappened?deauthentication, selecting / Have a go hero – selectingdeauthentication
V
VirtualBox
Kali,installingon/Haveagohero–installingKalionVirtualBox
W
WEP
protocol/WEPencryptioncracking / Time for action – cracking WEP, What just happened?,Timeforaction–crackingWEP,Whatjusthappened?cracking,withHirteattack/Timeforaction–crackingWEPwiththeHirteattack,Whatjusthappened?
WEPconfiguration
connection / Have a go hero – establishing a connection in aWEPconfiguration
WEPnetwork
connecting to / Connecting to WEP and WPA networks, Time foraction–connectingtoaWEPnetwork
WEPpackets
decrypting / DecryptingWEP andWPA packets, Time for action –decryptingWEPandWPApackets,Whatjusthappened?
Wi-FiProtectionAccessv2(WPAv2)/WLANencryptionWiFishing/Whatjusthappened?wirelesscard
settingup/Settingupthewirelesscardconfiguring/Timeforaction–configuringyourwirelesscardused,foraccesspointconnection/Timeforaction–configuringyourwirelesscard,Whatjusthappened?
WirelessEavesdropping
MITMused/WirelessEavesdroppingusingMITM,Timeforaction–WirelessEavesdropping,Whatjusthappened?
wirelesslab
hardware,requisites/Hardwarerequirementssoftware,requisites/Softwarerequirements
wirelesspackets
sniffing/Timeforaction–sniffingwirelesspackets
wirelesspenetrationtesting
about/Wirelesspenetrationtestingplanningphase/Planningdiscoveryphase/Discoveryattackingphase/Attack,Attackinginfrastructurereportingphase/Reporting
wirelesspenetrationtesting,attackingphase
encryption,cracking/Crackingtheencryptioninfrastructure,cracking/Attackinginfrastructureclients,compromising/Compromisingclients
Wiresharktraces
about/Haveagohero–findingdifferentdevices
WLAN
authentication/Popquiz–WLANauthenticationencryption,flaws/Popquiz–WLANencryptionflaws
WLANaccesspoints
about/Defaultaccountsandcredentialsontheaccesspoint
WLANattacks/Popquiz–advancedWLANattacks
WLANencryption
about/WLANencryption
WLANframes
about/RevisitingWLANframesmanagementframes/RevisitingWLANframescontrolframes/RevisitingWLANframesdataframes/RevisitingWLANframes
WLANPacketSniffing
andInjection/Popquiz–WLANpacketsniffingandinjection
WLANSniffing
about/ImportantnoteonWLANsniffingandinjection
WPA
about/WPA/WPA2
WPA-Enterprise
receiving/Popquiz–attackingWPA-EnterpriseandRADIUS
WPA-PSK
weak passphrase, cracking / Time for action – cracking WPA-PSKweakpassphrasescracking,Cowpattyused/Haveagohero–tryingWPA-PSKcrackingwithCowpatty
WPA/WPA2PSK
cracking,speedingup/SpeedingupWPA/WPA2PSKcracking,Timeforaction–speedingupthecrackingprocess
WPA2
about/WPA/WPA2
WPAnetwork
connecting to / Connecting to WEP and WPA networks, Time foraction–connectingtoaWPAnetwork,Whatjusthappened?
WPApackets
decrypting / DecryptingWEP andWPA packets, Time for action –decryptingWEPandWPApackets,Whatjusthappened?
WPS
attacks/WPSattacks,Timeforaction–WPSattackrate,limiting/Haveagohero–ratelimiting
TableofContentsKaliLinuxWirelessPenetrationTestingBeginner'sGuide
TableofContentsKaliLinuxWirelessPenetrationTestingBeginner'sGuideCreditsAbouttheAuthorsAbouttheReviewerwww.PacktPub.com
Supportfiles,eBooks,discountoffers,andmoreWhysubscribe?FreeaccessforPacktaccountholders
DisclaimerPreface
WhatthisbookcoversWhatyouneedforthisbookWhothisbookisforConventionsReaderfeedbackCustomersupport
ErrataPiracyQuestions
1.WirelessLabSetupHardwarerequirementsSoftwarerequirementsInstallingKaliTimeforaction–installingKali
Whatjusthappened?Haveagohero–installingKalionVirtualBox
SettinguptheaccesspointTimeforaction–configuringtheaccesspoint
Whatjusthappened?Have a go hero – configuring the access point to useWEPandWPA
Settingupthewirelesscard
Timeforaction–configuringyourwirelesscardWhatjusthappened?
ConnectingtotheaccesspointTimeforaction–configuringyourwirelesscard
Whatjusthappened?Have agohero– establishing a connection in aWEPconfigurationPopquiz–understandingthebasics
Summary2.WLANanditsInherentInsecurities
RevisitingWLANframesTimeforaction–creatingamonitormodeinterface
Whatjusthappened?Have a go hero – creating multiple monitor modeinterfaces
Timeforaction–sniffingwirelesspacketsWhatjusthappened?Haveagohero–findingdifferentdevices
Timeforaction–viewingmanagement,control,anddataframesWhatjusthappened?Haveagohero–playingwithfilters
Timeforaction–sniffingdatapacketsforournetworkWhatjusthappened?Haveagohero–analyzingdatapackets
Timeforaction–packetinjectionWhatjusthappened?Haveagohero–installingKalionVirtualBox
ImportantnoteonWLANsniffingandinjectionTimeforaction–experimentingwithyouradapter
Whatjusthappened?Haveagohero–sniffingmultiplechannels
TheroleofregulatorydomainsinwirelessTimeforaction–experimentingwithyouradapter
Whatjusthappened?Haveagohero–exploringregulatorydomainsPopquiz–WLANpacketsniffingandinjection
Summary
3.BypassingWLANAuthenticationHiddenSSIDsTimeforaction–uncoveringhiddenSSIDs
Whatjusthappened?Haveagohero–selectingdeauthentication
MACfiltersTimeforaction–beatingMACfilters
Whatjusthappened?OpenAuthenticationTimeforaction–bypassingOpenAuthentication
Whatjusthappened?SharedKeyAuthenticationTimeforaction–bypassingSharedAuthentication
Whatjusthappened?Haveagohero–fillinguptheaccesspoint'stablesPopquiz–WLANauthentication
Summary4.WLANEncryptionFlaws
WLANencryptionWEPencryptionTimeforaction–crackingWEP
Whatjusthappened?Have a go hero – fake authentication with WEPcracking
WPA/WPA2Timeforaction–crackingWPA-PSKweakpassphrases
Whatjusthappened?Have a go hero – trying WPA-PSK cracking withCowpatty
SpeedingupWPA/WPA2PSKcrackingTimeforaction–speedingupthecrackingprocess
Whatjusthappened?DecryptingWEPandWPApacketsTimeforaction–decryptingWEPandWPApackets
Whatjusthappened?ConnectingtoWEPandWPAnetworksTimeforaction–connectingtoaWEPnetwork
Whatjusthappened?Timeforaction–connectingtoaWPAnetwork
Whatjusthappened?Popquiz–WLANencryptionflaws
Summary5.AttacksontheWLANInfrastructure
DefaultaccountsandcredentialsontheaccesspointTimeforaction–crackingdefaultaccountsontheaccesspoints
Whatjusthappened?Have a go hero – cracking accounts using brute-forceattacks
DenialofserviceattacksTimeforaction–deauthenticationDoSattacks
Whatjusthappened?Haveagohero–disassociationattacks
EviltwinandaccesspointMACspoofingTimeforaction–eviltwinsandMACspoofing
Whatjusthappened?Haveagohero–eviltwinsandchannelhopping
ArogueaccesspointTimeforaction–crackingWEP
Whatjusthappened?Haveagohero–rogueaccesspointchallengePopquiz–attacksontheWLANinfrastructure
Summary6.AttackingtheClient
HoneypotandMis-AssociationattacksTimeforaction–orchestratingaMis-Associationattack
Whatjusthappened?Have a go hero – forcing a client to connect to theHoneypot
TheCaffeLatteattackTimeforaction–conductingaCaffeLatteattack
Whatjusthappened?Haveagohero–practisemakesperfect!
DeauthenticationanddisassociationattacksTimeforaction–deauthenticatingtheclient
Whatjusthappened?Haveagohero–disassociationattackontheclient
TheHirteattackTimeforaction–crackingWEPwiththeHirteattack
Whatjusthappened?Haveagohero–practise,practise,practise
AP-lessWPA-PersonalcrackingTimeforaction–AP-lessWPAcracking
Whatjusthappened?Haveagohero–AP-lessWPAcrackingPopquiz–attackingtheclient
Summary7.AdvancedWLANAttacks
Aman-in-the-middleattackTimeforaction–man-in-the-middleattack
Whatjusthappened?Haveagohero–man-in-the-middleoverpurewireless
WirelessEavesdroppingusingMITMTimeforaction–WirelessEavesdropping
Whatjusthappened?Haveagohero–findingGooglesearches
SessionhijackingoverwirelessTimeforaction–sessionhijackingoverwireless
Whatjusthappened?Haveagohero–applicationhijackingchallenge
FindingsecurityconfigurationsontheclientTimeforaction–deauthenticationattacksontheclient
Whatjusthappened?Haveagohero–baitingclientsPopquiz–advancedWLANattacks
Summary8.AttackingWPA-EnterpriseandRADIUS
SettingupFreeRADIUS-WPETimeforaction–settinguptheAPwithFreeRADIUS-WPE
Whatjusthappened?Haveagohero–playingwithRADIUS
AttackingPEAP
Timeforaction–crackingPEAPWhatjusthappened?Haveagohero–attackvariationsonPEAP
EAP-TTLSSecuritybestpracticesforEnterprises
Popquiz–attackingWPA-EnterpriseandRADIUSSummary
9.WLANPenetrationTestingMethodologyWirelesspenetrationtestingPlanningDiscoveryAttack
CrackingtheencryptionAttackinginfrastructureCompromisingclients
ReportingSummary
10.WPSandProbesWPSattacksTimeforaction–WPSattack
Whatjusthappened?Haveagohero–ratelimiting
ProbesniffingTimeforaction–collectingdata
Whatjusthappened?Haveagohero–extensionideas
SummaryA.PopQuizAnswers
Chapter1,WirelessLabSetupPopquiz–understandingthebasics
Chapter2,WLANanditsInherentInsecuritiesPopquiz–understandingthebasics
Chapter3,BypassingWLANAuthenticationPopquiz–WLANauthentication
Chapter4,WLANEncryptionFlawsPopquiz–WLANencryptionflaws
Chapter5,AttacksontheWLANInfrastructure