CEH Lab Manual Hacking Wireless Networks Module 15


Module 15 - Hacking Wireless Networks

Hacking Wireless Networks

Wi-Fi is developed on IEEE 802.11 standards and is widely used in wireless communication. It provides wireless access to applications and data across a radio network.

Lab Scenario

Wireless network technology is becoming increasingly popular but, at the same time, it has many security issues. A wireless local area network (WLAN) allows workers to access digital resources without being tethered to their desks. However, the convenience of WLANs also introduces security concerns that do not exist in a wired world. Connecting to a network no longer requires an Ethernet cable. Instead, data packets are airborne and available to anyone with the ability to intercept and decode them. Several reports have explained weaknesses in the Wired Equivalent Privacy (WEP) algorithm used by the 802.11x standard to encrypt wireless data.

To be an expert ethical hacker and penetration tester, you must have sound knowledge of wireless concepts, wireless encryption, and their related threats. As a security administrator of your company, you must protect the wireless network from hacking.

Lab Objectives

The objective of this lab is to protect the wireless network from attackers.

In this lab, you will learn how to:

■ Crack WEP using various tools

■ Capture network traffic

■ Analyze and detect wireless traffic

Lab Environment

In the lab you will need a web browser with an Internet connection.

■ This lab requires an AirPcap adapter installed on your machine for all labs

Lab Duration

Time: 30 Minutes

Overview of Wireless Network

A wireless network refers to any type of computer network that is wireless and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves such as radio waves for the carrier. The implementation usually takes place at the physical level or layer of the network.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in Wireless Networks:

■ WiFi Packet Sniffing Using AirPcap with Wireshark

■ Cracking a WEP Network with Aircrack-ng for Windows

■ Sniffing the Network Using the OmniPeek Network Analyzer

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

TASK 1: Overview

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

WiFi Packet Sniffing Using AirPcap with Wireshark

The AirPcap adapter is a USB device that, when used in tandem with the AirPcap drivers and WinPcap libraries, allows a pen tester to monitor 802.11b/g traffic in monitor mode.

Lab Scenario

Wireless networks can be open to active and also passive attacks. These types of attacks include DoS, MITM, spoofing, jamming, war driving, network hijacking, packet sniffing, and many more. Passive attacks that take place on wireless networks are common and are difficult to detect since the attacker usually just collects information. Active attacks happen when a hacker has gathered information about the network after a successful passive attack. Sniffing is the act of monitoring the network traffic using legitimate network analysis tools. Hackers can use monitoring tools, including AiroPeek, Ethereal, TCPDump, or Wireshark, to monitor the wireless networks. These tools allow hackers to find an unprotected network that they can hack. Your wireless network can be protected against this type of attack by using strong encryption and authentication methods.

In this lab we discuss the Wireshark tool, which can sniff the network using a wireless adapter. Since you are the ethical hacker and penetration tester of an organization, you need to check the wireless security, exploit the flaws in WEP, and evaluate weaknesses present in WEP for your organization.

Lab Objectives

The objective of this lab is to help students learn and understand how to:

■ Discover WEP packets


Lab Environment

To execute the lab, you need:

■ Install AirPcap adapter drivers; to install, navigate to D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools, and double-click setup_airpcap_4_1_1.exe to install

■ When you are installing the AirPcap adapter drivers, if any installation error occurs, install the AirPcap adapter drivers in compatibility mode (right-click the AirPcap adapter driver exe file, select Properties -> Compatibility, in compatibility mode, and select Windows 7)

■ Wireshark located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\wireshark-win64-1.4.4.exe

■ Run this lab in Windows Server 2012 (host machine)

■ An access point configured with WEP on the host machine

■ This lab requires the AirPcap adapter installed on your machine. If you don't have this adapter, please do not proceed with this lab

■ A standard AirPcap adapter with its drivers installed on your host machine

■ WinPcap libraries, Wireshark, and Cain & Abel installed on your host machine

■ Administrative privileges to run AirPcap and other tools

Lab Duration

Time: 15 Minutes

Overview of WEP (Wired Equivalent Privacy)

Several serious weaknesses in the protocol have been identified by cryptanalysts with the result that, today, a WEP connection can be easily cracked. Once entered onto a network, a skilled hacker can modify software, network settings, and other security settings.

Wired Equivalent Privacy (WEP) is a deprecated security algorithm for IEEE 802.11 wireless networks.
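
For the defensive side of this overview, the following added example (not part of the lab manual) finds access points in a capture that still advertise WEP, by reading each beacon's Capability Information Privacy bit and checking for WPA/RSN elements. It assumes raw 802.11 frames without a radio header (the "802.11 Only" capture type); the function names and sample frames are constructed for illustration.

```python
import struct

PRIVACY_BIT = 0x0010                      # Capability Information bit 4 ("Privacy")
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221   # tagged-parameter element IDs
WPA_OUI_TYPE = bytes.fromhex("0050f201")  # vendor element that carries the WPA IE


def parse_beacon(frame, has_fcs=False):
    """Classify one raw 802.11 frame (no radio header).

    Returns (bssid, ssid, security) for beacons and probe responses, or None
    for any other frame. Set has_fcs=True when the capture was taken with
    "Include 802.11 FCS in Frames" checked, so the 4-byte FCS is dropped.
    """
    if has_fcs:
        frame = frame[:-4]
    if len(frame) < 36:                   # 24-byte header + 12 fixed bytes
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, fc >> 4
    if version != 0 or ftype != 0 or subtype not in (5, 8):
        return None                       # not a probe response (5) or beacon (8)

    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # address 3
    capability = struct.unpack_from("<H", frame, 34)[0]

    ssid, has_rsn, has_wpa = "", False, False
    pos = 36                              # first tagged parameter
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + ie_len]
        if len(body) < ie_len:
            break                         # truncated element: stop parsing
        if ie_id == IE_SSID:
            ssid = body.decode("utf-8", "replace")
        elif ie_id == IE_RSN:
            has_rsn = True
        elif ie_id == IE_VENDOR and body[:4] == WPA_OUI_TYPE:
            has_wpa = True
        pos += 2 + ie_len

    if not capability & PRIVACY_BIT:
        security = "OPEN"
    elif has_rsn:
        security = "RSN"                  # WPA2 or later
    elif has_wpa:
        security = "WPA"
    else:
        security = "WEP"                  # privacy set, no WPA/RSN element
    return bssid, ssid, security


def find_wep_aps(frames, has_fcs=False):
    """Return sorted, de-duplicated (bssid, ssid) pairs that advertise WEP."""
    found = set()
    for frame in frames:
        parsed = parse_beacon(frame, has_fcs)
        if parsed and parsed[2] == "WEP":
            found.add(parsed[:2])
    return sorted(found)


# --- constructed sample frames (not taken from the lab capture) -------------
def build_beacon(bssid_hex, ssid, capability, extra_ies=b""):
    bssid = bytes.fromhex(bssid_hex)
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, capability)
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    return header + fixed + ssid_ie + extra_ies


RSN_IE = bytes([IE_RSN, 20]) + bytes.fromhex(
    "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
WPA_IE = bytes([IE_VENDOR, 22]) + bytes.fromhex(
    "0050f201" "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")

SAMPLE_FRAMES = [
    build_beacon("020000000001", "lab-wep", 0x0411),
    build_beacon("020000000001", "lab-wep", 0x0411),          # repeated beacon
    build_beacon("020000000002", "lab-wpa2", 0x0411, RSN_IE),
    build_beacon("020000000003", "lab-wpa", 0x0411, WPA_IE),
    build_beacon("020000000004", "lab-open", 0x0401),
    b"\x08\x02" + b"\x00" * 40,                                # data frame
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_beacon(f))
    print("WEP access points:", find_wep_aps(SAMPLE_FRAMES))
```

Any access point this reports should be moved to WPA2 or later, since the privacy bit without a WPA or RSN element means WEP is the only protection on offer.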

Lab Tasks

Download AirPcap drivers from the site and follow the wizard-driven installation steps to install AirPcap drivers.

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 1.1: Windows Server 2012—Desktop view

2. Click the AirPcap Control Panel app to open the AirPcap Control Panel window.

FIGURE 1.2: Windows Server 2012—Apps

3. The AirPcap Control Panel window appears.

Configure AirPcap

You can download AirPcap drivers from http://www.airdemon.net/riverbed.html

The AirPcap adapters can work in monitor mode. In this mode, the AirPcap adapter captures all of the frames that are transferred on a channel, not just frames that are addressed to it.

[Screenshot: AirPcap Control Panel, Settings tab, showing the interface AirPcap USB wireless capture adapter nr. 00 (Model: AirPcap Nx, Transmit: yes, Media: 802.11 a/b/g/n) and the Basic Configuration options Channel, Extension Channel, Capture Type, and FCS Filter]

FIGURE 1.3: AirPcap Control Panel window

4. On the Settings tab, click the Interface drop-down list and select AirPcap USB wireless capture adapter.

5. In the Basic Configuration section, select a suitable Channel, Capture Type, and FCS Filter and check the Include 802.11 FCS in Frames check box.

[Screenshot: AirPcap Control Panel, Settings tab, with Channel 2412 MHz [BG 1], Extension Channel 0, Capture Type 802.11 Only, FCS Filter All Frames, and Include 802.11 FCS in Frames checked]

FIGURE 1.4: AirPcap Control Panel window

6. Now, click the Keys tab. Check the Enable WEP Decryption check box. This enables the WEP decryption algorithm. You can Add New Key, Remove Key, Edit Key, and Move Key Up and Down.

The Multi-Channel Aggregator can be configured like any real AirPcap device, and therefore can have its own decryption, FCS checking and packet filtering settings.

In Basic Configuration box settings: Channel: The channels available in the Channel list box depend upon the selected adapter. Since channel numbers 14 in the 2.4GHz and 5GHz bands overlap and there are center frequencies (channels) that do not have channel numbers, each available channel is given by its center frequency.

7. After configuring settings and keys, click OK.

[Screenshot: AirPcap Control Panel, Keys tab, with Enable WEP Decryption checked and the Add New Key, Remove Key, Edit Key, Move Key Up, and Move Key Down buttons]

FIGURE 1.5: AirPcap Control Panel window

8. Launch Wireshark Network Analyzer. The Wireshark main window appears.

[Screenshot: Wireshark 1.8.2 main window with the Interface List showing AirPcap USB wireless capture adapter nr. 00]

FIGURE 1.6: Wireshark Network Analyzer main window

In Basic Configuration Settings: Extension Channel: For 802.11n adapters, one can use the Extension Channel list to create a "wide" channel. The choices are -1 (the preceding 20MHz frequency band), 0 (no extension channel), or +1 (the succeeding 20MHz frequency band). The channel of the additional frequency band is called the extension channel.

TASK 2: Capturing the packets

You can download Wireshark from http://www.wireshark.org.

9. Configure AirPcap as an interface to Wireshark. Select Capture -> Interfaces... (Ctrl+I). You can also click the icon on the toolbar.

[Screenshot: Wireshark main window with the Capture menu open, showing Interfaces... and Options...]

FIGURE 1.7: Wireshark Network Analyzer with interface option

10. The Wireshark: Capture Interfaces window appears. By default, the AirPcap adapter is not in running mode. Select the AirPcap USB wireless capture adapter nr. 00 check box. Click Start.

The following are some of the many features Wireshark provides, available for UNIX and Windows:

■ Capture live packet data from a network interface.

■ Display packets with very detailed protocol information.

■ Open and Save packet data captured.

■ Import and Export packet data from and to a lot of other capture programs.

■ Filter packets on many criteria.

■ Search for packets on many criteria.

■ Colorize packet display based on filters.

■ Create various statistics.

[Screenshot: Wireshark: Capture Interfaces dialog listing the AirPcap USB wireless capture adapter nr. 00, Microsoft Corporation, and Realtek PCIe GBE Family Controller interfaces with their packet counts]

FIGURE 1.8: Wireshark Capture Interface

11. Automatically, the Capturing from AirPcap USB wireless capture adapter nr. 00 - Wireshark window appears, and it starts capturing packets from the AirPcap adapter.

Note: Wireshark isn't an intrusion detection system. It does not warn you when someone does things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.

[Screenshot: Wireshark live capture on the AirPcap adapter; the packet list shows mostly 802.11 Beacon frames sent to Broadcast]

FIGURE 1.9: Wireshark Network Analyzer window with packets captured

Wireshark can capture traffic from many different network media types, including, despite its name, wireless LAN as well. Which media types are supported depends on many things, such as the operating system you are using.

12. Wait while Wireshark captures packets from AirPcap. If the Filter Toolbar option is not visible on the toolbar, select View -> Filter Toolbar. The Filter Toolbar appears.

Note: Wireshark doesn't benefit much from multiprocessor/Hyperthread systems, as time-consuming tasks, like filtering packets, are single threaded. No rule is without exception: during an "update list of packets in real time" capture, capturing traffic runs in one process and dissecting and displaying packets runs in another process, which should benefit from two processors.

[Screenshot: Wireshark capture window with the View menu open and Filter Toolbar selected]

FIGURE 1.10: Wireshark Network Analyzer window with interface option

Wireshark can open packets captured from a large number of other capture programs.

13. Now select View -> Wireless Toolbar. The wireless toolbar appears in the window.

[Screenshot: Wireshark capture window with the View menu open and Wireless Toolbar selected]

FIGURE 1.11: Wireshark Network Analyzer window with wireless toolbar option

Wireshark is a network packet analyzer that captures network packets and tries to display that packet data in as much detail as possible.

14. You will see the source and destination of the packet captured by Wireshark.

[Screenshot: Wireshark capture with the wireless toolbar visible; the packet list shows the Time, Source, Destination, Protocol, Length, and Info columns for 802.11 Beacon frames]

FIGURE 1.12: Wireshark Network Analyzer window with 802.11 channel captured packets

One possible alternative is to run tcpdump, or the dumpcap utility that comes with Wireshark, with superuser privileges to capture packets into a file, and later analyze these packets by running Wireshark with restricted privileges on the packet capture dump file.

15. After enough packet captures, stop Wireshark.

[Screenshot: Wireshark with the capture stopped; the wireless toolbar shows 802.11 Channel 2412 [BG1] and FCS Filter All Frames]

FIGURE 1.13: Stop Wireshark packet capture

16. Go to File from menu bar, and select Save

[Screenshot: Wireshark File menu open over the captured IEEE 802.11 frames; the status bar reports 7649 packets.]

The latest version is faster and contains a lot of new features, like APR (ARP Poison Routing), which enables sniffing on switched LANs and man-in-the-middle attacks.

FIGURE 1.14: Save the captured packets

17. Enter the File name, and click Save.


[Screenshot: "Wireshark: Save file as" dialog, saving into the AirPcap -Enabled Open Source tools folder with the file name "Packet capture"; the packet range covers all 7649 captured packets.]

FIGURE 1.15: Save the Captured packet file

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Wireshark

Information Collected/Objectives Achieved:

Used Adapter: AirPcap USB wireless capture adapter nr.00

Result: Number of sniffed packets captured by Wireshark in network, which include: Packet Number, Time, Source, Destination, Protocol, and Info
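The Protocol and Info columns recorded above come from the 802.11 Frame Control field. The following added example (not part of the lab manual or of Wireshark) decodes that field and flags data frames still protected with WEP, which is the check a defender would run over a capture of their own network. The ACK bytes are transcribed from the lab's capture window and the access point address is the NETGEAR BSSID from the lab; all other frames, the station address, and the function names are constructed for illustration, and frames are assumed to start at the MAC header (no radiotap header).

```python
"""Decode IEEE 802.11 MAC headers and flag WEP-protected data frames."""

TYPES = {0: "Management", 1: "Control", 2: "Data"}
SUBTYPES = {
    (0, 8): "Beacon",
    (1, 13): "Acknowledgement",
    (2, 0): "Data",
    (2, 4): "Null function (no data)",
    (2, 8): "QoS Data",
}
# Bits of the second Frame Control byte, least significant bit first.
FLAG_NAMES = ("ToDS", "FromDS", "MoreFrag", "Retry",
              "PwrMgt", "MoreData", "Protected", "Order")


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211(frame: bytes) -> dict:
    """Parse the MAC header of one frame and classify its protection."""
    if len(frame) < 10:
        raise ValueError("too short for an 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    flags = [name for bit, name in enumerate(FLAG_NAMES) if fc1 & (1 << bit)]
    info = {
        "version": fc0 & 0x3,
        "type": TYPES.get(ftype, "Reserved"),
        "subtype": SUBTYPES.get((ftype, subtype), f"subtype {subtype}"),
        "type_subtype": (ftype << 4) | subtype,  # the value Wireshark displays
        "flags": flags,
        "receiver": mac(frame[4:10]),
        "transmitter": None,
        "cipher": None,
        "wep_iv": None,
        "key_index": None,
    }
    if ftype == 1 or len(frame) < 24:
        return info  # control frame or truncated frame: nothing more to read
    info["transmitter"] = mac(frame[10:16])
    if ftype != 2 or "Protected" not in flags:
        return info
    header_len = 24
    if "ToDS" in flags and "FromDS" in flags:
        header_len += 6  # Address 4 is present
    if subtype & 0x8:
        header_len += 2  # QoS Control (an HT Control field is not handled)
    if len(frame) < header_len + 4:
        return info
    key_byte = frame[header_len + 3]
    if key_byte & 0x20:  # ExtIV bit set: 8-byte TKIP/CCMP header follows
        info["cipher"] = "TKIP/CCMP"
    else:                # plain 3-byte IV plus key index byte: WEP
        info["cipher"] = "WEP"
        info["wep_iv"] = frame[header_len:header_len + 3].hex()
    info["key_index"] = key_byte >> 6
    return info


def wep_frame_indexes(frames) -> list:
    """Indexes of the frames that are WEP-protected data frames."""
    return [i for i, f in enumerate(frames) if parse_80211(f)["cipher"] == "WEP"]


# ACK frame as shown in the lab's capture window (14 bytes including FCS).
ACK = bytes.fromhex("d40000002cb05d80ab3e6a3e1981")
AP = bytes.fromhex("00095bae24cc")   # NETGEAR BSSID from the lab listing
STA = bytes.fromhex("020000000001")  # constructed station address
# Constructed frames: beacon, WEP data frame, CCMP QoS data frame.
BEACON = bytes.fromhex("80000000") + b"\xff" * 6 + AP + AP + bytes(2) + bytes(12)
WEP_DATA = (bytes.fromhex("08410000") + AP + STA + AP + bytes.fromhex("1000")
            + bytes.fromhex("a1b2c300") + bytes(8))
CCMP_QOS = (bytes.fromhex("88410000") + AP + STA + AP + bytes.fromhex("2000")
            + bytes.fromhex("0000") + bytes.fromhex("0100002000000000") + bytes(8))
SAMPLE = [ACK, BEACON, WEP_DATA, CCMP_QOS]

if __name__ == "__main__":
    for n, raw in enumerate(SAMPLE):
        p = parse_80211(raw)
        print(n, hex(p["type_subtype"]), p["subtype"], p["flags"], p["cipher"])
    print("WEP-protected frames:", wep_frame_indexes(SAMPLE))
```

Any index returned by `wep_frame_indexes` identifies traffic that should be moved off WEP.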


Questions

1. Evaluate and determine the number of wireless cards supported by the wireless scanner.

2. Analyze and evaluate how AirPcap adapters operate.

0 No

Internet Connection Required

0 Yes

Platform Supported

□ iLabs 0 Classroom


Lab

Cracking a WEP Network with Aircrack-ng for Windows

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that recovers keys once enough data packets have been captured. It implements the standard FMS attack along with some optimisations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.

Lab Scenario

Network administrators can take steps to help protect their wireless network from outside threats and attacks. Most hackers will post details of any loops or exploits online, and if they find a security hole, they will come in droves to test your wireless network with it. WEP is used for wireless networks. Always change your SSID from the default before you actually connect the wireless router for the access point. If SSID broadcast is not disabled on an access point, a DHCP server should not be used to automatically assign IP addresses to wireless clients, because war driving tools can easily detect your internal IP addressing if the SSID broadcasts are enabled and DHCP is being used.

As an ethical hacker and penetration tester of an organization, your IT director will assign you the task of testing wireless security, exploiting the flaws in WEP, and cracking the keys present in WEP of an organization. In this lab we discuss how WPA keys are cracked using standard attacks such as KoreK attacks and PTW attacks.

Lab Objectives

The objective of this lab is to protect the wireless network from attackers.

In this lab, you will learn how to:

■ Crack WEP using various tools

■ Capture network traffic

■ Analyze and detect wireless traffic

ICON KEY: Valuable information; Test your knowledge; Web exercise; Workbook review

Tools demonstrated in this lab are available on D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks


Lab Environment

To execute the lab, you need:

■ Aircrack-ng located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\WEP-WPA Cracking Tools\Aircrack-ng\bin

■ This tool requires administrative privileges to run

■ A client connected to a wireless access point

■ This lab requires an AirPcap adapter installed on your machine. If you don't have this adapter, please do not proceed with the lab

Lab Duration

Time: 20 Minutes

Overview of Aircrack-ng

A wireless network refers to any type of computer network that is wireless, and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves, such as radio waves, for the carrier, and this implementation usually takes place at the physical level or layer of the network.

Lab Task

1. Launch Aircrack-ng GUI from D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap\bin by double-clicking Aircrack-ng GUI.exe.

2. Click the Airodump-ng tab.

Visit the Backtrack home site http://www.backtrack-linux.org for a complete list of compatible Wi-Fi adapters.

Aireplay filter options: -b bssid: MAC address, access point.

TASK 1

Cracking a WEP Network

To start wlan0 in monitor mode, type: airmon-ng start wlan0.

To stop wlan0, type: airmon-ng stop wlan0.

FIGURE 2.1: Airodump-ng window


3. Click Launch. This will show the airodump window.

    airodump-ng 0.9 - (C) 2006 Thomas d'Otreppe
    Original work: Christophe Devine

    usage: airodump-ng <nic index> <nic type> <channel(s)> <output prefix> [ivs only flag]

    Known network adapters:
    1 AirPcap USB wireless capture adapter nr. 00
    Network interface index number ->

FIGURE 2.2: Airodump-ng selecting adapter window

4. Type the AirPcap adapter index number as 0 and select all channels by typing 11. Press Enter.

    airodump-ng 0.9 - (C) 2006 Thomas d'Otreppe
    Original work: Christophe Devine

    usage: airodump-ng <nic index> <nic type> <channel(s)> <output prefix> [ivs only flag]

    Known network adapters:
    1 AirPcap USB wireless capture adapter nr. 00
    Network interface index number -> 0
    Channel(s): 1 to 14, 0 = all -> 11
    (note: if you specify the same output prefix, airodump will resume
    the capture session by appending data to the existing capture file)
    Output filename prefix ->

FIGURE 2.3: Airodump-ng selecting adapter window

5. It will prompt you for a file name. Enter Capture and press Enter.

To confirm that the card is in monitor mode, run the command "iwconfig". You can then confirm the mode is "monitor" and the interface name.

Aircrack-ng option: -b bssid (long version --bssid). Select the target network based on the access point's MAC address.

For cracking WPA/WPA2 pre-shared keys, only a dictionary method is used. SSE2 support is included to dramatically speed up WPA/WPA2 key processing.


    airodump-ng 0.9 - (C) 2006 Thomas d'Otreppe
    Original work: Christophe Devine

    usage: airodump-ng <nic index> <nic type> <channel(s)> <output prefix> [ivs only flag]

    Known network adapters:
    1 AirPcap USB wireless capture adapter nr. 00
    Network interface index number -> 0
    Channel(s): 1 to 14, 0 = all -> 11
    (note: if you specify the same output prefix, airodump will resume
    the capture session by appending data to the existing capture file)
    Output filename prefix -> capture
    (note: to save space and only store the captured WEP IVs, press y.
    The resulting capture file will only be useful for WEP cracking)
    Only write WEP IVs (y/n) ->

When Aircrack-ng completes determining the key, it is presented to you in hexadecimal format, such as KEY FOUND! [BF:53:9E:DB:37].

FIGURE 2.4: Airodump-ng selecting adapter window

6. Type y in Only write WEP IVs. Press Enter.

    airodump-ng 0.9 - (C) 2006 Thomas d'Otreppe
    Original work: Christophe Devine

    usage: airodump-ng <nic index> <nic type> <channel(s)> <output prefix> [ivs only flag]

    Known network adapters:
    1 AirPcap USB wireless capture adapter nr. 00
    Network interface index number -> 0
    Channel(s): 1 to 14, 0 = all -> 11
    (note: if you specify the same output prefix, airodump will resume
    the capture session by appending data to the existing capture file)
    Output filename prefix -> capture
    (note: to save space and only store the captured WEP IVs, press y.
    The resulting capture file will only be useful for WEP cracking)
    Only write WEP IVs (y/n) -> y

FIGURE 2.5: Airodump-ng dumping the captured packets window

7. After pressing y it will display Wi-Fi traffic; leave it running for a few minutes.

Airodump option: -f <msecs> : Time in ms between hopping channels.

Aireplay filter option: -d dmac : MAC address, Destination.

8. Allow airodump-ng to capture a large number of packets (above 2,000,000).


[Screenshot: airodump-ng 0.9.3 on channel 11, listing access points (columns BSSID, PWR, Beacons, # Data, CH, MB, ENC, ESSID) and associated stations (columns BSSID, STATION, PWR, Packets, ESSID). The listed networks use WEP, WPA or no encryption (OPN); the WEP network NETGEAR (BSSID 00:09:5B:AE:24:CC) is among them.]

FIGURE 2.6: Airodump-ng Channel listing window

9. Now close the window.

10. Go to Aircrack-ng and click Advanced Options

[Screenshot: Aircrack-ng GUI, Aircrack-ng tab, with the options Filename(s), Encryption (WEP selected, key size 128 bits, or WPA), Use wordlist, Use PTW attack, Key search filter, Bruteforce, Specify ESSID, Specify BSSID, Fudge factor, Disable KoreK attacks, and the Launch button.]

FIGURE 2.7: Aircrack-ng options window

11. Click Choose and select the filename capture.ivs

Note: This is a different file from the one you recorded; this file contains precaptured IVS keys. The path is D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap

airmon-ng is a bash script designed to turn wireless cards into monitor mode. It auto-detects which card you have and runs the right commands.

Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vectors) for the intent of using them with aircrack-ng.


Note: To save time capturing the packets, for your reference, the capture.ivs file (this capture.ivs file contains more than 200000 packets) is at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap.

12. After selecting the file, click Launch.

[Screenshot: Aircrack-ng GUI with the capture.ivs path entered in Filename(s), Encryption set to WEP with key size 128 bits, Advanced options enabled, Fudge factor 2, and the Launch button.]

FIGURE 2.8: Aircrack-ng launch window

13. If you get enough captured packets, you will be able to crack the packets.

14. Select your target network from BSSID and press Enter.

    Opening D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap\capture.ivs
    Read 231344 packets.

    00:09:5B:AE:24:CC  WEP (231233 IVs)
    94:44:52:F2:45:0C  WEP (111 IVs)

    Index number of target network ? 1

To put your wireless card into monitor mode: airmon-ng start rausb0.

You may use this key without the ":" in your wireless client connection prompt and specify that the key is in hexadecimal format to connect to the wireless network.

FIGURE 2.9: Select target network


Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng.

    Aircrack-ng 0.9.3

    [00:00:06] Tested 1 keys (got 164492 IVs)

    KB  depth  byte(vote)
    0   0/ 1   BF( 42) B9( 15) 4B( 13) 41( 12) FF( 9) F6( 4)
    1   0/ 3   53( 40) C9( 32) 34( 20) AF( 19) B4( 19) 40( 16)
    2   0/ 4   9E( 40) D8( 28) 64( 23) 88( 23) E4( 18) 82( 18)
    3   0/ 1   DB( 143) 97( 46) 33( 33) 43( 29) 38( 27) 36( 26)

    KEY FOUND! [ BF:53:9E:DB:37 ]
    Decrypted correctly: 100%

    C:\Users\Administrator\Desktop\aircrack-ng-0.9.3-win\aircrack-ng-0.9.3-win\bin>

FIGURE 2.10: aircrack-ng with WEP crack key

Lab Analysis

Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Aircrack-ng

Information Collected/Objectives Achieved:

Number of packets captured: 224385

Cracked wireless adaptor name: NETGEAR

Output: Decrypted key BF:53:9E:DB:37
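Why the IV counts reported by airodump-ng and aircrack-ng matter, as an added illustration (not code from the lab manual or from aircrack-ng): WEP builds each frame's RC4 key by prepending a 24-bit IV to the shared key, so a repeated IV repeats the keystream and the XOR of two ciphertexts equals the XOR of their plaintexts. The key is the one shown in the lab output, used as sample data; the plaintexts, IVs, and function names are constructed for the example.

```python
"""WEP encapsulation and what a repeated IV exposes."""
import struct
import zlib
from collections import Counter
from math import exp

IV_SPACE = 2 ** 24  # WEP IVs are 24 bits long


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the data, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, data: bytes, key_index: int = 0) -> bytes:
    """Frame body: IV(3) | key index byte | RC4(IV || key) XOR (data || ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 3 bytes")
    body = data + icv(data)
    return iv + bytes([key_index << 6]) + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame_body: bytes) -> bytes:
    iv, ciphertext = frame_body[:3], frame_body[4:]
    body = xor(ciphertext, rc4(iv + key, len(ciphertext)))
    data, received_icv = body[:-4], body[-4:]
    if received_icv != icv(data):
        raise ValueError("ICV check failed (wrong key or corrupted frame)")
    return data


def reused_ivs(frame_bodies) -> set:
    """IVs that occur in more than one frame body (sent in clear, so visible)."""
    counts = Counter(body[:3] for body in frame_bodies)
    return {iv for iv, n in counts.items() if n > 1}


def iv_collision_probability(frames: int) -> float:
    """Birthday approximation: chance that two of `frames` random IVs match."""
    return 1.0 - exp(-frames * (frames - 1) / (2 * IV_SPACE))


KEY = bytes.fromhex("BF539EDB37")       # 40-bit key shown in the lab output
P1 = b"first constructed payload"       # constructed plaintexts, equal length
P2 = b"other constructed payload"
F1 = wep_encrypt(KEY, b"\x00\x00\x01", P1)
F2 = wep_encrypt(KEY, b"\x00\x00\x01", P2)   # same IV as F1: keystream repeats
F3 = wep_encrypt(KEY, b"\x00\x00\x02", P1)   # different IV: fresh keystream

if __name__ == "__main__":
    print("reused IVs:", [iv.hex() for iv in reused_ivs([F1, F2, F3])])
    leaked = xor(F1[4:], F2[4:])[:len(P1)]
    print("c1^c2 == p1^p2:", leaked == xor(P1, P2))
    for n in (1000, 5000, 20000):
        print(n, "frames -> collision probability",
              round(iv_collision_probability(n), 3))
```

With random IVs a collision is already more likely than not after about 5,000 frames, which is why WEP cannot be repaired by choosing a stronger key and should be replaced with WPA2 or WPA3.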

Questions

1. Analyze and evaluate how aircrack-ng operates.

2. Does the aircrack-ng suite support AirPcap Adapter?


Internet Connection Required

□ Yes

Platform Supported

0 No

0 iLabs


Lab 3

Sniffing the Network Using the OmniPeek Network Analyzer

OmniPeek is a standalone network analysis tool used to solve network problems.

Lab Scenario

Packet sniffing is a form of wire-tapping applied to computer networks. It came into vogue with Ethernet; this means that traffic on a segment passes by all hosts attached to that segment. Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone's traffic. Most of the hubs/switches allow the intruder to sniff remotely using SNMP, which has weak authentication. Using POP, IMAP, HTTP Basic, and Telnet authentication, an intruder reads the password off the wire in cleartext.

To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. OmniPeek network analysis performs deep packet inspection, network forensics, troubleshooting, and packet and protocol analysis of wired and wireless networks. In this lab we discuss wireless packet analysis of captured packets.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Lab Environment

In this lab, you need:

■ Advanced OmniPeek Network Analyzer located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\Wi-Fi Packet Sniffer\OmniPeek Network Analyzer

■ You can also download the latest version of OmniPeek Network Analyzer from the link http://www.wildpackets.com


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks


■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ Run this tool in Windows Server 2008

■ A web browser and Microsoft .NET Framework 2.0 or later

■ Double-click OmniPeek682demo.exe and follow the wizard-driven installation steps to install OmniPeek

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of OmniPeek Network Analyzer

OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of each and every part of the network from a single interface, which includes Ethernet, Gigabit, 10 Gigabit, VoIP, Video to remote offices, and 802.11 a/b/g/n.

You can download OmniPeek Network Analyzer from http://www.wildpackets.com

Lab Tasks

1. Launch OmniPeek by selecting Start -> All Programs -> Wildpackets Omni packets Demo.

2. Click View sample files.

TASK 1

Analyzing WEP Packets

[Screenshot: WildPackets OmniPeek Start Page with New Capture, Open Capture File, View OmniEngines and Start Monitor buttons, and the Recent Files, Recent Capture Templates, Documentation, Resources, Technical Support, and Training & Services sections.]

FIGURE 3.1: Omnipeek main window

3. Select WEP.pkt.


[Screenshot: OmniPeek "WildPackets OmniPeek Sample Files" page listing the sample capture files, including a packet sample file with a variety of wired traffic and the WEP- and WPA-encrypted wireless samples (SSID BlackSlate).]

FIGURE 3.2: Omnipeek Sample Files Window

4. It will open WEP.pkt in the window. Select Packets from the left pane.

OmniPeek gives network engineers real-time visibility and Expert Analysis into every part of the network from a single interface, including Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless, VoIP, and Video to remote offices.

FIGURE 3.3: TELNET-Un WEP packets Window

5. Double-click any of the packets in the right pane.


Comprehensive network performance management and monitoring of entire enterprise networks, including network segments at remote offices

6. Click the right arrow to view the next packet.

OmniPeek Connect manages an organization's Omnipliance and TimeLine network recorders, and provides all the console capabilities of OmniPeek Enterprise with the exception of local capture and VoIP call playback

7. Close the tab from the top and select different options from the right pane; click Graphs.

[Screenshot: OmniPeek decode of packet #3 of WEP.pkt, an 802.11b frame on channel 1 (2412 MHz). The 802.11 MAC header is decoded as Type Management, Subtype Beacon, with Frame Control flags including Non-Protected Frame, No More Data, Power Management - active mode, not a Re-Transmission, and Last or Unfragmented Frame; a hex dump of the frame is shown below the decode.]

FIGURE 3.5: TELNET-UnWEP packets frame window

[Screenshot: OmniPeek Packets view of WEP.pkt with the columns Source, Destination, BSSID, Flags, Channel, Signal, Data Rate and Size; the listed frames are exchanged between a Buffalo access point, a LiteonTech station and the broadcast address. Status bar: Packets: 2003.]

FIGURE 3.4: TELNET-UnWEP packets analyzer


FIGURE 3.6: WEP Graphs window

8. Now traverse through all the options in the left pane of the window.

Lab Analysis

Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

OmniPeek Enterprise also provides advanced Voice and Video over IP functionality, including signaling and media analyses of voice and video, VoIP playback, voice and video Expert Analysis, Visual Expert, and more.

Tool/Utility: OmniPeek Network Analyzer

Information Collected/Objectives Achieved:

Packet Information:

• Packet Number
• Flags
• Status
• Packet Length
• Timestamp
• Data Rate
• Channel
• Signal level
• Signal dBm
• Noise Level
• Noise dBm
• 802.11 MAC Header Details
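The 802.11 MAC header details the worksheet asks for can also be decoded by hand when reviewing a capture. The following is an added example, not part of the lab manual: it parses the 24-byte header and classifies a beacon as open, WEP or WPA/WPA2, so an administrator can spot access points that still advertise WEP. The frames, BSSID and SSIDs are constructed sample values, and the function names are hypothetical.

```python
import struct

FLAGS = ["ToDS", "FromDS", "MoreFrag", "Retry", "PwrMgmt", "MoreData", "Protected", "Order"]
WPA_OUI_TYPE = bytes.fromhex("0050f201")  # vendor IE prefix that marks a WPA element

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_header(frame):
    """Decode the 24-byte 802.11 MAC header of a management or data frame."""
    if len(frame) < 24:
        raise ValueError("shorter than a 24-byte 802.11 MAC header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    return {"version": fc & 0x3, "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "flags": [n for i, n in enumerate(FLAGS) if (fc >> (8 + i)) & 1],
            "addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]),
            "addr3": mac(frame[16:22]),  # the BSSID in management frames
            "seq": struct.unpack_from("<H", frame, 22)[0] >> 4}

def beacon_security(frame):
    """Classify a beacon as open, WEP or WPA/WPA2 from capability bits and IEs."""
    hdr = parse_header(frame)
    if (hdr["type"], hdr["subtype"]) != (0, 8) or len(frame) < 36:
        raise ValueError("not a complete beacon frame")
    capability = struct.unpack_from("<H", frame, 34)[0]  # after timestamp + interval
    ssid, strong, pos = "", False, 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break  # truncated element: stop instead of trusting the length byte
        if tag == 0:
            ssid = body.decode("utf-8", "replace")
        strong = strong or tag == 48 or (tag == 221 and body[:4] == WPA_OUI_TYPE)  # RSN or WPA
        pos += 2 + length
    security = "open" if not capability & 0x0010 else ("WPA/WPA2" if strong else "WEP")
    return {"bssid": hdr["addr3"], "ssid": ssid, "security": security}

def build_beacon(ssid, capability, extra_ies=b"", bssid=bytes.fromhex("020000000001")):
    """Constructed sample beacon (made-up BSSID and SSID, not from the lab capture)."""
    hdr = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid * 2 + struct.pack("<H", 0x0010)
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return hdr + struct.pack("<QHH", 0, 100, capability) + ies + extra_ies

WEP_BEACON = build_beacon("LAB-WEP", 0x0011)  # ESS + Privacy, no RSN/WPA element
RSN_BEACON = build_beacon("LAB-WPA2", 0x0011, bytes([48, 6, 1, 0, 0x00, 0x0F, 0xAC, 4]))

if __name__ == "__main__":
    print([beacon_security(f) for f in (WEP_BEACON, RSN_BEACON)])
```

A beacon with the Privacy capability bit set but no RSN or WPA element is the signature of a WEP network; the Protected flag in a data frame's header only says the payload is encrypted, not with which scheme.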

Questions

1. Analyze and evaluate the list of captured packets.

Internet Connection Required: ☑ Yes □ No

Platform Supported: ☑ Classroom □ iLabs
