Wireless Hacking


TABLE OF CONTENTS

Preface 1
Introduction 2
What this book covers 3
What you need for this book 6
Who this book is for 7
Reader feedback 8
Errata 8

Chapter 1 : Wireless Lab Setup 9


Introduction 10
Hardware requirements 11
Software requirements 12
Installing BackTrack 12
Time for action – installing BackTrack 12
Setting up the access point 16
Time for action – configuring the access point 16
Setting up the wireless card 20
Time for action – configuring your wireless card 20
Connecting to the access point 22
Time for action – configuring your wireless card 22
Summary 27

Chapter 2 : WLAN and Its Inherent Insecurities 29

i
Introduction 30
Revisiting WLAN frames 31
Time for action – creating a monitor mode interface 34
Time for action – sniffing wireless packets 37
Time for action – viewing Management, Control, and Data frames 40
Time for action – sniffing data packets for our network 45
Time for action – packet injection 49
Important note on WLAN sniffing and injection 51
Time for action – experimenting with your Alfa card 52
Role of regulatory domains in wireless 55
Time for action – experimenting with your Alfa card 55
Summary 59

Chapter 3 : Bypassing WLAN Authentication 61


Introduction 62
Hidden SSIDs 62
Time for action – uncovering hidden SSIDs 63
MAC filters 69
Time for action – beating MAC filters 69
Open Authentication 74
Time for action – bypassing Open Authentication 74
Shared Key Authentication 75
Time for action – bypassing Shared Authentication 77
Summary 85

Chapter 4 : WLAN Encryption Flaws 87


Introduction 88
WLAN encryption 89
WEP encryption 89
Time for action – cracking WEP 90

WPA /WPA2 99
Time for action – cracking WPA-PSK weak passphrase 102
Speeding up WPA/ WPA2 PSK cracking 107
Time for action – speeding up the cracking process 108
Decrypting WEP and WPA packets 112
Time for action – decrypting WEP and WPA packets 113
Connecting to WEP and WPA networks 115
Time for action – connecting to a WEP network 115
Time for action – connecting to a WPA network 116
Summary 118

Chapter 5 : Attacks on the WLAN Infrastructure 119


Introduction 120
Default accounts and credentials on the access point 121
Time for action – cracking default accounts on the access points 121
Denial of service attacks 124
Time for action – De-Authentication DoS attack 124
Evil twin and access point MAC spoofing 128
Time for action – evil twin with MAC spoofing 129
Rogue access point 134
Time for action – Rogue access point 135
Summary 139

Chapter 6 : Attacking the Client 141


Introduction 142
Honeypot and Mis-Association attacks 143
Time for action – orchestrating a Mis-Association attack 144
Caffe Latte attack 150
Time for action – conducting the Caffe Latte attack 151
De-Authentication and Dis-Association attacks 156

Time for action – De-Authenticating the client 156
Hirte attack 161
Time for action – cracking WEP with the Hirte attack 161
AP-less WPA-Personal cracking 164
Time for action – AP-less WPA cracking 166
Summary 169
Chapter 7 : Advanced WLAN Attacks 171
Introduction 172
Man-in-the-Middle attack 173
Time for action – Man-in-the-Middle attack 173
Wireless Eavesdropping using MITM 180
Time for action – wireless eavesdropping 180
Session Hijacking over wireless 186
Time for action – session hijacking over wireless 186
Finding security configurations on the client 191
Time for action – enumerating wireless security profiles 192
Summary 196

Chapter 8 : Attacking WPA-Enterprise and RADIUS 197


Introduction 198
Setting up FreeRadius-WPE 198
Time for action – setting up the AP with FreeRadius-WPE 199
Attacking PEAP 205
Time for action – cracking PEAP 206
Attacking EAP-TTLS 211
Time for action – cracking EAP-TTLS 212
Security best practices for Enterprises 214
Summary 215

Chapter 9 : WLAN Penetration Testing Methodology 217

Introduction 218
Wireless penetration testing 218
Planning 219
Discovery 220
Time for action – discovering wireless devices 220
Attack 223
Finding rogue access points 223
Finding unauthorized clients 226
Cracking the encryption 227
Compromising Clients 230
Reporting 232
Summary 233

Conclusion 235
Introduction 236
Wrapping up 236
Building an advanced Wi-Fi lab 237
Staying up-to-date 240
Conclusion 242

ရဲမင္းေအာင္(Ray-Electronic) WIFI HACKING (WIRELESS ထိုးေဖာက္ျခင္းစမ္းသပ္ခ်က္မ်ား)

Preface


Introduction
Wireless Network

Hotspot Internet Personal ( )


(Professional)

BackTrack 5 Wireless Penetration Testing

OS (Operating System) BackTrack 5


BackTrack 5 Back
Track5 Hacking OS
Tool
Tool
BackTrack 5





What this book covers


Chapter 1, Wireless Lab Setup
BackTrack

Hardware Software
Hardware Wireless Cards, Antenna
Access Point Wi-fi Operating System
Software
Wireless Configuration

Chapter 2, WLAN and its inherent insecurities


Wireshark Network Analyzer 802.11
WLAN Protocol recap
Protocol
Client Packet Level
Management, Control Data frame Access Point
Packet Injection
Tool

Chapter 3, Bypassing WLAN Authentication WLAN Authentication

Open Shared Key


Network Wireless Packet Authentication
SSID ID

(Hidden SSID) Network


Network

Chapter 4, WLAN Encryption Flaws Wifi Encryption Schemas


WEP, WPA WPA2

Hacker Schemas Flaw


Tool WPA/ WPA2
Configure

Schemas

Chapter 5, Attacks on the WLAN Infrastructure WLAN infrastructure

Access point MAC spoofing, bit flipping replay attack


WLAN infrastructure

Chapter 6, Attacking the Client Client ( )


WLAN
Client WLAN
Access Point Client
Client mis-association, Caffe Latte, disassociation, ad-hoc connections, fuzzing, honeypots


Host Tool Attack

Chapter 7, Advanced WLAN Attacks infrastructure Client


Attack

wireless device fingerprinting, man-in-the-middle


over wireless, evading wireless intrusion detection Tool

Wireless Attacks

Chapter 8, Attacking WPA Enterprise and RADIUS


WPA-Enterprise
WPA-Enterprise RADIUS authentication
Enterprise

Wi-Fi Attacks

Chapter 9, Wireless Penetration Testing Methodology

Planning, discovery,
attack reporting




What you need for this book


Wifi Card
Laptop Alfa AWUS036H USB Wireless
Wifi Adapter USB Wireless Wifi Adapter
BackTrack5 ( ) Hardware Software
1, Wireless Lab Setup

Laptop Virtual Machine


BackTrack 5 Laptop
Laptop
Laptop

Wireless Network
802.11 Protocol Client Access Point Communication






Who this book is for


Network
Network




Reader feedback

[email protected]

Facebook http://www.facebook.com/Telecomtechnicaltraining

Errata

http://www.facebook.com/telecomtechnicaltraining

Ray Marm Aung

BE (Electronic)


Chapter 1

Wireless Lab Setup


Introduction

(16 )

“If I had eight hours to chop down a tree, I'd spend six sharpening my axe.”

Abraham Lincoln, 16th US President

Wireless

Wireless Lab
Lab

Lab

- Hardware and Software requirements
- BackTrack 5 Installation
- Setting up an access point and configuring it
- Installing the wireless card
- Testing connectivity between the laptop and the access point


Hardware requirements
Wireless lab Hardware

Two laptops with internal Wi-Fi Cards: Laptop Victim ( )

RAM 3GB
Memory Software

- One Alfa Wireless adapter : Packet injection packet sniffing BackTrack


USB Wifi Card
d

Packet Injection Packet Sniffing BackTrack


USB Wifi Adapter
- One Access Point : WEP/WPA/WPA2 encryption standard
Access Point - -

WEP/WPA/WPA2
Wireless Router
- An Internet Connection :
Software w d Internet
Connection


Software requirements
Wireless lab Software (OS)

- BackTrack 5 : BackTrack http://www.backtrack-linux.org w d Software p
Web Site w d
- Windows XP/Vista/7 : Laptop
Windows XP, Windows Vista Windows 7

Window OS
Smart Phone Tablet Wifi

Installing BackTrack
BackTrack

Laptop BackTrack

Time for action – installing BackTrack


BackTrack Live DVD
BackTrack d Instal


1 w d BackTrack ISO (BackTrack 5 KDE 32bit edition) Bootable


DVD ( )

2 Laptop First Boot Boot


BackTrack Text - Default Boot Text Mode Boot
Menu Enter

3 Boot
BackTrack Screen


Graphical Mode mm d mp
Startx p
Screen

5 Install BackTrack Icon Click


BackTrack Installer


6 Installer Linux System GUI Based Installer


Option
Installation Process Installation Computer

7 Login Screen Login


root Password toor BackTrack
Log In

Tracing
BackTrack p p


Self-study- Installing BackTrack on Virtual Box


BackTrack Virtual Box Virtualization Software

BackTrack Installation Virtual Box


Virtual Box Virtual Box Software http://www.virtualbox.org/ w d

BackTrack USB Drive


d
Install Script Tool
BackTrack

Setting up the access point


Access Point
D-LINK DIR-615 Wireless N Router
Access Point

Time for action – configuring the access point


Wireless Lab SSID Access Point

1 Access Point (Router) Power Laptop Ethernet Cable (Network


)


2 Mozilla Firefox w Access point Configuration


terminal IP Address DIR-615 IP Address
192.168.0.1 Access Point IP
Address Router Manual Manual
Command Prompt route -n Command
Gateway IP Address Access Point IP Address

3 Router Log in User Name Password Manual


Internet (Website
Login Settings SSID
Setting

SSID Wireless Lab Access Point


5 Authentication Setting Open Authentication Router Security Mode
none Setting Authentication

6 Access Point Data save


Access Point Wireless Lab SSID

Window Wireless Configuration utility Laptop


List Wireless Lab


Tracing
Wireless Lab Access Point
Wireless Network Windows Laptop
Radio Frequency w

Access Point p d

Router Internet Wireless


Device Internet




Self-study – configuring the access point to use WEP and WPA
Access Point Configuration Option
Encryption Option WEP WPA/ WPA2
Encryption

Setting up the wireless card


Alfa Wireless Card Access Point
Access Point Wireless Lab SSID
Authentication

Time for action - Configuring your wireless card


Laptop Alfa Wireless Card

Wireless Card

1 BackTrack Laptop USB Wireless Adapter

2 BackTrack Login Terminal Console iwconfig


wlan0 Alfa Wireless Card Wireless


Interface Interface ifconfig wlan0
Command ifconfig wlan0 Command Interface


3 dd 00: c0: ca: bd: 93 d


dd Interface

Tracing
BackTrack OS Alfa Card Driver
BackTrack OS d Wifi
Card Wlan0 Network Interface
BackTrack Network Interface
ifconfig Command
Alfa Card (Wifi USB Card)

Connecting to the access point


Alfa Wireless Card
Access Point SSID
Authentication

Time for action - Configuring your wireless card


Wireless Card Access Point

1 Wireless Card
iwlist wlan0 scanning Command
Network


2 Scroll Wireless Lab


Cell 5
ESSID Network Name

3 Access Point SSID Address


MAC Address Access Point dd


MAC Address Access Point


MAC Address Web Configuration MAC
Address

w w d “ ” Command
iwconfig wlan0 Command
Access Point Access Point MAC
Address iwconfig Command

5 Access Point m dd 192.168.0.1


route -n Command
dd
Subnet IP Address ifconfig wlan0 192.168.0.2 netmask
255.255.255.0 up Command
ifconfig wlan0 Command Output


6 ping 192.168.0.1 Command Access Point


Network Connection Access Point
p p Access Point
arp -a Command
IP 192.168.0.1 MAC Address Access Point MAC Address
Access Point
p
Configuration Settings Out-of-the-box Access
Point Browser Web
Interface Configuration Page Connection


7 Connection Log
Log Wireless Card dd
00:c0:ca:3a:bd:93


Tracing
Access Point BackTrack d
Wireless Device Connection Wireless
Client Access Point

Self-Study – Establishing connection in WEP configuration
WEP configuration WEP Access Point
Wireless Adapter
iwconfig Command manual man iwconfig
m Card

Summary
Wireless Lab

- Hard Drive BackTrack VMWare


Tool BackTrack USB

- Web Interface Access Point

- Wireless Card Command


- Wireless Client Access Point

WLAN Inherent insecurity


w y Wireshark




Chapter 2

WLAN and Its Inherent Insecurities


Introduction

“The loftier the building, the deeper the foundation must be laid.”

Thomas Kempis, Writer

found

WLAN Packet spoofing, packet


injection, sniffing ( ) exploit
Exploit

- Revisiting WLAN frames
- Different frame types and sub-types
- Using Wireshark to sniff Management, Control, and Data frames
- Sniffing data packets for a given wireless network
- Injecting packets into a given wireless network


Revisiting WLAN frames


Wireless Network
Protocol Packet Header

WLAN
WLAN Frame Frame
Header Structure

Frame Control Structure

Type WLAN Frame


1 Management frames: Management Frame Access Point Wireless Client


Management Frame

- Authentication
- De-authentication
- Association Request
- Association Response
- Reassociation Request
- Reassociation Response
- Disassociation
- Beacon
- Probe Request
- Probe Response

2 Control Frames: Control Frame Access Point Wireless Client


Control Frame

- Request to Send (RTS)
- Clear to Send (CTS)
- Acknowledgement (ACK)

3 Data Frames: Data Frames


Data Frame

Frame


Wireshark Frame
Tool Airodump-NG, Tcpdump Tshark Wireshark
Tool
Monitor Mode Interface
Wireless Frame (
) Alfa Wifi USB Card Interface
promiscuous mode




Time for action - Creating a monitor mode interface


Alfa Card Monitor Mode

1 Alfa Wifi Card BackTrack BackTrack


Console Wifi Card
iwconfig mm d

2 Card ifconfig wlan0 up Command Wifi


Card ifconfig wlan0 Command
up Command Output


3 Wifi Card Monitor Mode airmon-ng Command


Command (Utility) BackTrack
Card airmon-ng
Command Output wlan0 interface

w d Monitor mode interface


airmon-ng start wlan0 Command Monitor mode
interface mon0


airmon-ng argument

5 ifconfig Command mon0 Interface


Tracing
mon0 monitor mode interface
interface Wireless Packet
Interface d Alfa Card

Self-study - Creating multiple monitor mode interfaces


Physical Card monitor mode interface
airmon-ng utility Console

Packet monitor mode interface

monitor mode interface (mon0)


Packet Wireshark

Time for action - Sniffing wireless packets


Packet

1 1 Wireless Lab Access Point


Power

2 Wireshark Console Wireshark & Wireshark


Capture Menu Interfaces


3 mon0 interface Start Click


Packet Wireshark Packet
d w Packet


Alfa Wireless Card Packet


Packet Window
Window Packet

5 IEEE 802.11
w m m m

6 WLAN frame type type


Packet Header Field

Tracing
Packet
monitor mode interface mon0


Wireshark Wireshark footer


region region Packet
Packet

Self-study - Finding different devices


Wireshark Wireless Network

Wireshark Packet
Packet Wireshark Filter
Access Point Wireless Client
Wireless device Filter

Filter Filter

Time for action - Viewing Management, Control, and Data frames
Management, Control Data frame Wireshark Filter

1 Packet management frame


wlan.fc.type==0 filter window Apply Click
Mouse Scrolling
Packet


2 Control Frame Filter expression wlan.fc.type==1


3 Data Frame Filter expression wlan.fc.type==2

Sub-type wlan.fc.subtype filter


Management frame Beacon
Frames (wlan.fc.type==0) && (wlan.fc.subtype==8) Filter


5 Middle Window Header field Right Click


Menu Apply as Filter> Selected Filter

6 Filter Field filter expression


Tracing
Wireshark filter expression packet filter
( ) Packet
Packet

Packet header management, control data frame plain text


encryption
Packet Header
Hacker Packet
Protocol

Self-study – Playing with filters


Wireshark manual filter expression
Filter
Packet Trace

data packet access point wireless


client




Time for action - Sniffing data packets for our network
Wireless network Data packet
encryption Packet

1 Wireless Lab Access Point encryption

2 Wireless Lab p Channel


Terminal airodump-ng --bssid 00:21:91:D2:8E:25 mon0
Command 00:21:91:D2:8E:25
mon0 Access Point dd
Access Point Program
Access Point Channel

3 Wireless Lab Access Point


Channel 11
Channel


Access Point data packet Wireless Card


Channel Lock iwconfig
mon0 channel 11 Command iwconfig mon0
mm d Output Frequency : 2.462

5 wireshark mon0 interface Wireshark


packet wlan.bssid==00:21:91:D2:8E:25
Access Point Filter filter area filter pp y
00:21:91:D2:8E:25 Access Point dd
Access Point MAC Address


6 Access Point Data Packet


(wlan.bssid==00:21:91:d2:8e:25)&&(wlan.fc.type_subtype==0x20) filter
Client Laptop Browser Browser dd
Access Point Management Interface URL Access Point
Management Interface URL 1 http://192.168.0.1
Wireshark Data Packet

7 Packet encrypt
Data Packet
Wireless yp




Tracing
Filter Wireshark Data
Packet Access Point
encryption Data Plain Text
Access Point RF range
Wireshark packet

Self-study - Analyzing data packets


Data packet Wireshark
DHCP Server Client DHCP Request
Address ARP
packet protocol packet w
y
Packet trace Wireless Host Application

Wireshark feature Follow a Stream


TCP Exchange Connection 7
Packet

gmail.com Website Log In


Data Packet

Wireless Network Packet




Time for action - Packet injection


BackTrack aireplay-ng tool

1 Injection Wireshark (wlan.bssid==00:21:91:d2:8e:25) && !(wlan.fc.type_subtype==0x08) filter expression
Filter expression Beacon Packet Packet

2 aireplay-ng -9 -e "Wireless Lab" -a 00:21:91:d2:8e:25 mon0


Command Terminal
MAC Address

3 Wireshark Packet
Packet aireplay-ng Packet
p Wireless Lab Access Point


Tracing
Aireplay-ng Wireless Lab Packet d
Wireless Lab
Network Packet Wifi Card

Self-study – Packet Injection

packet aireplay-ng tool option


Wireshark inject
Monitor



injection

Important note on WLAN sniffing and injection


WLAN Frequency Range
2.4GHz, 3.6GHz 4.9/5.0GHz Wifi Card
Range Band
Alfa Card IEEE 802.11 b/g
802.11a/n
Packet Sniff
Band Band Wifi
Card

Band Channel
Wifi Card Channel
Channel

Channel

Channel Channel
Access Point Channel 1 Wifi Card
Channel 1


WLAN sniffing ( )
) Channel
Card Channel

Channel WIFI Card Set

Time for action - Experimenting with your Alfa Card

1 Card iwconfig wlan0 Command


Alfa Card b g band

2 Wifi Card D-Link DWA-125


Command b, g n
band


3 Channel Wifi Card iwconfig mon0


Channel X Command X
Channel

iwconfig Command Channel hopping Mode


Script
airodump-ng Command Option
airodump-ng Command Option
airodump-ng --help


Tracing
dw Wireless Sniffing Packet Injection
Wifi Card Band
Channel Wireless Card Radio
Channel Sniff
Channel

Self study - Sniffing multiple channels


Channel Wifi
Card Wifi Card
Channel




Role of regulatory domains in Wireless


Wifi Unlicensed
Spectrum Allocation policy Spectrum
Power Level
FCC WLAN

Regulatory Setting

Time for action - Experimenting with your Alfa Card

1 Alfa Wifi Card

2 BackTrack Log In Kernel Message tail


Command

3 Alfa Wifi Card


Card Regulatory Setting


US Regulatory domain
Terminal iw reg set US Command

5 Command
m

6 Card Channel 11
Channel 12 Error
Channel 12


7 Power Level
Power Level 27dBm (500 milliwatt) Alfa Card
Power Level 1 Watt


8 Transmit Power 1 Watt


Regulatory Domain Bolivia iw reg set BO
Card Power 20dBm (1 watt)
Channel
12

Tracing
Unlicensed Wireless Band
Regulatory domain
Channel Power Level Card
Regulatory Domain Channel Power Level



Self study - Exploring regulatory domains


Channel, Power, regulatory domains Parameter
iw Command Command Wifi
Card Settings

Summary
WLAN protocol

Management, Control Data frame yp


Packet Data packet
yp

Wifi Card Monitor mode system packet


Sniff ( )

Management Control Frame packet


aireplay-ng Tool

Encrypt Packet
Packet yp packet replay protection
p p y

MAC Filtering, Shared Authentication Wifi


Authentication



Chapter 3

Bypassing WLAN Authentication


Introduction

“A false sense of security is worse than being unsure.”

Anonymous

Authentication
Authentication

- Uncovering hidden SSIDs
- Beating MAC filters
- Bypassing Open Authentication
- Bypassing Shared Key Authentication

Hidden SSIDs
Default Configuration Mode
Access Point Beacon Frame SSIDs
Client ( )
dd SSID ) Beacon Frame


Access Point Configuration SSID Client

Network Administrator
Hidden SSID

Time for action - Uncovering hidden SSIDs

1 Wireshark Wireless Lab Network Beacon Frames


Plain Text SSID
Beacon Frame

2 Wireless Lab Access Point dd


Access Point dd Configuration
Visibility Status Invisible
Option Hidden SSID

3 Wireshark trace Beacon Frames Wireless Lab


dd


Access Point Client


Passive Probe Request
SSID Probe Response packet


5 aireplay-ng Command aireplay-ng -0 5 -a 00:21:91:D2:8E:25 mon0 Wireless Lab
Station Deauthenticating packet -0 option
Deauthenticating attack 5 Deauthenticating
packet -a Target Access Point
MAC Address

6 Deauthentication Packet Client


Deauthentication packet
Filter


7 Access Point probe response SSID


packet
Client Probe Request Probe
Response Frame Hidden SSID Access Point
Beacon Packet Packet (wlan.bssid==00:21:91:d2:8e:25)&&!(wlan.fc.type_subtype==0x08) filter filter
&& AND Operator !
NOT operator


Tracing
SSID Client
Probe Request Probe Response packet
packet Access Point SSID Packet yp
Packet SSID

Client Access Point


Wireshark trace Probe Request / Response Packet
Deauthentication Packet Client
Access Point Packet
SSID


Self-study - Selecting Deauthentication


Wireless Client Connection
Deauthentication packet aireplay-ng Client Target

Wireshark
aircrack-ng
Tool aircrack-ng Suite
http://www.aircrack-ng.org

MAC filters
MAC filter authentication authorization
authentication

Client dd
MAC Address Network Administrator
Access Point MAC filter

Time for action - Beating MAC filters

1 MAC filtering Access Point


Laptop MAC Address Access Point Access Point


2 MAC filtering MAC address


Access Point Access
Point MAC Address


3 Access Point Client


Message Packet trace


airodump-ng
Client airodump-ng -c 11 -a --bssid 00:21:91:D2:8E:25 mon0 Command
Bssid Access point -c 11
Access Point Channel 11 -a airodump-ng
output Client section Client Access
Point Client

5 Client MAC Address BackTrack


macchanger utility Client MAC address
macchanger -m 60:FB:42:D5:E4:01
wlan0 Command -m p MAC
Address Wlan0 interface MAC Address


6 MAC Address
Access Point

Tracing
Airodump-ng Wireless Network Client
MAC Address macchanger utility
Client MAC Address Wifi Card MAC Address
MAC Address Client Access
Point Wireless Network

airodump-ng utility Option http://www.aircrack-ng.org/doku Web Address


Open Authentication
Authentication Open Authentication
Access Point p
Configure Client

Open Authentication Access Point

Time for action - Bypassing Open Authentication


Open Authentication

1 Wireless Lab Access Point Open Authentication


Access Point Security Mode Setting None
p Access Point


2 w w d “ ”
Command

3 Open Authentication Username


/Password / passphrase

Tracing
Hack p
Access Point

Shared Key Authentication


Shared key Authentication WEP Key Client
Shared Secret Shared key Authentication


Wireless Client Access Point Authentication Request


Challenge p d Client
y Challenge yp yp
x Client
Authentication

Communication
Plain Text Challenge Encrypted Challenge
Keystream XOR operation
keystream Access Point Challenge
Key yp


Challenge yp Challenge
Keystream Shared Key Access Point

Time for action - Bypassing Shared Authentication


Authentication
yp

1 Wireless Lab Network Shared Authentication


Security Mode WEP Authentication Shared Key Shared Authentication


2 Client Network 1
Shared Key

3 Shared Key Authentication Access Point


Client packet Shared Authentication
Log airodump-ng
option airodump-ng mon0 -c 11 --bssid 00:21:91:D2:8E:25 -w keystream
Command Command -w Option
Option packet keystream

Packet session
trace

Access Point Client


Client Deauthentication
Client
Shar d y airodump
packet Access Point Client packet
p p AUTH
Column SKA


5 y d keystream File p
Keystream keystream-01-00-21-91-D2-8E-25.xor

6 Shared Key Authentication aireplay-ng Tool


aireplay-ng -1 0 -e "Wireless Lab" -y keystream-01-00-21-91-D2-8E-25.xor -a 00:21:91:D2:8E:25 -h aa:aa:aa:aa:aa:aa mon0 Command
aireplay-ng 5 Keystream Wireless Lab
SSID Access Point dd 00:21:91:D2:8E:25
aa:aa:aa:aa:aa:aa
Wireshark wlan.addr==aa:aa:aa:aa:aa:aa filter
packet


7 aireplay-ng Output

8 Wireshark

9 Packet authentic aireplay-ng tool


Access Point


10 Packet Access Point Client


Challenge text


11 Packet Access Point yp Challenge Tool

12 Aireplay-ng yp d keystream
packet Message
Access Point


13 Tool Access Point


14 Access Point Configuration Page


MAC Address AA:AA:AA:AA:AA:AA

Tracing
authentication exchange keystream derived
Access Point Authentication

Self study - Filling up the access point’s tables


Access Point Client
Connection p y- wrapper
Access Point MAC Address Connection request
m internal Table
Client Access
Point Connection Denial of
Service (DoS) attack Router


Client
Network

Summary
WLAN authentication

- Hidden SSIDs

- MAC Filter Wireless Packet MAC Address yp


Packet MAC Address
encrypt
- Open Authentication Authentication

- Shared key Authentication


Access Point Challenge keystream
Tool
Key

WEP, WPA WPA2 WLAN encryption





Chapter 4

WLAN Encryption Flaws


Introduction
640 K

“ 4 m m m y y w d”

Bill Gates, Founder, Microsoft

WLAN
committee WEP WPA encryption

Exploit

WLAN encryption
2000 WEP
WPA
WPA

 Different encryption schemas in WLANs


 Cracking WEP encryption
 Cracking WPA encryption


WLAN encryption
WLAN Data packet Data Packet

Encryption WLAN committee (IEEE 802.11) Data


encryption Protocol

 Wired Equivalent Privacy (WEP)


 Wifi Protected Access (WPA)
 Wifi Protected Access 2 (WPAv2)

encryption protocol

WEP encryption
WEP protocol 2000
Access Point
WEP protocol Protocol

WEP Walker, Arbaugh, Fluhrer,


Martin, Shamir, KoreK yp
WEP

BackTrack Platform Tool WEP encryption


Tool Aircrack-ng Suite
Tool airmon-ng, aireplay-ng, airodump-ng, aircrack-ng utility


WEP Wireless Lab Access


Point

Time for action - Cracking WEP

၁ Wireless Lab Access Point Settings


yp

၂ Access Point Security Mode WEP WEP Key


WEP 128bit key Default WEP Key


Hex Value 128 bit abcdefabcdefabcdefabcdef12

၃ Setting Access Point yp


Setting


ifconfig wlan0 up mm d wlan0 airmon-ng start


wlan0 mm d mon0 mon0 m m d
mon0 interface iwconfig
mm d

၅ airodump-ng Command airodump-ng mon0 Command


Access Point
Wireless Lab Access Point WEP Mode


၆ Wireless Lab
Network packets airodump-ng --bssid 00:21:91:D2:8E:25 --channel 11 --write WEPCrackingDemo mon0 Command
--write directive airodump-ng pcap file Packet

၇ Wireless Client Access Point y abcdefabcdefabcdef12


Client airodump-ng
Report


၈ Same directory ls Command


WEPCrackingDemo-* airodump-ng traffic-dump

၉ airodump-ng #Data m
data packet ၆၈
WEP protocol yp
data packet
Network data packet
aireplay-ng Tool


၁ aireplay-ng w ARP packet p


ARP response m Network ARP packet
aireplay-ng
Terminal Window packet
Network Data Traffic
aireplay-ng WEP Key packet ARP
packet ARP x d d p ARP packet
yp d y
aireplay-ng Option
-3 Option ARP replay -b
Network BSSID -h p Client MAC Address
replay attack
Client MAC Address

၁၁ aireplay-ng ARP packet Network


replay

၁၂ airodump-ng data packet registering


packet WEPCrackingDemo-*


၁၃
Console Window mm d aircrack-ng
p WEPCrackingDemo-01.cap aircrack-ng
Software file data packet WEP Key
airodump-ng
WEP Packet aireplay-ng attack aircrack-ng packets WEP Key
Terminal
Window

၁ aircrack-ng WEP Key Crack Packet


၁၅ WEP Key data packet


packet
Network ၅ ၁
data packet aircrack-ng
packet


၁၆ packet aircrack-ng Key

WEP Key

၁၇ WEP encryption
WEP Key aircrack-ng
aircrack-ng encrypt Key
data packet

Tracing
Wireless Lab Access Point WEP encryption WEP Key
Access Point Client
aireplay-ng tool
Network ARP packet Access
Point data packet


aircrack-ng Packet WEP key

Shared Key Authentication bypass Access Point Authentication

Client p Client
WEP Crack

Self study - Fake authentication with WEP


Cracking
Client Network log off
Access Point Client packet packet
p y

WEP Cracking Shared


Key Authentication bypass authentication association
Client Network log off Network packet
Access Point

WPA / WPA2
WPA (WPA v1 ) TKIP encryption algorithm
TKIP Hardware WEP
WPA2 yp
AES-CCMP algorithm TKIP


Radius Server (Enterprise) Pre shared Key (PSK) (personal) based


authentication WPA WPA2 EAP-based authentication

WPA/ WPA PSK y


input Client Access Point d
Wordlist passphrase Aircrack-ng
Tool WPA /WPA2 PSK passphrase Crack

WPA/ WPA2 PSK Pairwise Transient Key (PTK) per-


sessions key Pre-Shared Key parameter Network SSID,
Authenticator Nonce (ANonce), Supplicant Nonce (SNonce), Authenticator MAC address
(Access Point MAC) Supplicant MAC Address (Wi-fi Client MAC)
Key Access Point Client Data
yp

Attacker Conversation
parameter Parameter
Pre-Shared Key Pre-shared key
SSID WPA-PSK passphrase
Password Based Key Derivation Function (PBKDF2)
Shared Key

WPA/ WPA2 PSK dictionary attack attacker


Dictionary Attack Tool
Attack Tool passphrase 256 bit Pre-shared Key
Parameter PTK
PTK handshake packet Message Integrity
Check (MIC)
dictionary passphrase
Network passphrase dictionary
WPA/
WPA2 PSK Crack


WPA PSK Wireless Network


CCMP (AES) WPA2-PSK Network

Time for action - Cracking WPA-PSK weak passphrase

၁ Wireless Lab Access Point Access Point WPA-PSK


WPA-PSK passphrase abcdefgh
y


၂ airodump-ng Option airodump-ng --bssid 00:21:91:D2:8E:25 --channel 11 --write WPACrackingDemo mon0 Command Network
Capture packet

၃ Access Point Client


WPA handshake p
De-authentication packet Client

WPA handshake p airodump-ng Access Point


BSSID WPA Handshake Screen


၅ airodump-ng Wireshark Cap file handshake


Wireshark Terminal
Trace File d
Packet Packet EAPOL Key

၆ Key Common Word


Dictionary BackTrack darkc0de.lst
dictionary file
Dictionary
BackTrack Dictionary
Password
Dictionary


၇ Dictionary pcap file input


aircrack-ng

၈ Aircrack-ng Dictionary passphrase


Key passphrase dictionary file


၉ Dictionary attack dictionary file


passphrase
Dictionary file aircrack-ng passphrase
dictionary Attack

Tracing
Passphrase abcdefgh
Access Point Client de-authentication attack
Access Point Client four way
WPA handshake p

WPA-PSK Dictionary Attack WPA four way handshake


File p Common passphrase Aircrack-ng
p abcdefgh Word
List Aircrack-ng WPA-PSK shared passphrase Crack
d y d
Dictionary
passphrase Dictionary
BackTrack Dictionary
Dictionary

Self study - Trying WPA-PSK cracking with Cowpatty


Cowpatty Dictionary attack WPA-PSK passphrase
Tool Tool BackTrack
Cowpatty WPA-PSK passphrase Crack


Dictionary Uncommon Passphrase Access Point


Aircrack-ng Cowpatty

WPA2 PSK Network

Speeding up WPA/WPA2 PSK cracking


Dictionary passphrase WPA-Personal Cracki

Common Password phrase


Dictionary passphrase

PSK passphrase PBKDF2 SSID Pre-shared Key CPU


256 bit Pre-Shared
Key output ၉၆
four-way handshake
Parameters Key handshake
MIC ၇
Parameter Handshake
p - mp passphrase Pre-shared key
cracking


802.11 standard parlance Pairwise Master Key (PMK) Pre-shared


Key p - Speed
SSID passphrase SSID PMK
PMK
PMK passphrase SSID

PMK p -
WPA/ WPA2

Time for action - Speeding up the cracking process


၁ SSID Wordlist PMK p -
genpmk -f /pentest/passwords/wordlists/darkc0de.lst -d PMK-Wireless-Lab -s "Wireless Lab" Command
pre-generated PMK PMK-Wireless-Lab


၂ WPA-PSK network sky sign pass phrase (


dictionary ) network
WPA-handshake p Cowpatty
WPA passphrase

၃ pre-calculated PMK Cowpatty


Key 7.18


Dictionary file aircrack-ng ၂၂


pre-calculation


၅ PMKs - airolib-ng Tool


airolib-ng PMK-Aircrack –import cowpatty PMK-Wireless-Lab
Command PMK-Aircrack aircrack-ng
database PMK-Wireless-Lab genpmk PMK database

၆ database aircrack-ng p d cracking


Command aircrack-ng -r PMK-Aircrack WPACrackingDemo2-01.cap


၇ BackTrack Tool Pyrit Tool


multi-CPU systems
- p pcap file - p genpmk
mp PMK file pyrit
System genpmk
PMK file Key ၃

Tracing
WPA/WPA2-PSK Cracking Tool

SSID PMK p - Dictionary passphrase


list

Decrypting WEP and WPA packets


WEP WPA Key
information
Key data packet decrypt


Key p
Same Trace WEP WPA Packet yp

Time for action - Decrypting WEP and WPA packets


၁ WEPCrackingDemo-01.cap WEP Capture file Packet
yp Aircrack-ng Tool
Airdecap-ng
WEP Key airdecap-ng -w abcdefabcdefabcdefabcdef12 WEPCrackingDemo-01.cap Command

၂ decrypt WEPCrackingDemo-01-dec.cap
packet
tshark utility


၃ WPA/WPA2 PSK WEP


airdecap-ng utility
Command airdecap-ng -p abcdefgh -e "Wireless Lab" WPACrackingDemo-01.cap

Tracing
Airdecap-ng WEP - yp packet
yp Wireshark Wireshark Wireshark
Documentation Website


Connecting to WEP and WPA networks


Network Key Crack authorized Network
Network
Crack Key
Network Log In Network Administrator
Network

Time for action - Connecting to a WEP network


၁ Key iwconfig utility w
y abcdefabcdefabcdefabcdef12

Tracing
WEP network


Time for action - Connecting to a WPA network


၁ WPA iwconfig
utility WPA /WPA2 Personal Enterprise
wpa_supplicant Tool
Network wpa_supplicant
Configuration wpa-supp.conf

၂ wpa_supplicant utility -Dwext -iwlan0 -c wpa-supp.conf


p WPA network
wpa_supplicant Connection to XXXX completed Message


၃ WEP WPA Network


Network DHCP Address dhclient3 Command

Tracing
y w WPA/WPA2 Network
wpa_supplicant utility WPA
network





Summary
WLAN encryption

 WEP WEP Key WEP


data packet
 WPA/WPA2 Crack
passphrase
Dictionary Attack passphrase Crack

 rogue access points, evil twins bit flipping attacks


Attack




Chapter 5

Attacks on the WLAN


Infrastructure
Infrastructure


Introduction

“ ,w p m mp w my’ y”

Sun Tzu, Art of War

WLAN infrastructure
Authorize Network

authorize client

WLAN infrastructure System WLAN client


Wireless Service Infrastructure

 Default accounts and credentials on the access point


 Denial of service attacks
 Evil twin and access point MAC spoofing
 Rogue access points




Default accounts and credentials on the access point
WLAN Access Point Infrastructure Core Building Block
infrastructure

Access Point Password ( Password)


Password Dictionary
d

Tool

Time for action - Cracking default accounts on the access points

၁ Wireless Lab
Access Point Model D-Link DIR-615


၂ Manufacture Website Admin Default Account Credential


Username dm Password
Login Page log in
Default credential account

Router User manual Online Manual


Access Point
Configuration


Tracing
Default credential Access Point System
Default credential
y d

Self study - Cracking accounts using bruteforce attacks
Access Point Password
y Bruteforce
Crack Password
ၡ Access Point


HTTP authentication Crack Tool


Hydra Tool BackTrack

Denial of service attacks


WLAN Denial of Service (DoS)

 De-authentication attack
 Dis-association attack
 CTS-RTS attack
 Signal interference or spectrum jamming attack

Wireless LAN infrastructure De-authentication attack

Time for action - De-Authentication DoS attack

၁ Access Point Wireless Lab Open Authentication


encryption Wireshark
packet


၂ Client Access airodump-ng


Screen Connection

၃ machine (Computer) Directed De-authentication attack Command


Client Access Point


airodump-ng Screen

၅ Traffic Wireshark De-Authentication packet


၆ Wireless Network Broadcast De-authentication packet
Client

Tracing
De-Authentication frame Access Point Client

Communication

Broadcast De-Authentication packet


Client Access Point

Client Access
Point De-Authentication attack
Denial of Service attack


Wireless Network

Self study - Dis-Association attacks


BackTrack Tool Infrastructure Dis-Association Attack

Evil twin and access point MAC spoofing


WLAN infrastructure Evil Twin
WLAN network
Access Point Access Point
WLAN network SSID

Wireless authorize network


Access point
man-in-the-middle attack communication

m - - -m dd
w

Network

Evil Twin MAC Address


Access Point


evil twin
Access Point MAC Address

Time for action - Evil twin with MAC Spoofing


Evil twin

၁ Evil twin Access Point BSSID ESSID airodump-ng


Tool

၂ Wireless Client Access Point


၃ airbase-ng Command ESSID


Access Point BSSID MAC Address

Access Point airodump-ng screen


airodump-ng –channel 11 wlan0
Command Window airodump-ng
Access Point

၅ Client De-authentication frame Client


၆ Client Access Point Signal Strength


Evil twin Access Point


၇ Access Point BSSID MAC address Command

၈ airodump-ng


၉ airodump-ng Tool Access Point


Channel Physical Access Point
Evil twin

Tracing
Authorize Network Evil Twin Client
- authorize network
Evil Twin Access Point

Access Point
WEP/ WPA encryption traffic
attack attack
WEP Key yp Network
Caffe Latte Attack

Self study - Evil twin and channel hopping


Channel evil twin Client
d Access Point




Rogue access point


Rogue access Point authorize network authorize
access point access point
backdoor w
Security control Security control
firewall intrusion prevention system Network
Tool Network

Rogue Access Point Open Authentication


encryption Rogue Access Point

၁ w physical device Rogue Access


Point
Wireless Security authorize
network physical security

၂ Software Rogue Access Point local authorized


network ethernet network d
w Laptop Rogue access point



Time for action - Rogue access point

၁ airbase-ng ESSID Rogue


Command

၂ authorize network Ethernet interface


Rogue Access Point Interface Bridge
Bridge Interface Bridge Wifi-Bridge

၃ Ethernet at0 virtual interface airbase-ng


Bridge


Bridge interface

၅ packet w d kernel IP
forwarding

၆ Wireless Client Rogue Access Point


Wireless-to-wired
“ - d ” authorized network
Vista


၇ DHCP daemon IP Address


၈ Rogue Access Point Wireless client Wired Network


host d
w gateway ping

Tracing
Rogue Access Point w w
authorize network LAN traffic Bridge
Bridge Wired network

Self study - Rogue access point challenge


w WPA/ WPA2 encryption Rogue Access Point

Network




Summary
Wireless LAN infrastructure

 Compromising default accounts and credentials on access points


 Denial of service attacks
 Evil twins and MAC spoofing
 Rogue access points in the enterprise network

Wireless LAN client


Administrator Client





Chapter 6

Attacking the Client


Introduction
link

Information Security Domain

“ y w ”

Famous Quote in Information Security Domain

WLAN infrastructure Wireless


Client
Hacker Wireless Client Authorize Network

WLAN infrastructure Wireless Client


Client Client Client
Client

 Honeypot and Mis-association attacks


 Caffe Latte attack
 De-authentication and Dis-association attacks
 Hirte attack
 AP-Less WPA-Personal Cracking


Honeypot and Mis-Association attacks


Laptop Wireless Client
network Network
Windows Preferred Network
List (PNL)
Network Range Network

Hacker

၁ Network SSID
Client Access Point
Client Hacker Client

၂ ESSID fake access point (Access Point )

Coffee
Client
Access Point

Honeypot attack
Hacker Access Point Mis-Association (


Time for action - Orchestrating a Mis-Association attack

၁ Client Wireless Lab


Access Point Client
airodump-ng mon0 Command Output
Client not associate mode Wireless Lab
Profile SSID ( Vivek
)


၂ Wireshark mon0
interface
packet Wireshark filter
Client MAC Probe Request Packet

၃ filter wlan.fc.type_subtype==0x04 && wlan.sa==60:FB:42:D5:E4:01 Vivek Wireless Lab SSID client
Probe Request Packet


Hacker Command
Wireless Lab Network Access Point

၅ client Access Point


un-associated client

၆ Client
Access Point Access
Point Wireless Lab Client
Access Point Channel 3 Client
Access Point
airodump-ng


၇ Wireless Lab SSID Access Point


mm d

၈ Client Wireless Lab


၉ De-authentication message Client Access Point


Client

၁ Wireless Lab Access Point Signal Strength


Access Point Client
Access Point Access Point

၁၁ airodump-ng Access Point


Client Association


Tracing
Client Network Honeypot
Access Point ESSID
Client
Network
Access Point Access Point Client
Signal Strength Client Access Point

Self study - Forcing a client to connect to the Honeypot
Client
Access Point De-Authentication packet Access Point Client


Access Point Signal Strength
Client Access Point
p
Client yp

Caffe Latte attack


Honeypot attack Client Network SSID
Client Access Point
WEP encryption Client Windows OS
Operating System OS WEP Key
Client
Access Point Windows wireless configuration manager
Key

Caffe Latte attack WEP attack Network WEP Key


Client attack Client
WEP Network
Client WEP Key

Caffe Latte attack Client Network WEP Key



Time for action - Conducting the Caffe Latte Attack

၁ Wireless Lab Access Point WEP encryption


Key Hex ABCDEFABCDEFABCDEF12


၂ Client Access Point airodump-ng Tool

၃ Access Point Client (un-associated stage) Wireless Lab WEP Network

SSID Parameter
airbase-ng Wireless Lab Access Point


၅ Client Access Point airbase-ng


Caffe Latte attack

၆ Access Point data packet


airodump-ng


၇ cracking
aircrack-ng Command aircrack-ng filename
m airodump-ng

၈ WEP encrypted packet


aircrack-ng


Tracing
WEP Key Wireless Client Access Point
Caffe Latte attack
attack

Caffe Latte Wireless Client Access Point


ARP packet
Client ARP Request packet ARP
response packet packet Client
WEP Key yp
Packet aircrack-ng WEP Key


Self study - Practice makes you perfect!


WEP Key Caffe Latte attack

Wireshark w traffic

De-authentication and Dis-Association attacks


De-authentication attack Access Point
De-authentication attack Client

De-authentication packets Client Access Point


Client

Time for action - De-authenticating the client

၁ Wireless Lab Access Point WEP


encryption Access Point Client connection Access Point
airodump-ng


၂ Client Access Point airodump-ng

၃ Client Access Point Connection aireplay-ng

Client Access Point


Wireshark


၅ WEP encryption Client d -


d WPA/ WPA2 encryption
Access Point
WPA encryption


၆ Client


၇ aireplay-ng Access Point Client

၈ Wireshark

Tracing
Access Point Wireless client
De-authentication frame WEP/WPA/WPA2 encryption

Network Broadcast De-authentication Client


Access Point De-authentication packet

Self study - Dis-Association attack on the Client


De-Authentication attack Connection
Dis-Association packet Client Access Point
Connection

Hirte attack
Caffe Latte attack
Hirte attack Hirte attack Caffe Latte
attack fragmentation packet

Hirte attack Aircrack-ng http://www.aircrack-ng.org/doku.php?id=hirte

Client aircrack-ng

Time for action - Cracking WEP with the Hirte attack
၁ airbase-ng Tool Caffe Latte attack WEP
access point Hirte attack -l
p -N Option


၂ Honeypot Wireless Lab packet Window


airodump-ng Command

၃ Airodump-ng Network packet Hirte-01.cap

Client Honeypot Access Point Hirte attack


airbase-ng


၅ Caffe Latte attack aircrack-ng Key


Tracing
w WEP Client
Hirte attack
Key Crack

Self study - Practice, practice, practice


WEP Key Client

AP-less WPA-Personal cracking


WPA WPA2 PSK aircrack-ng
four-way handshake p d y

Access Point Client attack WPA-Personal Network Crack

WPA cracking


WPA Crack Four-way Handshake m Authenticator


Nonce, Supplicant Nonce, Authenticator MAC Supplicant MAC
information x handshake
p information p
packet 1 2 packet 2 3

WPA-PSK Crack WPA-PSK Honeypot Client Access


Point Message 1 2 Passphrase
Message 3 Send Message 1 2
Key


Time for action - AP-less WPA cracking


၁ Wireless Lab WPA-PSK Honeypot
Command -z 2 Option TKIP WPA-PSK
access Point

၂ Network packet p airodump-ng


၃ Client Honeypot Access Point


Message 2 d
Message 3 Send

airodump-ng p handshake

၅ dict y aircrack-ng airodump-ng


Capture passphrase
crack


Tracing
WPA Key Client Crack Crack
packet packet dictionary attack d-

Self study - AP-less WPA cracking


WPA Key Client




Summary
Wireless Client
attack

 Honeypot Mis-Association attack


 Wireless Client Key Caffe Latte attack
 Denial of Service attack De-Authentication Dis-Association attack

 Access Point Client WEP Key


Hirte attack
 Client WPA-personal passphrase
-

Client infrastructure





Chapter 7

Advanced WLAN Attacks


Introduction

( )

“ wy my, y m m y my”

Sun Tzu, Art of War

Hacker
Hacker Wireless Access

Man-in-the-middle (MITM)
MITM attack Eavesdropping
Session Hijacking

 Man-in-the-Middle attack
 Wireless Eavesdropping using MITM
 Session Hijacking using MITM


Man-in-the-Middle attack
MITM attack WLAN system attack
Configuration

Wired LAN Internet Client Card Access point


Access Point Local hotspot SSID

Access Point

Signal Strength

Wired Wireless Interface


Bridge user traffic

att

Time for action - Man-in-the-Middle attack

၁ Man-in-the-Middle attack p mitm Access


Point Hacker p p airbase-ng
Command airbase-ng --essid mitm -c 11 mon0


၂ airbase-ng at0 (tap interface)


Software mitm
Access Point Wired-side interface

၃ Wired (eth0) Wireless interface (at0) Bridge


(Laptop) Command
brctl addbr mitm-bridge, brctl addif mitm-bridge eth0, brctl addif mitm-bridge at0, ifconfig eth0 0.0.0.0 up, ifconfig at0 0.0.0.0 up


Bridge IP Address gateway


DHCP
Bridge interface IP Address ifconfig mitm-bridge 192.168.0.199 up Command gateway
dd 192.168.0.1 ping Network


၅ Kernel IP Forwarding echo 1 > /proc/sys/net/ipv4/ip_forward Command packet w d

၆ Wireless Client mitm p


DHCP (Wired Network w y
Server) IP Address
Client Machine 192.168.0.197 IP Address
Wired Side Gateway dd 192.168.0.1 ping

၇ Host ping request p


၈ Client Access Point


airbase-ng Terminal

၉ Wireless interface wired side traffic y


full control Wireshark at0
interface packet sniff


၁ Client Machine Gateway 192.168.0.1 p


Wireshark (ICMP display filter packets
Man-in-the-Middle
attack


Tracing
Wireless Man-in-the-Middle attack p
p Access Point d
Access Point Wireless Client
Wired LAN Internet

Self study - Man-in-the-Middle over pure wireless


Man-in-the-Middle attack Wireless interface Wired interface
d MITM attack Connection
Network Interface
Wireless interface Access Point
Authorize Network
interface d Wireless Client Access
Point authorize
network

Attack Laptop Wireless Card

Laptop Built-in
Wireless Card External Wireless Card




Wireless Eavesdropping using MITM


attack MITM setup
Setup Wireless Eavesdropping

traffic

Wireless traffic

Time for action - Wireless eavesdropping


Wire d pp

၁ man-in-the-middle attack Setup


Wireshark
mitm-bridge
Interface d


၂ at0 interface packet sniff Wireless


Client traffic m


၃ Wireless Client Web Page


Wireless Access Point http://192.168.0.1

Password Management interface

၅ Wireshark


၆ Web traffic http filter

၇ Wireless Access Point w d HTTP post request


၈ packet

၉ HTTP header Plaintext Send Password


Hash
packet 64 request /md5.js
/md5.js
password md md5 hash

Password Wireless Security Scope

Hash w d
Hacker
Hacker

၁ man-in-the-middle Client
traffic

Tracing
MITM attack
(eavesdrop)
MITM
traffic
encrypt traffic
d pp

Self study - Finding Google searches


Google private
traffic default plain text


Google Search Wireshark


intelligent display filter

Session Hijacking over wireless


MITM attack attack
pp MITM attack
Network Packet
packet destination Response
destination

packet data yp
packet data
packet

MITM setup Wireless


DNS Hijacking Google.com
Browser session

Time for action - Session hijacking over wireless


၁ Man-in-the-Middle attack p
Browser
Google.com Google Home Page
Wireshark Google traffic m


၂ Google.com DNS request


DNS Wireshark filter

၃ Browser session Google.com IP address


DNS response hacker machine dd 192.168.0.199
Tool Dnsspoof
syntax dnsspoof -i mitm-bridge


Browser Window victim host (google


.com ) DNS request Wireshark Dnsspoof py


၅ victim Connection
refused Error Message
dd 192.168.0.199 Google IP Address
p service

၆ apache2ctl start Command


Apache Server

၇ Browser Apache Default page It


works!


၈ victim
hijack session data p spoofed response

Tracing
Wireless MITM application hijacking attack
MITM setup
victim packet
victim DNS request packet
laptop Dnsspoof program DNS response
victim google.com IP Address
IP Address
victim laptop response Browser
IP address HTTP request

port 80 listening process


Firefox Browser Error Message
Apache Server p port 80
request Browser response
Apache d p It works!

Lower layer ( layer 2) full control


DNS client Web Browser higher layer
application


Self study - Application hijacking challenge


Wireless MITM Session hijacking Client
data BackTrack
Ettercap Software
network traffic filter

Network traffic security


insecurity Google Security
result insecurity

Finding security configurations on the client


Open access points, WEP protected WPA honeypot
Client
Probe Request probe SSID encryption (Open, WEP, WPA)

Access
Point SSID Access Point Security configuration
Client Network
network configuration
Access Point
Access Point Network configuration Configuration
Client
Network configuration


Time for action - Enumerating wireless security profiles

1. Wireless client Wireless Lab
Wireless Client Access Point
Network Probe Request Send
Network Security configuration
Access Point Client profile Open
Network, WEP Protected, WPA-PSK -
profile
virtual interface mon0 mon3
airmon-ng start wlan0 Command


2. interface ifconfig -a
Command

3. Open Access Point mon0

4. WEP-Protected Access Point mon1


5. WPA-PSK Access Point mon2

6. WPA2-PSK Access Point mon3


airodump-ng


8. Client Wifi Wireless Lab Network

WPA-PSK
Client Wireless Configuration

Tracing
SSID multiple Honeypot Security configuration
Client Wireless Lab Network
configuration Client configuration Access Point

Client Security configuration


Security configuration
Client


configuration configuration Access Point


WiFishing

Self study - Baiting clients


Client Access Point SSID security configuration
Access Point Client Configuration

Network Probe Wifi Client


Client

Summary
Wireless
Setup
victim traffic (eavesdrop)
MITM setup victim Web traffic DNS
spoofing attack application layer

Wireless WLAN




Chapter 8

Attacking WPA-Enterprise
And RADIUS
WPA-Enterprise RADIUS


Introduction

“ y , d y ”

Popular Saying

WPA-Enterprise
Network administrator WPA-Enterprise

WPA-Enterprise

BackTrack Tool WPA-Enterprise

 Setting up FreeRadius-WPE
 Attacking PEAP on Windows clients
 Attacking EAP-TTLS
 Security best practice for Enterprises

Setting up FreeRadius-WPE
WPA-Enterprise attack Radius Server
Open Source Radius server


Server

Joshua Wright Security Researcher FreeRadius
attack patch
patch FreeRadius-WPE (Wireless Pwnage Edition)
BackTrack
Installation

BackTrack Radius Server

Time for action - Setting up the AP with FreeRadius-WPE
FreeRadius

1. BackTrack LAN Port (ethernet Port) Access Point
Ethernet Port port eth1
DHCP
interface IP Address


2. Access Point Log in Security Mode WPA-Enterprise
EAP (802.1x) Section RADIUS server IP Address
192.168.0.198 (step 1) Wired
Interface IP Address RADIUS server shared secret
Test


3. BackTrack /usr/local/etc/raddb
Directory Directory FreeRadius-WPE
configuration


eap.conf default_eap_type peap

5. clients.conf RADIUS server
Client
Secret test IP Address Range
192.168.0.0/16 (step 2)


6. setting Radius Server radiusd -s -X Command

7. Server Debug Message
Request


Tracing
FreeRadius-WPE

Self study - Playing with RADIUS


FreeRadius-WPE Option Option
configuration

FreeRadius


Attacking PEAP
Protected Extensible Authentication Protocol (PEAP) EAP Version
Windows EAP mechanism

PEAP Version

1. PEAPv0 with EAP-MSCHAPv2 (most popular as this has native support on Windows)

2. PEAPv1 with EAP-GTC

PEAP Radius Server Validation Server-side certificate

PEAP Certificate Validation mis-configuration

Client certificate validation PEAP


Crack


Time for action -Cracking PEAP

1. eap.conf PEAP

2. radiusd -s -X Command Radius Server


3. FreeRadius-WPE log file

Windows PEAP Certificate Verification


5. PEAP authentication Windows Wireless Lab


6. Client Access Point Username Password
SecurityTube
abcdefghi

7. log file MSCHAP-v2 challenge response

8. abcdefghi Password Password list file Asleap
Tool Password

Tracing
FreeRadius-WPE Honeypot p
Enterprise Client PEAP Certificate Validation mis-
Client Certificate
Client Client Certificate data
username/challenge/response tuple


MSCHAP-v2 dictionary attack


challenge/response pair Asleap

Self study - Variations of attack on PEAP


PEAP mis-configuration Certificate validation
administrator authentic server Connect to these servers
list Certificate
Certificate Client

Attacking EAP-TTLS
EAP-Tunneled Transport Layer Security (EAP-TTLS) server certificate
Client certificate
EAP-TTLS Windows
third party utility

EAP-TTLS inner authentication protocol option
protocol option MSCHAP-v2

Windows EAP-TTLS Mac OS X


Time for action - Cracking EAP-TTLS

1. EAP-TTLS eap.conf default enable
Radius server log file

2. credential username SecurityTube
Password demo12345

3. log MSCHAP-v2 challenge/response


password Asleap
password list User
Password password Crack
default list Password

Tracing
EAP-TTLS Crack PEAP Client
Certificate MSCHAP-v2 challenge /
response MSCHAP-v2 dictionary attack
dictionary challenge / response Crack
Asleap


Self study - EAP-TTLS


EAP-TTLS PEAP

Security best practices for Enterprises


Personal Enterprise WPA /WPA2

1. SOHO WPA2-PSK strong passphrase (passphrase up to 63 characters)

2. Enterprise WPA2-Enterprise EAP-TLS Client
Server side authentication Certificate

3. PEAP EAP-TTLS WPA2 Enterprise Certificate
validation Certifying authority


Summary
1. PEAP EAP-TTLS WPA Enterprise Network
Security


Chapter 9

WLAN Penetration
Testing Methodology


Introduction

“ dd .”

Popular Saying

Client Network

Wireless penetration testing

Wireless Network

1. Planning phase

2. Discovery phase


3. Attack phase

4. Reporting phase

Planning
phase

1. Scope of the assessment: Client
(scope of the assessment)

 Access Point Wireless client
 Assessment Wireless Network
 Network

2. Effort estimation: Scope
Network activity Effort

3. Legality:


Discovery
phase airspace scan
Access Point Client

Time for action - Discovering wireless devices

Wireless device

1. Wifi Card monitor mode interface


2. Airspace Scan airodump-ng 802.11 b g band

3. Client Access Point Wifi Card


Network Network administrator Access Point Wireless Client


MAC Address MAC Address phase


Tracing

Wireless Network
Wireless Network Network
Network
attack

Attack
Authorize network airspace

Attacking phase

 Rogue Access Point
 Client mis-association
 Unauthorized Client
 Encryption
 Infrastructure
 Client Compromise

Finding rogue access points

Administrator authorized client Access Point MAC address

Authorize Access Point:

 ESSID: Wireless Lab


 MAC Address: 00:21:91:D2:8E:25


 Configuration: WPA-PSK

Authorized Clients

 MAC Address: 60:FB:42:D5:E4:01

System Rogue Access Point List

Time for action - Finding rogue access points

1. Client Switch MAC Address dump
Wire Wireless interface MAC Address
(step 1) Address Switch
00:21:91:D2:8E:26 00:24:B2:24:7E:BF

2. Access Point


3. ESSID New NETGEAR Access point
00:24:B2:24:7E:BE
00:24:B2:24:7E:BF Rogue device

Command physical port


corporate network

Tracing
MAC address matching Rogue
Access Point
Rogue Access
Point Craft packet
Wireless intrusion prevention system


Finding authorized clients


authorized Client Corporate network
Network
unauthorized client

Time for action - Unauthorized Clients


Unauthorized Client

1. airodump-ng output Client part

2. corporate network Client
Client MAC Address


3. Network unauthorized client

Tracing
Authorized access Point Unauthorized Client
airodump-ng authorized user foreign client
unauthorized user network

Cracking the encryption


Authorized Network WPA network Key
Network encryption -
passphrase Simple dictionary attack

Time for action - Cracking WPA

1. BSSID-based filter Wireless Lab Access Point
airodump-ng Command

2. airodump-ng packet WPA handshake


3. Client de-authentication attack

WPA handshake Capture


5. dictionary attack aircrack-ng
Command

6. passphrase dictionary attack


Tracing
Passphrase WPA-PSK
Network administrator passphrase

dictionary attack

Compromising clients
Client Access Point
Client

Time for action – compromising the clients


Client

1. Client Section airodump-ng

2. authorized client Wireless Lab Vivek
network Vivek Access Point
airbase-ng


3. de-authentication message Wireless Lab
Client disconnect

Client Access Point


Vivek


Tracing
Client Network honeypot Access
Point authorized access point
Client
Access Point Vivek Access Point
Vivek
Client

Reporting

Enterprise Network
Report

1. Vulnerability description

2. Severity

3. Affected devices


4. Vulnerability type - software / hardware / configuration

5. Workarounds

6. Remediation

Structure patch
information
administrator
Network

Summary
BackTrack Wireless
Network
Network
phase




Conclusion


Introduction
“I do not know what I may appear to the world; but to myself I seem to have been only like
a boy playing on the seashore, and diverting myself in now and then finding a smoother
pebble or a prettier shell than ordinary, whilst the great ocean of truth lay all undiscovered
before me.”

Sir Isaac Newton

Wifi Security

Wrapping up
1. Wireless Lab
PEAP WPA-Enterprise

Wifi Security
Field Tool

Tool attack internet


Tool attack

Wireless Lab
Source Security

Building an advanced Wi-Fi Lab


Lab
Wifi
Lab Wifi Security

Wifi Security

Directional Antennas
Directional Antenna Wifi signal Wifi Network

Directional Antenna
Antenna


Wi-Fi Access Points


802.11 a/b/g/n Protocol Wifi Access point
Wifi Access Point experiment

Wifi Access Point

patch Access Point


Access Point
Manual


Wi-Fi Cards
Wifi Alfa card
Wifi Card Laptop Built-In
Wifi Card Card Wireless
Driver
BackTrack Wifi Card Driver
Laptop Built-In
Wifi Adapter Wifi Card

Smartphones and Other Wi-Fi enabled devices


Laptop Wifi Mobile
device Wifi Smartphone tablet
Built-In Wifi
Mobile Device Wifi

Wifi

Staying up-to-date
Security Wifi
Security

Mailing lists
http://www.securityfocus.com/ discussion
Mailing list
[email protected] update


Websites
Aircrack-NG site suite Tool up-to-date Thomas d'Otreppe (Mister_X)
Tool

http://www.aircrack-ng.org

Website Raul Siles Tool


Paper
Research article Conference Material
Wireless Security

http://www.raulsiles.com/resources/wifi.html

Joshua Wright Blog


WPA-Enterprise attack Tool
Website

http://www.willhackforsushi.com

Conferences:
Defcon Blackhat Hacker and Security conference
Workshop
Security
Video
Course material Conference

 Defcon: http://www.defcon.org


 Blackhat: http://www.blackhat.com

BackTrack-Related
Backtrack Platform
BackTrack Version
Website Version Update
Website

 BackTrack website: http://www.backtrack-linux.org


 Offensive security: http://www.offensive-security.com

Conclusion

BackTrack Wifi

Wifi Security
Security

၂ y

(RAY – Electronic)

Telecom Technology
