Section 4 Cracking Encryption and Authentication
- Rosamund Brooks
- 6 years ago
In the previous section we showed the vulnerabilities of open wireless LANs. In this section we'll show some of the techniques and tools used to break wireless encryption. Once you have cracked the encryption, you can use all the tools from the previous section to see what everyone is doing. Some of these techniques are vendor- or protocol-specific. We'll use both Windows and Linux tools to crack encryption and authentication!

1/12/
LAB 4.1: LEAP Cracking - Asleap/Pre-Hashed Dictionary File

The purpose of this lab is to learn how to break the encryption and authentication methods used in securing wireless networks.

WEP encryption, used for confidentiality and integrity on a wireless LAN, utilizes a weak implementation of RC4 encryption. The RC4 key initialization vectors (IVs) generated by a WEP network connection are weak and therefore able to be cracked. In order to successfully crack WEP, 800,000 to 1,000,000 WEP-encrypted frames must be captured. In this lab you will capture and crack a WEP key.

WPA-PSK uses a passphrase for authenticating wireless clients to the network. The WPA passphrase is an 8-63 character ASCII text string that is used to authenticate wireless users. The WPA passphrase is susceptible to a dictionary attack, and this lab will show you how to capture and crack a WPA key.

LEAP authentication is a Cisco proprietary mechanism that allows users to connect to a wireless network using a username and a password. The username is sent in cleartext and the password is hashed to protect it in transit on the wireless network. The hashing of the password can be broken with a tool called Asleap.

Product Information
Source: Omnipeek Personal Free Asleap
Where, When, Why: You have already learned how to capture passwords, web traffic and content, and how to sniff open wireless networks. But most enterprise-class wireless LANs implement some form of encryption and authentication. Some of those security mechanisms are weak and therefore susceptible to attack. A wireless pen tester must know how to identify those threats and know the susceptibility of the network to attack. It is also necessary to be able to perform the cracks to illustrate to a customer the weaknesses of the wireless network security.
Requirements / Dependencies: Omnipeek Personal, Wireshark, Airpcap USB adapter, Aircrack, Tamosoft Commview, Aireplay, Nokia N800 wireless client, CoWPAtty, Asleap, Large Dictionary file

Running an ASLEAP Crack against a LEAP Authentication

Step 1. Prepare to capture the LEAP authentication with Omnipeek.
Step 2. The instructor will tell you when to start the capture and on what channel.
Step 3. Start your capture to catch the LEAP conversation.
Step 4. Save the capture file as a TCP Dump file.
Step 5. Open a command prompt.
Step 6. Change to the Asleap directory.
Step 7. Run Asleap against the capture file using the pre-hashed dictionary.
Lab 4.2: WEP Cracking and Acceleration

Aircrack-ng is used to statistically attack traffic gathered from WEP-encrypted wireless routers in order to crack the WEP key used. It can also be used to brute-force WPA keys. Once these keys are cracked, one can associate with the access point as a legitimate user.

Product Information
Source: Free / Open Source (GPL, MPL)
Where, When, Why: Attack. This tool is designed to recover/crack WEP keys and/or WPA keys.
Usage and Features: Recover/crack WEP or WPA keys
Requirements / Dependencies: Linux or Windows operating system; captured traffic of target access point; time

Lab Part 1 - Using Airodump-ng, Aircrack-ng and Aireplay-ng to quickly crack a WEP key

What you will do in this lab:
Use Airodump-ng to find a target
Capture encrypted traffic
Use aireplay-ng to accelerate IV collection time
Recover the WEP key using a statistical attack using aircrack-ng

Step 1. Configure your access point for a 64-bit WEP key of 009E4DD7E8 and have your N800 act as a client and connect to your access point. In this tutorial the access point SSID is LinksysL, but yours will be as assigned earlier. Start hitcast on your N800s to generate traffic.

Step 2. Launch Airodump-ng to view your access point and N800 as potential targets.

./ath_monitor    (to set your card in monitor mode)
airodump-ng ath0

We see plenty of potential targets that are encrypted, a few of which have authenticated wireless clients with traffic.

Step 3. Step 4. Once you have located the N800's traffic on your network, switch channels to monitor only that channel. My 'linksysl' access point is on channel 6, as yours should be by default.

airodump-ng -w /tmp/linksysl_traffic --channel 6 ath0

Now we can see that we are only on channel 6 and that we have one wireless station (00:13:46:9F:AC:36) connected to the access point linksysl. Since we are dumping into a capture file, everything that our card can see will be logged. The Data packets are what interest us when cracking WEP keys; the more you collect, the less time it takes to statistically attack and recover the key. With only 1 client authenticated and little traffic, it will take a long time to collect these packets (we will see how a replay attack can dramatically decrease this time).

Step 5. Now you wait! As each unique initialization vector (IV) is collected (indicated by the increase in #Data packets) you get closer to having enough IVs to send to aircrack-ng to be attacked. But you have probably noticed that it can take a very long time to collect enough IVs to crack the key, right? For a 64-bit key you want anywhere from 300,000 to 700,000 unique IVs, and for 128-bit and higher you want 1 million or higher. So we need to find a way to generate a lot more traffic so that we can collect IVs faster; we can do so with aireplay-ng. From a command prompt type:

aireplay-ng -3 -b 00:18:39:C8:F3:0F -h 00:13:46:9F:AC:36 ath0

where -b is YOUR ACCESS POINT MAC and -h is YOUR N800's MAC.

This tells aireplay that you want to launch a type 3 attack, which is an ARP replay attack in which an ARP packet is picked out of the air and 'replayed', or constantly thrown back at the router, causing the router to respond with traffic in the form of an ARP reply.

312,631 unique IVs should be enough for us to start an attack against a 64-bit key, so let's start. (You have no idea how strong the key will be, so a good rule is to always start with the least and move up. We can specify the guessed key strength with the -n switch.)

Step 6.

aircrack-ng /tmp/linksysl_traffic*.cap -n 64

This will give you a list of all the networks where data has been collected. Since we didn't supply the --ivs switch, airodump-ng collected all traffic instead of just the IVs. We see that we have 357,169 IVs for the linksysl network. Just type 5 to select that network and the script will do the rest.

Since we had enough IVs, it only took 18 seconds to recover the 64-bit key used: 00:9E:4D:D7:E8

Step 7. Now you can connect to the target access point as a legitimate user.

What you learned in this Lab:
In this Lab you learned to use Product to:
Pick a WEP-enabled wireless access point as a target
Collect unique IVs
Statistically attack the IVs in order to recover the WEP key
Lab 4.3: WPA Cracking

Aircrack-ng can also be used to brute-force WPA Pre-Shared Keys (PSK). Once these keys are cracked, one can associate with the access point as a legitimate user.

Product Information
Source: Free / Open Source (GPL, MPL)
Where, When, Why: Attack. This tool is designed to recover/crack WEP keys and/or WPA keys.
Usage and Features: Recover/crack WEP or WPA keys
Requirements / Dependencies: Linux or Windows operating system; captured traffic of target access point; time

What you will do in this lab:
Use Airodump-ng to find a target
Capture encrypted traffic
Use aireplay-ng to deauth a client
Recover the WPA key using aircrack-ng

Lab Part 1 - Using Airodump-ng, Aireplay-ng, and Aircrack-ng to crack a WPA key

Step 0 - Configure your access point with a WPA-PSK key of applesauce and have your N800 act as a client and connect to your access point. In this tutorial the access point SSID is LinksysL, but yours will be as assigned earlier. Start hitcast on your N800s to generate traffic.

Step 8. Step 9. Launch Airodump-ng to find your access point and N800 as potential targets (making sure we log to a capture file so that we can capture the 4-Way handshake).

airodump-ng -w /tmp/wpa_linksysl --channel 6 ath0

Step 10. Step 11. Our linksysl network has now switched to WPA with the TKIP cipher, so our previous WEP-type attack, where we collect unique IVs, is no longer useful to us. In order to crack a WPA key, we need to see the EAPOL 4-Way handshake that takes place at the very beginning of the association with the access point; obviously we have missed that, as a client is already associated with the access point. We have 2 options:

1. Wait for someone else (or the same client) to associate and authenticate with the access point.
2. Force the already-associated client to disconnect and re-connect using a forged deauth packet.

For the sake of time we will use the 2nd option, forging a deauthenticate packet using the aireplay-ng tool.

aireplay-ng a 00:18:39:C8:F3:0F -c 00:13:46:9F:AC:36 ath0

where a is your ACCESS POINT MAC and c is YOUR N800 MAC.

This will launch a deauth attack against the wireless client, forcing it to reauthenticate and therefore allowing us to sniff for the 4-Way handshake.

Step 12. Step 13. Use aircrack-ng to verify that we have actually collected the 4-Way handshake.

aircrack-ng -w /root/wordlist.txt /tmp/*.cap

(This time we give it a large dictionary file to brute-force with.)

Step 14. Step 15. Seeing that we have collected the handshake, we choose the target network (3) and let the cracking phase take place. Now you wait! The time it takes will depend on the key length and complexity, the speed of your computer(s), and the size of your dictionary file.
Lab 4.4: Aircrack-ng

Aircrack-ng is used to statistically attack traffic gathered from WEP-encrypted wireless routers in order to crack the WEP key used. It can also be used to brute-force WPA keys. Once these keys are cracked, one can associate with the access point as a legitimate user.

Product Information
Source: Free / Open Source (GPL, MPL)
Where, When, Why: Attack. This tool is designed to recover/crack WEP keys and/or WPA keys.
Usage and Features: Recover/crack WEP or WPA keys
Requirements / Dependencies: Linux or Windows operating system; captured traffic of target access point; time

What you will do in this lab:
Use Airodump-ng to find a target
Capture encrypted traffic
Recover the WEP key

Lab Part 1 - Using Aircrack-ng to crack a WEP key

Step 1. Step 2. Launch Airodump-ng to view potential targets. (It is not necessary to log to a file or choose a channel at this point because we don't know anything about our target yet.)

airodump-ng ath0

(Run the ath_monitor script first if you need to set your card in monitor mode.)

We see plenty of potential targets that are encrypted, a few of which have authenticated wireless clients with traffic.

Step 3. Step 4. Pick your target and switch channels to monitor only that channel. For this tutorial I will use the 'linksysl' access point, which is encrypted with WEP and on channel 6.

airodump-ng -w /tmp/linksysl_traffic --channel 6 ath0

Now we can see that we are only on channel 6 and that we have one wireless station (00:13:46:9F:AC:36) connected to the access point linksysl. Since we are dumping into a capture file, everything that our card can see will be logged. The Data packets are what interest us when cracking WEP keys; the more you collect, the less time it takes to statistically attack and recover the key. With only 1 client authenticated and little traffic, it will take a long time to collect these packets (we will see how a replay attack can dramatically decrease this time).

Step 5. Step 6. Now you wait! As each unique initialization vector (IV) is collected (indicated by the increase in #Data packets) you get closer to having enough IVs to send to aircrack-ng to be attacked. Once you have enough, you can point aircrack at the capture file for cracking. For a 64-bit key you want anywhere from 300,000 to 700,000 unique IVs, and for 128-bit and higher you want 1 million or higher.

312,631 unique IVs should be enough for us to start an attack against a 64-bit key, so let's start. (You have no idea how strong the key will be, so a good rule is to always start with the least and move up. We can specify the guessed key strength with the -n switch.)

Step 7.

aircrack-ng /tmp/linksysl_traffic*.cap -n 64

This will give you a list of all the networks where data has been collected. Since we didn't supply the --ivs switch, airodump-ng collected all traffic instead of just the IVs. We see that we have 357,169 IVs for the linksysl network. Just type 5 to select that network and the script will do the rest.

Since we had enough IVs, it only took 18 seconds to recover the 64-bit key used: 00:9E:4D:D7:E8

Step 1. Now you can connect to the target access point as a legitimate user.

What you learned in this Lab:
In this Lab you learned to use Product to:
Pick a WEP-enabled wireless access point as a target
Collect unique IVs
Statistically attack the IVs in order to recover the WEP key

Lab Part 2 - Using Aircrack-ng to crack a WPA key

What you will do in this lab:
Use airodump-ng to find a target
Capture encrypted traffic
Recover the WPA key

Step 1. Step 2. Launch Airodump-ng to find potential targets (making sure we log to a capture file so that we can capture the 4-Way handshake).

airodump-ng -w /tmp/wpa_linksysl --channel 6 ath0

Step 3. Our linksysl network has now switched to WPA with the TKIP cipher, so our previous WEP-type attack, where we collect unique IVs, is no longer useful to us. In order to crack a WPA key, we need to see the EAPOL 4-Way handshake that takes place at the very beginning of the association with the access point; obviously we have missed that, as a client is already associated with the access point. We have 2 options:

1. Wait for someone else (or the same client) to associate and authenticate with the access point.
2. Force the already-associated client to disconnect and re-connect using a forged deauth packet.

Step 4. For the sake of time we will use the 2nd option, forging a deauthenticate packet using the aireplay-ng tool that is a part of the aircrack-ng suite.

aireplay-ng a 00:18:39:C8:F3:0F -c 00:13:46:9F:AC:36 ath0

This will launch a deauth attack against the wireless client, forcing it to reauthenticate and therefore allowing us to sniff for the 4-Way handshake.

Step 5. Step 6. Use aircrack-ng to verify that we have actually collected the 4-Way handshake.

aircrack-ng -w /tmp/wordlists/large_dictionary_file.txt /tmp/wpa_linksysl*.cap

(This time we give it a large dictionary file to brute-force with.)

Step 7. Step 8. Seeing that we have collected the handshake, we choose the target network (3) and let the cracking phase take place. Now you wait! The time it takes will depend on the key length and complexity, the speed of your computer(s), and the size of your dictionary file. The supplied dictionary file is very large.

Step 9. We have the WPA key! 'security' was the word used as the key. Now we can authenticate with the access point as a regular user.
Lab 4.5: Aireplay-ng

Aireplay-ng is a utility used to dramatically decrease the time it takes to collect enough data to crack a WEP key, or to forge deauthentication frames to cause a DoS attack.

Product Information
Source: GPL
Where, When, Why: Attack. It can take a lot of valuable time to collect enough data on a WEP-enabled wireless network in order to crack a WEP key; time that Joe IT might not have in order to conduct his penetration test. Aireplay-ng will allow Joe to dramatically reduce the time it takes to break into a WEP-enabled access point so that he can spend more time focusing on other weaknesses of the client network.
Usage and Features: Different attack modes; can use live captured packets, forged packets, or archived packets
Requirements / Dependencies: Linux operating system; patched drivers for supported wireless card; supported wireless card

What you will do in this lab:
Find a WEP-enabled access point
Launch a replay attack

Lab Part 1 - Using Aireplay-ng to speed up IV collection time

Step 1. Become root by typing su at a command prompt and typing in the root password.

Step 2. Launch airodump-ng in order to view target access points.

Step 3. Step 4. Step 5. Step 6. Find the target access point and switch airodump-ng to monitor only that channel. We will use linksysl on channel 6.

airodump-ng -w /tmp/linksysl_capture --channel 6 ath0

There is not a lot of traffic now, so we would be here for a long time collecting enough IVs to launch an attack against the WEP key. Launching a replay attack will help fix that.

aireplay-ng -3 -b 00:18:39:C8:F3:0F -h 00:13:46:9F:AC:36 ath0

This tells aireplay that you want to launch a type 3 attack, which is an ARP replay attack in which an ARP packet is picked out of the air and 'replayed', or constantly thrown back at the router, causing the router to respond with traffic in the form of an ARP reply. The -b switch is the MAC address of the router, -h is the MAC address of an authenticated client, and then we supply the interface from which the replay attack will be launched.

Step 7. At this rate the amount of time it will take is dramatically less, and we can soon send our packets off to aircrack-ng to be cracked. Overall it took us about 10 minutes to collect the amount of traffic ( packets as seen in the picture above) that otherwise would have us sitting around for weeks.

NOTE: See the attached video created by muts of Backtracks entitled Clientless WEP Cracking for a demonstration of how to crack a WEP key of an access point with no connected clients, as well as Cracking WEP in 10 minutes to see aireplay in action.

What you learned in this Lab:
In this Lab you learned to use Product to:
1. Speed up an attack against a WEP-enabled access point

Lab Part 2 - Using Aireplay-ng to deauthenticate a client

What you will do in this lab:
Locate a wireless client and forge a deauthenticate packet to force a disconnection/reconnection

Step 1. Become root by typing su at a command prompt and typing in the root password.

Step 2. Launch airodump-ng in order to view possible targets by typing:

airodump-ng ath0

Step 3. Choose the client that you would like to deauthenticate and forge a deauth packet using the aireplay-ng -0 attack. -b supplies the BSSID of the access point, and it is always more effective if you supply the -c station switch; otherwise it will send to broadcast, and that is not very reliable.

Step 4.

aireplay b 00:18:39:C8:F3:0F -c 00:13:46:9F:AC:36 ath0

If successful, this attack will force the station 00:13:46:9F:AC:36 to disconnect. This is useful in a denial of service attack, for sniffing for the EAPOL 4-Way handshake, or for capturing other credentials that might be passed at the beginning of a session.
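Both techniques in this lab leave a trace that a monitoring sensor can look for: an ARP replay re-sends one captured encrypted frame, so the same transmitter repeats the same WEP IV, and forged deauthentication shows up as repeated deauth frames for one station. The detector below is an added example, not part of the original lab manual; the Frame record, the thresholds and the sample traffic are constructed assumptions, and the two MAC addresses are the ones used in the lab text.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Optional

AP = "00:18:39:C8:F3:0F"        # access point MAC used in the lab text
CLIENT = "00:13:46:9F:AC:36"    # associated station MAC used in the lab text


@dataclass(frozen=True)
class Frame:
    """Hypothetical per-frame record, as a wireless sensor might export it."""
    ts: float                  # capture time in seconds
    kind: str                  # "deauth" or "wep_data"
    src: str
    dst: str
    bssid: str
    iv: Optional[str] = None   # 24-bit WEP IV as hex; set for wep_data only


def detect_deauth_bursts(frames, window=10.0, threshold=5):
    """Return (bssid, station) pairs with >= threshold deauths inside `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.kind != "deauth":
            continue
        # The station is whichever end of the frame is not the access point.
        station = f.dst if f.src == f.bssid else f.src
        times = recent[(f.bssid, station)]
        times.append(f.ts)
        # Drop timestamps that have fallen out of the sliding window.
        while f.ts - times[0] > window:
            times.popleft()
        if len(times) >= threshold:
            flagged.add((f.bssid, station))
    return sorted(flagged)


def detect_iv_replay(frames, threshold=20):
    """Return (bssid, src, iv) triples where one transmitter reused one IV >= threshold times."""
    counts = Counter(
        (f.bssid, f.src, f.iv) for f in frames if f.kind == "wep_data" and f.iv
    )
    return sorted(key for key, n in counts.items() if n >= threshold)


def sample_frames():
    """Constructed traffic: normal data, one ordinary deauth, a deauth burst, an IV replay."""
    # Normal client traffic: every frame carries a fresh IV.
    frames = [Frame(float(i), "wep_data", CLIENT, AP, AP, format(i, "06x")) for i in range(30)]
    # A single deauth from another (constructed) station leaving the network.
    frames.append(Frame(5.0, "deauth", "02:00:00:00:00:bb", AP, AP))
    # Eight deauths for the same station in under a second.
    frames += [Frame(40.0 + 0.1 * i, "deauth", AP, CLIENT, AP) for i in range(8)]
    # The same encrypted frame re-sent 50 times: identical transmitter and IV.
    frames += [Frame(50.0 + 0.01 * i, "wep_data", CLIENT, AP, AP, "a1b2c3") for i in range(50)]
    return frames


if __name__ == "__main__":
    data = sample_frames()
    print("deauth bursts:", detect_deauth_bursts(data))
    print("replayed IVs: ", detect_iv_replay(data))
```

The thresholds are starting points only and need tuning against the normal deauth and retransmission rates of the monitored network.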
Lab 4.6: Airodump-ng

Airodump is a wireless discovery utility that displays all access points within range of your wireless card along with signal strength, encryption status and wireless clients in the area, and logs all information gathered to a packet capture file for analysis.

Product Information
Source: Free / Open Source (GPL, MPL)
Where, When, Why: Network Analysis. Joe IT would use this tool when he needs an idea of what access points are in the area and who is connecting to these access points, how much traffic is moving on the network, what access points clients are probing for, and what type of encryption is used on the networks. He can also very easily use this tool to log captured network traffic to a file.
Usage and Features: Displays access points / wireless networks in range; displays encryption types used by the wireless networks; shows wireless clients that are probing for or associated with which AP; logs captured traffic to a capture file
Requirements / Dependencies: Linux or Windows operating system; wireless card with supported chipset (the ubiquity card has the supported Atheros-based chipset)
Where to Go for More Information

What you will do in this lab:
View wireless traffic in range
Log traffic to a capture file

Step 5. Put the card into monitor mode by running the script ath_monitor at the command prompt.

Step 6. Launch airodump-ng with the appropriate parameters.

Step 7. Step 8. Notice that we need to run this as root, so type su followed by the root password. The parameters that need to be supplied can be seen in the picture above. A simple way to launch the application with logging to a file and hopping across all channels is:

airodump-ng -w /tmp/capture_file ath0

Once that command is executed, the screen will display all information that can be gathered in the area.

From the screenshot we can see in the top left-hand corner the BSSID, which is the MAC address of each access point that is in range. We then see the power or signal strength (usually a good indicator of how close it is), followed by the beacons that are being sent from the access point, the data that is airborne, channel, encryption type, and ESSID (SSID). If the ESSID is not broadcast, you will see a placeholder <length: <int>>. On the bottom we see wireless stations (wireless clients that are either associated to a certain access point or just in the area and probing).

Step 9. Step 10. Since we didn't specify a channel as a parameter, we are hopping across all channels. (Notice the CH variable in the top left changing?) You can specify a certain channel by stopping the script with CTRL C and adding the --channel parameter:

airodump-ng -w /tmp/capture_file --channel n ath0

Then you will only listen on channel n. To view the traffic that we have captured, open the capture file in your favorite protocol analyzer. For this purpose we will use Wireshark. At the command prompt type:

wireshark /tmp/capture_file

and look for interesting traffic. (More details about this will be given in another lesson, but as a quick example we can see that in our capture file we were able to watch someone log in to their web-based account.)

What you learned in this Lab:
In this Lab you learned to use Product to:
2. Find MAC addresses of access points within range
3. Find broadcast SSIDs in range
4. Capture and view traffic of wireless networks
5. Find MAC addresses of wireless clients within range
6. Get an overall picture of the type of traffic happening on your target network
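The same survey data lets a network owner audit their own airspace for the configurations this section breaks. The script below is an added example, not part of the original lab manual: it assumes the CSV summary that current airodump-ng releases write next to the capture file, and the sample rows, timestamps and the 02:00:00:... addresses are constructed (only the linksysL row reuses the lab's MAC addresses).

```python
import csv
from collections import defaultdict

# Constructed sample in the two-table layout of an airodump-ng CSV summary.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:18:39:C8:F3:0F, 2024-01-01 10:00:01, 2024-01-01 10:20:44,  6,  54, WEP, WEP, , -42, 1200, 357169,   0.  0.  0.  0,   8, linksysL,
02:00:00:00:00:01, 2024-01-01 10:00:02, 2024-01-01 10:20:44,  1,  54, WPA2, CCMP, PSK, -60, 900, 0,   0.  0.  0.  0,  10, office-psk,
02:00:00:00:00:02, 2024-01-01 10:00:02, 2024-01-01 10:20:44, 11,  54, WPA2, CCMP, MGT, -55, 950, 0,   0.  0.  0.  0,  10, corp-8021x,
02:00:00:00:00:03, 2024-01-01 10:00:03, 2024-01-01 10:20:44,  6,  54, OPN, , , -70, 400, 0,   0.  0.  0.  0,   5, guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:13:46:9F:AC:36, 2024-01-01 10:00:05, 2024-01-01 10:20:40, -50, 9000, 00:18:39:C8:F3:0F,
02:00:00:00:00:aa, 2024-01-01 10:01:00, 2024-01-01 10:19:00, -58, 300, 02:00:00:00:00:02,
02:00:00:00:00:bb, 2024-01-01 10:02:00, 2024-01-01 10:03:00, -80, 4, (not associated), guest
"""


def parse_tables(text):
    """Split the CSV text at blank lines and return each table as a list of row dicts."""
    blocks, current = [], []
    for line in text.splitlines():
        if line.strip():
            current.append(line)
        elif current:
            blocks.append(current)
            current = []
    if current:
        blocks.append(current)
    tables = []
    for lines in blocks:
        rows = [[cell.strip() for cell in row] for row in csv.reader(lines, skipinitialspace=True)]
        header, body = rows[0], rows[1:]
        tables.append([dict(zip(header, row)) for row in body])
    return tables


def findings(ap):
    """Map one access point row to the weaknesses covered in this section."""
    privacy = ap.get("Privacy", "").split()
    auth = ap.get("Authentication", "").split()
    issues = []
    if "OPN" in privacy:
        issues.append("open: traffic readable by anyone in range")
    if "WEP" in privacy:
        issues.append("WEP: key recoverable from captured IVs")
    if "PSK" in auth:
        issues.append("PSK: passphrase exposed to offline dictionary attack")
    return issues


def audit(text):
    """Return {ESSID: {bssid, issues, clients}} for every access point with a finding."""
    aps, stations = [], []
    for table in parse_tables(text):
        if table and "Privacy" in table[0]:
            aps = table
        elif table and "Station MAC" in table[0]:
            stations = table
    # Group associated clients by the BSSID they are connected to.
    clients = defaultdict(list)
    for sta in stations:
        clients[sta["BSSID"]].append(sta["Station MAC"])
    report = {}
    for ap in aps:
        issues = findings(ap)
        if issues:
            report[ap["ESSID"]] = {
                "bssid": ap["BSSID"],
                "issues": issues,
                "clients": sorted(clients.get(ap["BSSID"], [])),
            }
    return report


if __name__ == "__main__":
    for essid, entry in sorted(audit(SAMPLE_CSV).items()):
        print(essid, entry["bssid"], entry["issues"], entry["clients"])
```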
Wireless Attacks and Defense By: Dan Schade April 9, 2006 Schade - 2 As more and more home and business users adapt wireless technologies because of their ease of use and affordability, these devices are
More informationSharkFest'17 US. Basic workshop of. IEEE packet dissection. Megumi Takeshita
Basic workshop of SharkFest'17 US IEEE802.11 packet dissection Sample trace and supplemental files are located http://www.ikeriri.ne.jp/download/defcon Megumi Takeshita Packet Otaku ikeriri network service
More informationNomadic Communications Labs. Alessandro Villani
Nomadic Communications Labs Alessandro Villani avillani@science.unitn.it Security And Wireless Network Wireless Security: Overview Open network Open network+ MAC-authentication Open network+ web based
More informationIntrusion Techniques
Intrusion Techniques Mgr. Rudolf B. Blažek, Ph.D. Department of Systems Faculty of Information Technologies Czech Technical University in Prague Rudolf Blažek 2010-2011 Network Security MI-SIB, ZS 2011/12,
More informationBackTrack 5 Wireless Penetration Testing
BackTrack 5 Wireless Penetration Testing Beginner's Guide Master bleeding edge wireless testing techniques with BackTrack 5 Vivek Ramachandran [ PUBLISHING 1 open source I community experience distilled
More informationWLAN Roaming and Fast-Secure Roaming on CUWN
802.11 WLAN Roaming and Fast-Secure Roaming on CUWN Contents Introduction Prerequisites Requirements Components Used Background Information Roaming with Higher-Level Security WPA/WPA2-PSK WPA/WPA2-EAP
More informationWireless KRACK attack client side workaround and detection
Wireless KRACK attack client side workaround and detection Contents Introduction Components used Requirements EAPoL Attack protections Why this works Possible impact How to identify if a client is deleted
More informationSecuring a Wireless LAN
Securing a Wireless LAN This module describes how to apply strong wireless security mechanisms on a Cisco 800, 1800, 2800, or 3800 series integrated services router, hereafter referred to as an access
More informationSETTING UP THE LAB 1 UNDERSTANDING BASICS OF WI-FI NETWORKS 26
Table of Contents 0 SETTING UP THE LAB 1 HARDWARE REQUIREMENTS 1 SOFTWARE REQUIREMENTS 2 KALI LINUX INSTALLATION: 3 INSTALL KALI LINUX UNDER VMWARE 3 INSTALLING KALI LINUX ON PC 11 Kali Linux on USB: Advantages
More informationVulnerability issues on research in WLAN encryption algorithms WEP WPA/WPA2 Personal
Vulnerability issues on research in WLAN encryption algorithms WEP WPA/WPA2 Personal Lazaridis Ioannis, Pouros Sotirios, Veloudis Simeon DEI College, Thessaloniki, Greece Abstract: This paper presents
More informationSection 7 Using a Wireless IPS/IDS
Section 7 Using a Wireless IPS/IDS We ve been playing with the bad-guy side of Wireless LANs for awhile. In this section we ll be taking the other side. Trying to detect and protect against the hackers.
More informationAttacking Networks. Joshua Wright LightReading LIVE! October 1, 2003
Attacking 802.11 Networks Joshua Wright Joshua.Wright@jwu.edu LightReading LIVE! October 1, 2003 Attention The material presented here reflects the personal experience and opinions of the author, and not
More informationOutline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.
Outline 18-759: Wireless Networks Lecture 10: 802.11 Management Peter Steenkiste Departments of Computer Science and Electrical and Computer Engineering Spring Semester 2016 http://www.cs.cmu.edu/~prs/wirelesss16/
More informationVLANs and Association Redirection. Jon Ellch
802.11 VLANs and Association Redirection Jon Ellch Contents 1 Foreword 2 2 Background 3 3 Introduction 4 3.1 The state of the art......................................... 4 4 PVLANs and virtual BSSIDs
More informationConfiguring Wireless Security Settings on the RV130W
Article ID: 5021 Configuring Wireless Security Settings on the RV130W Objective Wireless networking operates by sending information over radio waves, which can be more vulnerable to intruders than a traditional
More informationOpen System - No/Null authentication, anyone is able to join. Performed as a two way handshake.
Five components of WLAN Security 1. Data Privacy 1. Privacy is important because transmission occurs over the air in freely licensed bands. The Data can be sniffed by anyone within range. 2. Eavesdropping
More information4.4 IEEE MAC Layer Introduction Medium Access Control MAC Management Extensions
4.4 IEEE 802.11 MAC Layer 4.4.1 Introduction 4.4.2 Medium Access Control 4.4.3 MAC Management 4.4.4 Extensions 4.4.3 802.11 - MAC management Synchronization try to find a LAN, try to stay within a LAN
More informationActivity Configuring and Securing a Wireless LAN in Packet Tracer
Activity Configuring and Securing a Wireless LAN in Packet Tracer Objectives: 1. Configure a Wireless Access Point (WAP) local IP address. 2. Configure a WAP with an SSID. 3. Change the administrator s
More informationChapter 2. Switch Concepts and Configuration. Part II
Chapter 2 Switch Concepts and Configuration Part II CCNA3-1 Chapter 2-2 Switch Concepts and Configuration Configuring Switch Security MAC Address Flooding Passwords Spoofing Attacks Console Security Tools
More informationWireless technology Principles of Security
Wireless technology Principles of Security 1 Wireless technologies 2 Overview This module provides an introduction to the rapidly evolving technology of wireless LANs (WLANs). WLANs redefine the way the
More informationMonitoring the Mobility Express Network
About the Cisco Mobility Express Monitoring Service, on page 1 Customizing the Network Summary View, on page 2 Viewing the Details of Configured WLANs, on page 5 Customizing Access Points Table View, on
More informationEncrypted WiFi packet injection and circumventing wireless intrusion prevention systems
Encrypted WiFi packet injection and circumventing wireless intrusion prevention systems White Paper Tim de Waal - 2015 Table of contents 1. Introduction 2. Proposed attack 2.1. Attack outline 2.2. Attack
More informationFinIntrusion Kit / Release Notes. FINFISHER: FinIntrusion Kit 4.0 Release Notes
1 FINFISHER: FinIntrusion Kit 4.0 Release Notes 2 Copyright 2013 by Gamma Group International, UK Date 2013-07-12 Release information Version Date Author Remarks 1.0 2010-06-29 ht Initial version 2.0 2011-05-26
More informationEthical Hacking and Prevention
Ethical Hacking and Prevention This course is mapped to the popular Ethical Hacking and Prevention Certification Exam from US-Council. This course is meant for those professionals who are looking for comprehensive
More informationNWD2705. User s Guide. Quick Start Guide. Dual-Band Wireless N450 USB Adapter. Version 1.00 Edition 1, 09/2012
NWD2705 Dual-Band Wireless N450 USB Adapter Version 1.00 Edition 1, 09/2012 Quick Start Guide User s Guide www.zyxel.com Copyright 2012 ZyXEL Communications Corporation IMPORTANT! READ CAREFULLY BEFORE
More informationSample Exam Ethical Hacking Foundation
Sample Exam Sample Exam Ethical Hacking Foundation SECO-Institute issues the official Ethical Hacking courseware to accredited training centres where students are trained by accredited instructors. Students
More informationConfiguring Repeater and Standby Access Points and Workgroup Bridge Mode
20 CHAPTER Configuring Repeater and Standby Access Points and Workgroup Bridge Mode This chapter describes how to configure your access point as a repeater, as a hot standby unit, or as a workgroup bridge.
More informationProject 3: Network Security
CIS 331 October 3, 2017 Introduction to Networks & Security Project 3: Network Security Project 3: Network Security This project is due on Tuesday, October 17 at 10 p.m.. You must work in teams of two
More informationMany organizations worldwide turn to
Vulnerability Analysis of GWireless Benjamin Lim (A0100223) National University of Singapore limbenjamin@u.nus.edu April 21, 2015 arxiv:1508.02082v1 [cs.cr] 9 Aug 2015 Abstract Wireless networking has
More informationCEH Tools. Sniffers. - Wireshark: The most popular packet sniffer with cross platform support.
Sniffers - Wireshark: The most popular packet sniffer with cross platform support. - Tcpdump: A popular CLI sniffer available for both the Unix and Linux platforms. - Windump: Windows version of tcpdump.
More informationCSNT 180 Wireless Networking. Chapter 7 WLAN Terminology and Technology
CSNT 180 Wireless Networking Chapter 7 WLAN Terminology and Technology Norman McEntire norman.mcentire@servin.com Founder, Servin Corporation, http://servin.com Technology Training for Technology Professionals
More informationWireless Setup Instructions for Windows
Wireless Setup Instructions for Windows NOTE: For successful wireless setup, you will need to have a network cable for a temporary connection to your wireless router or access point, and you must know
More informationBuilding a wireless capturing tool for WiFi
SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks. 2009; 2:654 668 Published online 2 April 2009 in Wiley InterScience (www.interscience.wiley.com).107 Building a wireless capturing tool for
More informationNetwork Security. Security in local-area networks. Radboud University, The Netherlands. Spring 2017
Network Security Security in local-area networks Radboud University, The Netherlands Spring 2017 A two-slide intro to networking I Command on tyrion: netcat -lp 51966 Command on arya: echo "Hi tyrion"
More informationConfiguring Repeater and Standby Access Points and Workgroup Bridge Mode
CHAPTER 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode This chapter descibes how to configure your access point as a repeater, as a hot standby unit, or as a workgroup bridge.
More informationConfiguring Authentication Types
CHAPTER 11 This chapter describes how to configure authentication types on the access point. This chapter contains these sections: Understanding Authentication Types, page 11-2, page 11-10 Matching Access
More informationChapter 11: Networks
Chapter 11: Networks Devices in a Small Network Small Network A small network can comprise a few users, one router, one switch. A Typical Small Network Topology looks like this: Device Selection Factors
More informationSecuring Wireless Networks by By Joe Klemencic Mon. Apr
http://www.cymru.com/ Securing Wireless Networks by By Joe Klemencic (faz@home.com) Mon. Apr 30 2001 Many companies make attempts to embrace new technologies, but unfortunately, many of these new technologies
More informationContent. Chapter 1 Product Introduction Package Contents Product Features Product Usage... 2
Content Chapter 1 Product Introduction... 2 1.1 Package Contents... 2 1.2 Product Features... 2 1.3 Product Usage... 2 1.4 Before Installation... 2 1.5 Disable other manufacturers wireless network adapters...
More informationConfiguring a VAP on the WAP351, WAP131, and WAP371
Article ID: 5072 Configuring a VAP on the WAP351, WAP131, and WAP371 Objective Virtual Access Points (VAPs) segment the wireless LAN into multiple broadcast domains that are the wireless equivalent of
More informationHooray, w Is Ratified... So, What Does it Mean for Your WLAN?
Global Leader in Wireless Security Hooray, 802.11w Is Ratified... So, What Does it Mean for Your WLAN? A Brief Tutorial on IEEE 802.11w Gopinath K N and Hemant Chaskar AirTight Networks www.airtightnetworks.com
More informationTestsDumps. Latest Test Dumps for IT Exam Certification
TestsDumps http://www.testsdumps.com Latest Test Dumps for IT Exam Certification Exam : PW0-200 Title : Certified wireless security professional(cwsp) Vendors : CWNP Version : DEMO Get Latest & Valid PW0-200
More informationCS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis
CS-435 spring semester 2016 Network Technology & Programming Laboratory University of Crete Computer Science Department Stefanos Papadakis & Manolis Spanakis CS-435 Lecture preview 802.11 Security IEEE
More informationAppendix E Wireless Networking Basics
Appendix E Wireless Networking Basics This chapter provides an overview of Wireless networking. Wireless Networking Overview The FWG114P v2 Wireless Firewall/Print Server conforms to the Institute of Electrical
More informationChapter 24 Wireless Network Security
Chapter 24 Wireless Network Security Wireless Security Key factors contributing to higher security risk of wireless networks compared to wired networks include: o Channel Wireless networking typically
More informationOverview. Information About wips CHAPTER
1 CHAPTER This chapter describes the role of the Cisco 3300 mobility services engine (MSE) and the Cisco Adaptive Wireless Intrusion Prevention System (wips) within the overall Cisco Unified Wireless Network
More informationExpected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy
CHAPTER 9 DEVELOPING NETWORK SECURITY STRATEGIES Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy Network Security Design
More informationWireless Networking Basics. Ed Crowley
Wireless Networking Basics Ed Crowley 2014 Today s Topics Wireless Networking Economic drivers and Vulnerabilities IEEE 802.11 Family WLAN Operational Modes Wired Equivalent Privacy (WEP) WPA and WPA2
More informationObstacle Avoiding Wireless Surveillance Bot
Volume 118 No. 20 2018, 4309-4314 ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu Obstacle Avoiding Wireless Surveillance Bot ijpam.eu Aman Aryan, Aakanksha Mishra, Raashi Pradeep Shetty Department
More informationWorldwide Release. Your world, Secured ND-IM005. Wi-Fi Interception System
Your world, Secured 2016 Worldwide Release System Overview Wi-Fi interception system is developed for police operations and searching of information leaks in the office premises, government agencies and
More informationiconnect625w Copyright Disclaimer Enabling Basic Wireless Security
iconnect625w Enabling Basic Wireless Security Copyright Copyright 2006 OPEN Networks Pty Ltd. All rights reserved. The content of this manual is subject to change without notice. The information and messages
More informationWireless Hacking How to Hack Wireless Networks Beginner s Guide
Wireless Hacking How to Hack Wireless Networks Beginner s Guide Evan Lane Copyright 2017 Evan Lane. All rights reserved. Printed in the USA The information in this book represents only the view of the
More informationProcedure: You can find the problem sheet on the Desktop of the lab PCs.
University of Jordan Faculty of Engineering & Technology Computer Engineering Department Computer Advance Networks Laboratory 907529 Lab.3 WLAN Security Objectives 1. Configure administrator accounts.
More informationTroubleshooting End User Wireless Networks
CHAPTER 5 This chapter provides troubleshooting suggestions for typical user problems and contains these sections: Using the Cisco SSC Simplified User Interface, page 5-1 Association Failure, page 5-2
More informationHow to set up your wireless network
How to set up your wireless network There are several steps involved in securing your wireless network. I recommend that you take these steps in order and only change one item at a time. While this may
More informationCOMP 2000 W 2012 Lab no. 3 Page 1 of 11
COMP 2000 W 2012 Lab no. 3 Page 1 of 11 Lab Introduction Background The Internet is based on packet-switched protocols. Information is carried in packets (it is divided into packets), which can be imagined
More informationRecurrent Security Gaps In ac Routers
Recurrent Security Gaps In 802.11ac Routers Mohammed Farik, ABM Shawkat Ali Abstract: In comparison to earlier IEEE 802.11 standard (a/b/g/n) routers, today s popular 802.11ac standard routers have enhanced
More informationUsing PEAP and WPA PEAP Authentication Security on a Zebra Wireless Tabletop Printer
Using PEAP and WPA PEAP Authentication Security on a Zebra Wireless Tabletop Printer Q. What is PEAP? A. Protected Extensible Authentication Protocol is an IEEE 802.1x EAP security method that uses an
More informationHW/Lab 4: IPSec and Wireless Security. CS 336/536: Computer Network Security DUE 11 am on 12/01/2014 (Monday)
HW/Lab 4: IPSec and Wireless Security CS 336/536: Computer Network Security DUE 11 am on 12/01/2014 (Monday) This HW/Lab assignment covers Lectures 8 (IPSec) and 10 (Wireless Security). Please review these
More informationHow Insecure is Wireless LAN?
Page 1 of 7 How Insecure is Wireless LAN? Abstract Wireless LAN has gained popularity in the last few years due to its enormous benefits such as scalability, mobile access of the network, and reduced cost
More information