Wireless Penetration Testing For Realz and WCTF


Wireless Penetration Testing For Realz and WCTF @Rmellendick rmellendick@gmail.com @DaKahuna2007 da.kahuna@gmail.com

DISCLAIMER This is provided for informational purposes only. It is illegal in most countries, especially the US, to connect, decrypt traffic, penetrate, or inject any Wi-Fi network other than your own or any network where you do not have explicit (ROE) permission given to you by the rightful owner. YOU are solely responsible for any and all of your own actions and assume the consequences of those actions.

Legal stuff
- Know the wiretap laws and do not violate them
- Some states require that both parties consent to a phone call being recorded
- Know the scanner laws for the state you are operating in; remember to check this before traveling out of state
- Make sure your activities are authorized in the written rules of engagement
- In most states it is legal to monitor any radio transmission as long as it's not a telephone call or pager traffic
- Additional activities to avoid: jamming transmissions, decoding pager traffic, illegally transmitting

Why You Should Listen to Us: You Shouldn't

DefCon 15

DefCon 21

Pentesting Distributions: Network Security Toolkit (2003), Whoppix (2005), Auditor (2005), WHAX (2005), Pentoo (December 2006)*, BackTrack 1.0 (2006), Kali Linux (March 2013)

Wireless Encryption

Property                  WEP          WPA                      802.11i (WPA2)
Cipher Algorithm          RC4          RC4 (TKIP)               AES-CCMP
Encryption Key            40-bit       128-bit                  128-bit
Initialization Vector     24-bit       48-bit                   48-bit
Authentication Key        None         64-bit                   128-bit
Integrity Check           CRC-32       Michael                  CCM
Key Distribution          Manual       802.1X (EAP)             802.1X (EAP)
Key Unique To             Network      Packet, Session, User    Packet, Session, User
Key Hierarchy             No           Derived from 802.1X      Derived from 802.1X
Ad-hoc Security (P2P)     No           No                       Yes (IBSS)
Pre-authentication        No           No                       Yes (EAPOL)

Source: Wireless Security: The need for WPA and 802.11i, Abuzar Amini
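The Initialization Vector row of the table is where WEP's weakness shows most directly: RC4 produces the same keystream whenever the same IV is used under the same key, so the size of the IV space bounds how long a key can be used before keystream reuse becomes likely. The Python block below is an added example, not part of the talk, that quantifies this for the 24-bit and 48-bit IV widths listed in the table: the number of distinct IVs, the birthday-bound estimate of how many frames a randomly chosen IV survives before repeating, the time a sequential IV counter takes to wrap, and a small simulation of random IV reuse. The frame rate used is a constructed figure, not a measurement.

```python
import math
import random

# IV widths taken from the table above (WEP vs. WPA/WPA2)
IV_BITS = {"WEP": 24, "WPA": 48, "WPA2": 48}


def iv_space(iv_bits: int) -> int:
    """Number of distinct IVs available with iv_bits-bit IVs."""
    return 1 << iv_bits


def expected_frames_until_reuse(iv_bits: int) -> float:
    """Birthday-bound estimate: with IVs chosen uniformly at random, the first
    repeat is expected after roughly sqrt(pi/2 * N) frames, where N = 2**iv_bits.
    Under the same key, a repeated IV means a repeated RC4 keystream."""
    return math.sqrt(math.pi / 2 * iv_space(iv_bits))


def seconds_until_exhaustion(iv_bits: int, frames_per_second: float) -> float:
    """Best case for a sequential IV counter: every IV is used exactly once
    before the first repeat, so the counter wraps after N / frame rate seconds."""
    return iv_space(iv_bits) / frames_per_second


def simulate_random_iv_reuse(iv_bits: int, seed: int = 1) -> int:
    """Draw random IVs until one repeats and return how many frames that took.
    Only practical for small IV widths such as WEP's 24 bits."""
    rng = random.Random(seed)
    seen = set()
    n = iv_space(iv_bits)
    frames = 0
    while True:
        iv = rng.randrange(n)
        frames += 1
        if iv in seen:
            return frames
        seen.add(iv)


if __name__ == "__main__":
    # constructed figure: a busy access point sending about 1000 frames per second
    FRAMES_PER_SECOND = 1000.0
    for name, bits in IV_BITS.items():
        print(f"{name}: {bits}-bit IV, {iv_space(bits):,} distinct IVs")
        print(f"  random IVs: first reuse expected after ~{expected_frames_until_reuse(bits):,.0f} frames")
        hours = seconds_until_exhaustion(bits, FRAMES_PER_SECOND) / 3600
        print(f"  sequential IVs at {FRAMES_PER_SECOND:.0f} frames/s: counter wraps after {hours:,.1f} hours")
    print(f"WEP simulation: first random-IV reuse after {simulate_random_iv_reuse(24)} frames")
```

With 24-bit IVs the birthday estimate is on the order of five thousand frames, and even a perfectly sequential counter wraps in a few hours on a busy network; the 48-bit IV of TKIP and CCMP moves both figures out of practical reach, which is why the table's Integrity Check and Key Hierarchy rows matter as much as the cipher name.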

Methodology
- Develop a methodology; make it repeatable
- Scope work
- Rules of engagement (get out of jail free)
- Enumeration/Assessment
- Target information collection: SSIDs, ESSIDs & MACs; modes of encryption; parsing useful information from sites using EAP

Methodology
- Passive reconnaissance
- Active reconnaissance
- Exploitation: MiTM, client side attacks, cracking encryption
- Validation and out-brief
- Report: why, who, what, where, how

Wireless Pentesting: What Do I Need?
- Platform selection
- Selecting an operating system
- Pentesting software choices
- Choosing wireless network cards (3-card setup vs. 2-card setup)
- Deciding on an antenna

Platform Selection
- Laptop: external wireless adapter, external antenna, power source
- Smartphone or tablet: self-contained

Minimum Requirements - Platform: PDA/phone history, Laptop, Fusion, Smartphone, Tablet

Selecting an Operating System: Windows, Mac OS X, Fusion (multiple VMs), *NIX

Pentesting Software Choices
- Non-GUI: Aircrack-ng Suite, AirGraph, Kismet-NG, Tshark, Reaver
- GUI: Cain & Abel, GISKismet, Wireshark

Deciding on an Antenna
- Antenna selection: radiation pattern matters
- Omnidirectional: fixed, magmount
- Directional: Yagi, cantenna, panel

Deciding on an Antenna
- Omnidirectional: dipole
- Directional: panel, Yagi

GPS Selection
- USB based; must be NMEA compliant
- Latest models: BU-353-S4 (48 channels), Columbus V-800 (66 channels)

Choosing a Wireless Network Card
- Wireless device selection: Alfa cards (B, G, N or ABGN), Rokland N3 (BGN), Rosewill N600 UBE (ABGN), SR-71 (ABG), AirPcap Nx (ABGN), Wi-Spy DBx (2.4 and 5 GHz)
- Chipset is the key. The good: Atheros, Ralink, Realtek

Testing Gear
- Have a repeatable process for validating antennas/setup: hand testing (fixed point) and automated testing (Kismet, kismet script shootout.rb)
- Know how different cards and antenna combinations work
- Never be surprised by your equipment on an assessment
- Know your target and plan ahead

Wireless Pentesting Attacks: MITM, Evil Access Point (Evil AP), Jasager (WiFi Pineapple), Karmetasploit, Attwifi (new attack), PiWAT, PwnPlug, Injection, Bluetooth

Password Cracking Wireless Tools
- Non-GUI: Aircrack-ng Suite, Pyrit, oclHashcat-plus/oclHashcat-lite, WEPCrack
- GUI: Cain & Abel, KisMAC, hashcat-GUI

Putting It Into Practice: Wireless CTF Contest
- Connection: make a connection in the most hostile environment
- Hide and Seek: recon (finding an access point in crowded RF space)
- Fox and Hound: advanced recon (finding a person)
- Password Cracking: getting in (using all the tools that are available)
- System Takeover: exploitation and putting it all together (both offense and defense)

Putting It Into Practice: BSSIDes-dc WCTF, "The New Tower - Less is More"

The Old

Prep- work

Prep- work

The New

Rules
- You must register with the key server
- All game BSSIDs are in the context of BSSIDesWCTF#
- Offense and defense in play
- Every team that solves a challenge gets points for the challenge
- Keys will be within all of the networks
- Once connected, scan for port 80 or 6666
- IRC channels will be BSSIDesdcWCTF
- 180/370 points CAN be captured in 4 hours or less on a stock laptop
- 8 of the challenges are 100% solvable
- 1 challenge is VERY HARD, but risk/reward is high, so manage your time

Challenge 1 "Welcome to the Terrordome" BsidesWCTF1 (10 pts)

Challenge 2 "Michael Ballack found me, can you?" BsidesWCTF2 (10 pts)

Challenge 3 "Home Invasion" BsidesWCTF3 (15 pts)

Challenge 4 "This will WiPS you into shape" BsidesWCTF4 (15 pts)

Challenge 5 "WEP used to be easy" BsidesWCTF5 (20 pts)

Challenge 6 "From Phil to #52" BsidesWCTF6 (20 pts)

Challenge 7 "It's getting hot in herre; turn up the AirConditioner" BsidesWCTF7 (30 pts)

Challenge 8 "Welcome Back to DC: Things are not what they appear" BsidesWCTF8 (30 pts)

Challenge 9 "Cisco is like CycloX; Wireshark is your friend; What's in a name?" BsidesWCTF9 (30 pts)

Scoring
In order to participate in the Wireless Pentathlon you will need the following:
- A working copy of GnuPG or PGP, depending on your operating system
- A valid public/private key pair to be used for *SIGNING* your submissions
- Access to email
Wireless Pentathlon scoring instructions and the PGP public key are at http://wifi-ctf.subba.net
A flag.sh shell script has been provided to aid in uploading keys. Its use is optional, but you will find that it might make it easier/faster to submit your scores.

Scoring
To submit a flag, do the following:
- Copy the flag from its location; it will be a long set of random numbers/letters. Make sure you have the whole thing, no breaks or spaces.
- If using flag.sh, use: ./flag.sh <key>, e.g. ./flag.sh cbbe3ec55dd050e749918770af0a40b6d8192679
- Copy and paste the resulting PGP message into an email
- You must email this resulting PGP message, and ONLY this text block, to wifi-ctf@subba.net
- YOU MUST DO THIS WITH THE GPG KEY YOU SUBMITTED TO THE CTF
- The scoreboard will be updated every 3 minutes
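The flag.sh script itself is not reproduced on the slides, so the following is an added Python stand-in, not the CTF's own script, that does the same job: it checks that the pasted flag is one unbroken hex string, as the slide requires, and then clearsigns it with GnuPG using the key registered with the CTF. The gpg options it calls (--armor, --clearsign, --local-user) are standard GnuPG options; the assumption that a flag is exactly 40 hex characters is taken from the example flag on the slide, and the key ID on the command line is a placeholder.

```python
import re
import shutil
import subprocess
import sys

# Length of the sample flag on the slide (cbbe3ec5...2679 is 40 hex characters);
# an assumption about the flag format, adjust if the CTF hands out longer flags.
EXPECTED_FLAG_LEN = 40


def check_flag(raw: str, expected_len: int = EXPECTED_FLAG_LEN) -> tuple[bool, str]:
    """Validate a pasted flag before signing it. Returns (ok, reason)."""
    if raw != raw.strip():
        return False, "leading or trailing whitespace; trim it"
    if any(c.isspace() for c in raw):
        return False, "flag contains a space or line break; paste it as one unbroken string"
    if not re.fullmatch(r"[0-9a-fA-F]+", raw):
        return False, "flag must contain hexadecimal characters only"
    if len(raw) != expected_len:
        return False, f"flag is {len(raw)} characters, expected {expected_len}"
    return True, "ok"


def build_gpg_command(key_id: str) -> list[str]:
    """gpg reads the flag on stdin and writes an ASCII-armoured clearsigned message to stdout.
    --local-user selects the signing key, which must be the one submitted to the CTF."""
    return ["gpg", "--armor", "--clearsign", "--local-user", key_id]


def looks_like_clearsigned(message: str) -> bool:
    """Sanity check on what gets pasted into the email: the whole block and nothing else."""
    text = message.strip()
    return (text.startswith("-----BEGIN PGP SIGNED MESSAGE-----")
            and text.endswith("-----END PGP SIGNATURE-----"))


def sign_flag(flag: str, key_id: str) -> str:
    """Validate, then clearsign the flag; returns the PGP message to email."""
    ok, reason = check_flag(flag)
    if not ok:
        raise ValueError(reason)
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found on PATH; install GnuPG first")
    result = subprocess.run(build_gpg_command(key_id), input=flag + "\n",
                            capture_output=True, text=True, check=True)
    if not looks_like_clearsigned(result.stdout):
        raise RuntimeError("gpg produced unexpected output")
    return result.stdout


if __name__ == "__main__":
    # usage: python flag.py <flag> <gpg key id>   (the key id is whatever you registered)
    if len(sys.argv) != 3:
        sys.exit("usage: flag.py <flag> <gpg key id>")
    print(sign_flag(sys.argv[1], sys.argv[2]), end="")
```

Piping the flag into gpg rather than writing it to a temporary file keeps the signed text exactly equal to the flag, and the trailing check on the BEGIN/END markers catches the most common submission mistake the slide warns about: mailing a fragment of the block instead of all of it.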

Logging: We will be logging all channels (2.4 GHz and 5 GHz) during the CTF. For a copy of the PCAPs you must register and score!

Questions: @Rmellendick rmellendick@gmail.com, @DaKahuna2007 da.kahuna@gmail.com. Please fill out this survey for the conference: https://www.surveymonkey.com/s/bsidesdc13-Speaker