Section 4 Cracking Encryption and Authentication


Section 4 Cracking 802.11 Encryption and Authentication

In the previous section we showed the vulnerabilities of open wireless LANs. In this section we'll show some of the techniques and tools used to break wireless encryption. Once you have cracked the encryption, you can use all the tools from the previous section to see what everyone is doing. Some of these techniques are vendor-specific or protocol-specific attacks. We'll use both Windows and Linux tools to crack encryption and authentication!

1/12/11 1 www.inpnet.org www.hotlabs.org

LAB 4.1: LEAP Cracking - Asleap/Pre-Hashed Dictionary File

The purpose of this lab is to learn how to break the encryption and authentication methods used in securing wireless networks.

WEP encryption, used for confidentiality and integrity on a wireless LAN, utilizes a weak implementation of RC4 encryption. The RC4 key initialization vectors (IVs) generated by a WEP network connection are weak and therefore able to be cracked. In order to successfully crack WEP, 800,000 to 1,000,000 WEP-encrypted frames must be captured. In this lab you will capture and crack a WEP key.

WPA-PSK uses a passphrase for authenticating wireless clients to the network. The WPA passphrase is an 8-63 ASCII character text string that is used to authenticate wireless users. The WPA passphrase is susceptible to a dictionary attack, and this lab will show you how to capture and crack a WPA key.

LEAP authentication is a Cisco proprietary mechanism to allow users to connect to a wireless network using a username and a password. The username is sent in cleartext and the password is hashed to protect it in transit on the wireless network. The hashing of the password can be broken with a tool called Asleap.

Product Information / Source:
    Omnipeek Personal - Free - http://wildpackets.com
    Asleap - http://asleap.sourceforge.net/

Where, When, Why:
You have already learned how to capture passwords, web traffic, and email content, and to sniff open wireless networks. But most enterprise-class wireless LANs implement some form of encryption and authentication. Some of those security mechanisms are weak and therefore susceptible to attack. A wireless pen tester must know how to identify those threats and know the susceptibility of the network to attack. Also, it is necessary to be able to perform the cracks to illustrate to a customer the weaknesses of the wireless network security.

Requirements / Dependencies:
    Omnipeek Personal
    Wireshark
    Airpcap USB adapter
    Aircrack
    Tamosoft Commview
    Aireplay
    Nokia N800 wireless client
    CoWPAtty
    Asleap
    Large dictionary file

Running an Asleap Crack against a LEAP Authentication

Step 1. Prepare to capture the LEAP authentication with Omnipeek.
Step 2. The instructor will tell you when to start the capture and on what channel.
Step 3. Start your capture to catch the LEAP conversation.
Step 4. Save the capture file as a TCP Dump file.
Step 5. Open a command prompt.
Step 6. Change to the Asleap directory.
Step 7. Run Asleap against the capture file using the pre-hashed dictionary.
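The two WEP properties that the introduction to Lab 4.1 relies on (a tiny IV space and RC4 keystream reuse), shown in code. This is an added example written for this edition of the lab, not code from the original or from any of the tools listed above: it uses a textbook RC4 and the 40-bit lab key 009E4DD7E8; the IV value and the two frame bodies are constructed, and the "frames to a repeat" figure assumes IVs are chosen at random.

```python
import math

# Added example; not code from the original lab.  It models the two properties that make
# WEP breakable with the frame counts quoted in Lab 4.1: the 24-bit IV space is tiny, and
# RC4 reuses its keystream whenever the IV (sent in the clear) repeats under the same key.
IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible IVs


def frames_until_iv_repeat(probability=0.5, space=IV_SPACE):
    """Birthday bound: number of frames after which some IV has repeated with the given
    probability, assuming IVs are drawn uniformly at random (many cards are worse)."""
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - probability)))


def rc4_keystream(key, length):
    """Textbook RC4 (KSA then PRGA); WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv, key, plaintext):
    """WEP-style encryption of one frame body: plaintext XOR RC4(IV || key).
    The 32-bit ICV that WEP appends is omitted; it does not affect the point shown."""
    keystream = rc4_keystream(iv + key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(iv, key, p1, p2):
    """Two frames sent under the same IV share a keystream, so XORing their
    ciphertexts cancels the keystream and yields p1 XOR p2 without the key."""
    c1 = wep_encrypt(iv, key, p1)
    c2 = wep_encrypt(iv, key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    key = bytes.fromhex("009E4DD7E8")          # the 64-bit lab key (40 secret bits)
    iv = bytes([0x0B, 0xF3, 0x2A])             # constructed IV
    print("frames for a 50% chance of an IV repeat:", frames_until_iv_repeat())
    print("keystream reuse observable:",
          keystream_reuse_leak(iv, key, b"GET /index.html", b"POST /login.php"))
```

The birthday bound comes out to roughly 4,800 frames for an even chance that an IV repeats, so a busy network reuses keystreams within minutes. Keystream reuse is the simplest of WEP's problems; the statistical key-recovery attacks run in Labs 4.2 and 4.4 exploit a different one (RC4's key scheduling leaking key bytes for certain IVs), which is why they need the hundreds of thousands of frames quoted in the text rather than a few thousand.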

Lab 4.2: WEP Cracking and Acceleration

Aircrack-ng is used to statistically attack traffic gathered from WEP-encrypted wireless routers in order to crack the WEP key used. It can also be used to brute-force WPA keys. Once these keys are cracked, one can associate with the access point as a legitimate user.

Product Information: Aircrack-ng
Source: http://www.aircrack-ng.org - Free / Open Source (GPL, MPL)
Where, When, Why: Attack - this tool is designed to recover/crack WEP keys and/or WPA keys
Usage and Features: Recover/crack WEP or WPA keys
Requirements / Dependencies:
    Linux or Windows operating system
    Captured traffic of target access point
    Time

Lab Part 1 - Using Airodump-ng, Aircrack-ng and Aireplay-ng to quickly crack a WEP key

What you will do in this lab:
- Use Airodump-ng to find a target
- Capture encrypted traffic
- Use aireplay-ng to accelerate IV collection time
- Recover the WEP key using a statistical attack with aircrack-ng

Step 1. Configure your access point for a 64-bit WEP key of 009E4DD7E8 and have your N800 act as a client and connect to your access point. In this tutorial the access point SSID is LinksysL, but yours will be as assigned earlier. Start hitcast on your N800s to generate traffic.

Step 2. Launch Airodump-ng to view your access point and N800 as potential targets.

    ./ath_monitor      (sets your card in monitor mode)
    airodump-ng ath0

We see plenty of potential targets that are encrypted, a few of which have authenticated wireless clients with traffic.

Step 3. Once you have located the N800's traffic on your network, switch channels to monitor only that channel. My 'linksysl' access point is on channel 6, as yours should be by default.

    airodump-ng -w /tmp/linksysl_traffic --channel 6 ath0

Step 4. Now we can see that we are just on channel 6 and that we have one wireless station (00:13:46:9F:AC:36) that is connected to the access point linksysl. Since we are dumping into a capture file, everything that our card can see will be logged. The Data packets are what are of interest to us when cracking WEP keys; the more you collect, the less time it takes to statistically attack and recover the key. With only one client authenticated and little traffic, it will take a long time to collect these packets (we will see how a replay attack can dramatically decrease this).

Step 5. Now you wait! As each unique initialization vector (IV) is collected (indicated by the increase in #Data packets) you get closer to having enough IVs to send to aircrack-ng to be attacked. But you have probably noticed that it can take a very long time to collect enough IVs to crack the key, right? For a 64-bit key you want anywhere from 300,000 to 700,000 unique IVs, and for 128-bit and higher you want 1 million or more. So we need to find a way to generate a lot more traffic so that we can collect IVs faster; we can do so with aireplay-ng. From a command prompt type:

    aireplay-ng -3 -b 00:18:39:C8:F3:0F -h 00:13:46:9F:AC:36 ath0

where -b is YOUR ACCESS POINT MAC and -h is YOUR N800's MAC. This tells aireplay-ng that you want to launch a type 3 attack, which is an ARP replay attack: an ARP packet is picked out of the air and 'replayed', or constantly thrown back at the router, causing the router to respond with traffic in the form of an ARP reply.

312,631 unique IVs should be enough for us to start an attack against a 64-bit key, so let's start. (You have no idea how strong the key will be, so a good rule is to always start with the least and move up. We can specify the guessed key strength with the -n switch.)

Step 6.

    aircrack-ng /tmp/linksysl_traffic*.cap -n 64

This will give you a list of all the networks where data has been collected. Since we didn't supply the --ivs switch when capturing, it collected all traffic instead of just the IVs. We see that we have 357,169 IVs for the linksysl network. Just type 5 to select that network and the script will do the rest.

Since we had enough IVs it only took 18 seconds to recover the 64-bit key used: 00:9E:4D:D7:E8

Step 7. Now you can connect to the target access point as a legitimate user.

What you learned in this Lab:
In this lab you learned to use the aircrack-ng suite to:
- Pick a WEP-enabled wireless access point as a target
- Collect unique IVs
- Statistically attack the IVs in order to recover the WEP key

Lab 4.3: WPA Cracking

Aircrack-ng can also be used to brute-force WPA Pre-Shared Keys (PSK). Once these keys are cracked, one can associate with the access point as a legitimate user.

Product Information: Aircrack-ng
Source: http://www.aircrack-ng.org - Free / Open Source (GPL, MPL)
Where, When, Why: Attack - this tool is designed to recover/crack WEP keys and/or WPA keys
Usage and Features: Recover/crack WEP or WPA keys
Requirements / Dependencies:
    Linux or Windows operating system
    Captured traffic of target access point
    Time

What you will do in this lab:
- Use Airodump-ng to find a target
- Capture encrypted traffic
- Use aireplay-ng to deauth a client
- Recover the WPA key using aircrack-ng

Lab Part 1 - Using Airodump-ng, Aireplay-ng, and Aircrack-ng to crack a WPA key

Step 1. Configure your access point with a WPA-PSK key of applesauce and have your N800 act as a client and connect to your access point. In this tutorial the access point SSID is LinksysL, but yours will be as assigned earlier. Start hitcast on your N800s to generate traffic.

Step 2. Launch Airodump-ng to find your access point and N800 as potential targets (making sure we log to a capture file so that we can capture the 4-Way handshake).

    airodump-ng -w /tmp/wpa_linksysl --channel 6 ath0

Step 3. Noticing that our linksysl network has now switched to WPA with the TKIP cipher, our previous WEP-type attack where we collect unique IVs is no longer useful to us. In order to crack a WPA key, we need to see the EAPOL 4-Way handshake that takes place at the very beginning of the association with the access point; obviously we have missed that, as a client is already associated with the access point. We have two options:
  1. Wait for someone else (or the same client) to associate and authenticate with the access point.
  2. Force the already-associated client to disconnect and reconnect using a forged deauth packet.

Step 4. For the sake of time we will use the second option: forging a deauthenticate packet using the aireplay-ng tool.

    aireplay-ng -0 30 -a 00:18:39:C8:F3:0F -c 00:13:46:9F:AC:36 ath0

where -a is your ACCESS POINT MAC and -c is YOUR N800 MAC. This will launch a deauth attack against the wireless client, forcing it to reauthenticate and therefore allowing us to sniff for the 4-Way handshake.

Step 5. Use aircrack-ng to verify that we have actually collected the 4-Way handshake.

    aircrack-ng -w /root/wordlist.txt /tmp/*.cap

(This time we give it a large dictionary file to brute-force with.)

Step 6. Seeing that we have collected the handshake, we choose the target network (3) and let the cracking phase take place.

Step 7. Now you wait! The time it takes will depend on the key length and complexity, the speed of your computer(s), and the size of your dictionary file.
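A worked example of the derivation behind the "dictionary file" in the WPA lab above, written for this edition of the lab rather than taken from it or from the aircrack-ng project. It implements the Pairwise Master Key derivation that IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096 iterations), checks it against the standard's published test vector, and estimates how long exhausting a few passphrase classes would take at the rate this machine manages. The SSID linksysl is the lab's; the candidate words and the passphrase classes are assumptions.

```python
import hashlib
import time

# Added example, not part of the original lab.  IEEE 802.11i derives the WPA/WPA2-Personal
# Pairwise Master Key from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations,
# 32-byte output).  The dictionary attack in this lab has to repeat that derivation for every
# candidate word, so one guess costs 4096 HMAC rounds (x2, because 32 bytes need two SHA-1
# blocks) and the only thing that decides the outcome is how many guesses the passphrase forces.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, dkLen=32), as 802.11i specifies."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def measure_guess_rate(ssid: str = "linksysl", samples: int = 20) -> float:
    """Candidate passphrases per second on this machine (one core, OpenSSL's PBKDF2)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"candidate{i:05d}", ssid)       # constructed candidate words
    return samples / (time.perf_counter() - start)


def keyspace(length: int, alphabet_size: int) -> int:
    return alphabet_size ** length


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def compare_passphrases(guesses_per_second: float) -> dict:
    """Worst-case years to try every candidate in each class at the given rate.  A word that
    appears in a wordlist, like the lab's 'applesauce' or 'security', is in the first class."""
    return {
        "1M-word dictionary": years_to_exhaust(1_000_000, guesses_per_second),
        "8 lowercase letters": years_to_exhaust(keyspace(8, 26), guesses_per_second),
        "12 random alphanumerics": years_to_exhaust(keyspace(12, 62), guesses_per_second),
    }


if __name__ == "__main__":
    # published 802.11i test vector: passphrase "password", SSID "IEEE"
    print("PMK:", wpa_pmk("password", "IEEE").hex())
    rate = measure_guess_rate()
    print(f"this machine: {rate:,.0f} guesses/s")
    for label, years in compare_passphrases(rate).items():
        print(f"  {label:<24} {years:.3g} years")
```

The rate a single core manages here is a floor, not a ceiling; dedicated cracking hardware is orders of magnitude faster, which is why the comparison is worth running with a much higher rate than the one measured. The point stands either way: a passphrase drawn from a wordlist falls in seconds to minutes regardless of hardware, while a long random one pushes the same computation past any practical budget.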

Lab 4.4: Aircrack-ng

Aircrack-ng is used to statistically attack traffic gathered from WEP-encrypted wireless routers in order to crack the WEP key used. It can also be used to brute-force WPA keys. Once these keys are cracked, one can associate with the access point as a legitimate user.

Product Information: Aircrack-ng
Source: http://www.aircrack-ng.org - Free / Open Source (GPL, MPL)
Where, When, Why: Attack - this tool is designed to recover/crack WEP keys and/or WPA keys
Usage and Features: Recover/crack WEP or WPA keys
Requirements / Dependencies:
    Linux or Windows operating system
    Captured traffic of target access point
    Time

What you will do in this lab:
- Use Airodump-ng to find a target
- Capture encrypted traffic
- Recover the WEP key

Lab Part 1 - Using Aircrack-ng to crack a WEP key

Step 1. Launch Airodump-ng to view potential targets. (It is not necessary to log to a file at this point or to choose a channel, because we don't know anything about our target yet.)

    airodump-ng ath0

(Run the ath_monitor script first if you need to set your card in monitor mode.)

Step 2. We see plenty of potential targets that are encrypted, a few of which have authenticated wireless clients with traffic.

Step 3. Pick your target and switch channels to monitor only that channel. For this tutorial I will use the 'linksysl' access point, which is encrypted with WEP and on channel 6.

    airodump-ng -w /tmp/linksysl_traffic --channel 6 ath0

Step 4. Now we can see that we are just on channel 6 and that we have one wireless station (00:13:46:9F:AC:36) that is connected to the access point linksysl. Since we are dumping into a capture file, everything that our card can see will be logged. The Data packets are what are of interest to us when cracking WEP keys; the more you collect, the less time it takes to statistically attack and recover the key. With only one client authenticated and little traffic, it will take a long time to collect these packets (we will see how a replay attack can dramatically decrease this).

Step 5. Now you wait! As each unique initialization vector (IV) is collected (indicated by the increase in #Data packets) you get closer to having enough IVs to send to aircrack-ng to be attacked. Once you have enough, you can point the capture file at aircrack-ng for cracking. For a 64-bit key you want anywhere from 300,000 to 700,000 unique IVs, and for 128-bit and higher you want 1 million or more.

Step 6. 312,631 unique IVs should be enough for us to start an attack against a 64-bit key, so let's start. (You have no idea how strong the key will be, so a good rule is to always start with the least and move up. We can specify the guessed key strength with the -n switch.)

Step 7.

    aircrack-ng /tmp/linksysl_traffic*.cap -n 64

This will give you a list of all the networks where data has been collected. Since we didn't supply the --ivs switch when capturing, it collected all traffic instead of just the IVs. We see that we have 357,169 IVs for the linksysl network. Just type 5 to select that network and the script will do the rest.

Since we had enough IVs it only took 18 seconds to recover the 64-bit key used: 00:9E:4D:D7:E8

Step 8. Now you can connect to the target access point as a legitimate user.

What you learned in this Lab:
In this lab you learned to use the aircrack-ng suite to:
- Pick a WEP-enabled wireless access point as a target
- Collect unique IVs
- Statistically attack the IVs in order to recover the WEP key

Lab Part 2 - Using Aircrack-ng to crack a WPA key

What you will do in this lab:
- Use airodump-ng to find a target
- Capture encrypted traffic
- Recover the WPA key

Step 1. Launch Airodump-ng to find potential targets (making sure we log to a capture file so that we can capture the 4-Way handshake).

    airodump-ng -w /tmp/wpa_linksysl --channel 6 ath0

Step 2. Noticing that our linksysl network has now switched to WPA with the TKIP cipher, our previous WEP-type attack where we collect unique IVs is no longer useful to us. In order to crack a WPA key, we need to see the EAPOL 4-Way handshake that takes place at the very beginning of the association with the access point; obviously we have missed that, as a client is already associated with the access point. We have two options:
  1. Wait for someone else (or the same client) to associate and authenticate with the access point.
  2. Force the already-associated client to disconnect and reconnect using a forged deauth packet.

Step 3. For the sake of time we will use the second option: forging a deauthenticate packet using the aireplay-ng tool, which is part of the aircrack-ng suite.

    aireplay-ng -0 30 -a 00:18:39:C8:F3:0F -c 00:13:46:9F:AC:36 ath0

This will launch a deauth attack against the wireless client, forcing it to reauthenticate and therefore allowing us to sniff for the 4-Way handshake.

Step 4. Use aircrack-ng to verify that we have actually collected the 4-Way handshake.

    aircrack-ng -w /tmp/wordlists/large_dictionary_file.txt /tmp/wpa_linksysl*.cap

(This time we give it a large dictionary file to brute-force with.)

Step 5. Seeing that we have collected the handshake, we choose the target network (3) and let the cracking phase take place.

Step 6. Now you wait! The time it takes will depend on the key length and complexity, the speed of your computer(s), and the size of your dictionary file. The supplied dictionary file is very large.

Step 7. We have the WPA key! 'security' was the word used as the key. Now we can authenticate with the access point as a regular user.

Lab 4.5: Aireplay-ng

Aireplay-ng is a utility used to dramatically decrease the time it takes to collect enough data to crack a WEP key, or to forge deauthentication frames to cause a DoS attack.

Product Information: Aireplay-ng
Source: http://www.aircrack-ng.org/ - GPL
Where, When, Why: Attack - It can take a lot of valuable time to collect enough data on a WEP-enabled wireless network in order to crack a WEP key; time that Joe IT might not have in order to conduct his penetration test. Aireplay-ng will allow Joe to dramatically reduce the time it takes to break into a WEP-enabled access point so that he can spend more time focusing on other weaknesses of the client network.
Usage and Features:
    Different attack modes
    Can use live captured packets, forged packets, or archived packets
Requirements / Dependencies:
    Linux operating system
    Patched drivers for a supported wireless card
    Supported wireless card

What you will do in this lab:
- Find a WEP-enabled access point
- Launch a replay attack

Lab Part 1 - Using Aireplay-ng to speed up IV collection time

Step 1. Become root by typing su at a command prompt and entering the root password.

Step 2. Launch airodump-ng in order to view target access points.

Step 3. Find the target access point and switch airodump-ng to monitor only that channel. We will use linksysl on channel 6.

    airodump-ng -w /tmp/linksysl_capture --channel 6 ath0

Step 4. Now, there is not a lot of traffic, so we will be here for a long time collecting enough IVs to launch an attack against the WEP key. Launching a replay attack will help fix that.

    aireplay-ng -3 -b 00:18:39:C8:F3:0F -h 00:13:46:9F:AC:36 ath0

Step 5. This tells aireplay-ng that you want to launch a type 3 attack, which is an ARP replay attack: an ARP packet is picked out of the air and 'replayed', or constantly thrown back at the router, causing the router to respond with traffic in the form of an ARP reply. The -b switch is the MAC address of the router, -h is the MAC address of an authenticated client, and then we supply the interface from which the replay attack will be launched.

Step 6. At this rate the amount of time it will take is dramatically less, and we can soon send our packets off to aircrack-ng to be cracked. Overall it took us about 10 minutes to collect the amount of traffic (128,332 packets, as seen in the picture above) that otherwise would have had us sitting around for weeks.

NOTE: See the attached video created by muts of BackTrack entitled "Clientless WEP Cracking" for a demonstration of how to crack a WEP key of an access point with no connected clients, as well as "Cracking WEP in 10 minutes" to see aireplay-ng in action.

What you learned in this Lab:
In this lab you learned to use Aireplay-ng to:
1. Speed up an attack against a WEP-enabled access point

Lab Part 2 - Using Aireplay-ng to deauthenticate a client

What you will do in this lab:
- Locate a wireless client and forge a deauthenticate packet to force a disconnection/reconnection

Step 1. Become root by typing su at a command prompt and entering the root password.

Step 2. Launch airodump-ng in order to view possible targets by typing:

    airodump-ng ath0

Step 3. Choose the client that you would like to deauthenticate and forge a deauth packet using the aireplay-ng -0 attack. -a supplies the BSSID of the access point, and it is always more effective if you supply the -c station switch; otherwise it will send to broadcast, and that is not very reliable.

Step 4.

    aireplay-ng -0 10 -a 00:18:39:C8:F3:0F -c 00:13:46:9F:AC:36 ath0

If successful, this attack will force the station 00:13:46:9F:AC:36 to disconnect. This is useful in a denial of service attack, for sniffing for the EAPOL 4-Way handshake, or for other credentials that might be passed at the beginning of a session.
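The deauthentication burst that the last two parts (and Lab 4.3) rely on is also the easiest thing for the network owner to detect, which is the other half of the lesson. The detector below is an added example written for this edition of the lab, not code from the original or from the aircrack-ng project: it runs over a constructed list of management-frame summaries whose field names (ts, subtype, src, dst, bssid, reason) are an assumption, using the lab's AP and client MAC addresses with made-up timing, and reports any (BSSID, destination) pair that receives a burst of deauth or disassoc frames inside a short window.

```python
from collections import defaultdict, deque

# Added example, not part of the original lab.  A minimal detector for the bursts of
# deauthentication frames that 'aireplay-ng -0' sends.  An access point rarely
# deauthenticates a station, so many deauth/disassoc frames to one station (or to the
# broadcast address) inside a short window is what a wireless IDS alerts on.
# The record fields (ts, subtype, src, dst, bssid, reason) are an assumption for this
# example; a real feed would be produced from a monitor-mode capture or a WIDS export.

DEAUTH = 0xC        # 802.11 management frame subtype: deauthentication
DISASSOC = 0xA      # 802.11 management frame subtype: disassociation
BEACON = 0x8
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample: AP and client MACs are the ones used in the lab; the timing is made up.
AP_MAC = "00:18:39:C8:F3:0F"
STA_MAC = "00:13:46:9F:AC:36"


def sample_frames():
    frames = [{"ts": float(t), "subtype": BEACON, "src": AP_MAC, "dst": BROADCAST,
               "bssid": AP_MAC, "reason": None} for t in range(0, 120)]
    # one ordinary deauth (reason 3: station is leaving) well before the burst
    frames.append({"ts": 0.5, "subtype": DEAUTH, "src": AP_MAC, "dst": STA_MAC,
                   "bssid": AP_MAC, "reason": 3})
    # a burst of 30 deauths 10 ms apart, the shape a forged deauth attack produces
    frames += [{"ts": 60.0 + 0.01 * i, "subtype": DEAUTH, "src": AP_MAC, "dst": STA_MAC,
                "bssid": AP_MAC, "reason": 7} for i in range(30)]
    return frames


def detect_deauth_bursts(frames, window_s=2.0, threshold=5):
    """Return one alert per (bssid, dst) pair that receives at least `threshold`
    deauth/disassoc frames within any `window_s`-second sliding window.
    Frames may arrive out of order; they are sorted by timestamp first."""
    recent = defaultdict(deque)          # (bssid, dst) -> timestamps inside the window
    alerts = {}
    for f in sorted(frames, key=lambda x: x["ts"]):
        if f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        key = (f["bssid"].lower(), f["dst"].lower())
        q = recent[key]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window_s:
            q.popleft()
        if len(q) < threshold:
            continue
        if key not in alerts:
            alerts[key] = {"bssid": key[0], "dst": key[1], "first_ts": q[0],
                           "last_ts": f["ts"], "count": len(q),
                           "broadcast": key[1] == BROADCAST}
        else:
            alerts[key]["count"] += 1
            alerts[key]["last_ts"] = f["ts"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_deauth_bursts(sample_frames()):
        print(f"deauth burst: bssid={a['bssid']} dst={a['dst']} "
              f"count={a['count']} span={a['last_ts'] - a['first_ts']:.2f}s")
```

The single legitimate deauth at the start falls outside the window and produces nothing; the burst trips the alert at the fifth frame and keeps counting. Tuning is the usual trade-off: a lower threshold catches shorter bursts but will fire on roaming clients and AP reboots, and an alert whose destination is the broadcast address deserves a higher priority because a real AP almost never sends one.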

Lab 4.6: Airodump-ng

Airodump-ng is a wireless discovery utility that will display all access points within range of your wireless card as well as signal strength, encryption status, and wireless clients in the area, and log all information gathered to a packet capture file for analysis.

Product Information: Airodump-ng
Source: http://www.aircrack-ng.org - Free / Open Source (GPL, MPL)
Where, When, Why: Network Analysis - Joe IT would use this tool when he needs an idea of what access points are in the area, who is connecting to these access points, how much traffic is moving on the network, what access points clients are probing for, and what type of encryption is used on the networks. He can also very easily use this tool to log captured network traffic to a file.
Usage and Features:
    Displays access points / wireless networks in range
    Displays encryption types used by the wireless networks
    Shows which wireless clients are probing for or associated with which AP
    Logs captured traffic to a capture file
Requirements / Dependencies:
    Linux or Windows operating system
    Wireless card with supported chipset (the Ubiquiti card has the supported Atheros-based chipset)
Where to Go for More Information: http://www.aircrack-ng.org

What you will do in this lab:
- View wireless traffic in range
- Log traffic to a capture file

Step 1. Put the card into monitor mode by running the script ath_monitor at the command prompt.

Step 2. Launch airodump-ng with the appropriate parameters.

Step 3. Notice that we need to run this as root, so type su followed by the root password. The parameters that need to be supplied can be seen in the picture above. A simple way to launch the application with logging to a file and hopping all channels would be typed as follows:

    airodump-ng -w /tmp/capture_file ath0

Step 4. Once that command is executed, the screen will display all information that can be gathered in the area. From the screenshot we can see in the top left-hand corner the BSSID, which is the MAC address of each access point that is in range. We then see the power or signal strength (usually a good indicator of how close it is), followed by the beacons that are being sent from the access point, the data that is airborne, channel, encryption type, and ESSID (SSID). If the SSID is not broadcast then you will see a placeholder <length: <int>>. On the bottom we see wireless stations (wireless clients that are either associated to a certain access point or just in the area and probing).

Step 5. Since we didn't specify a channel as a parameter, we are hopping all channels. (Notice the CH variable in the top left changing?) You can specify a certain channel by stopping the script with CTRL-C and adding the --channel parameter:

    airodump-ng -w /tmp/capture_file --channel n ath0

Then you will only listen on channel n.

Step 6. To view the traffic that we have captured, open the capture file in your favorite protocol analyzer. For this purpose we will use Wireshark. At the command prompt type:

    wireshark /tmp/capture_file

and look for interesting traffic. (More details about this will be given in another lesson, but as a quick example we can see that in our capture file we were able to watch someone log in to their web-based email account.)
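The table airodump-ng shows on screen is also written to disk, which makes it the natural input for a wireless inventory: which networks are open or still on WEP, which are PSK-only and so depend on their passphrase, and how many clients each one has. The parser below is an added example written for this edition of the lab, not code from the original or from the aircrack-ng project. It assumes the airodump-ng CSV layout as I know it (an access-point table followed by a station table, written as <prefix>-01.csv next to the .cap file); the sample rows are constructed, with the lab's AP and client MACs on the first network and made-up values for the rest.

```python
# Added example, not part of the original lab and not aircrack-ng's own code.  Besides the
# .cap file, 'airodump-ng -w <prefix>' also writes <prefix>-01.csv, a text copy of the table
# shown on screen (BSSID, channel, Privacy, Power, ESSID, then the station list).  This
# parser turns that file into an inventory and flags the networks whose protection this
# section shows to be weak.  The layout is the airodump-ng CSV format as I know it; the
# sample rows are constructed (the first AP and the first client carry the lab's MACs,
# the other two networks and the second client are made up).

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:18:39:C8:F3:0F, 2011-01-12 09:00:01, 2011-01-12 09:10:22,  6,  54, WEP, WEP, , -41, 812, 312631,   0.  0.  0.  0,   8, linksysl,
00:0F:66:AA:BB:CC, 2011-01-12 09:00:03, 2011-01-12 09:10:20, 11,  54, WPA, TKIP, PSK, -63, 540, 0,   0.  0.  0.  0,   9, guestwifi,
00:1A:70:11:22:33, 2011-01-12 09:00:05, 2011-01-12 09:10:21,  1,  54, OPN, , , -70, 300, 0,   0.  0.  0.  0,   7, coffee1,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:13:46:9F:AC:36, 2011-01-12 09:00:02, 2011-01-12 09:10:22, -50, 40211, 00:18:39:C8:F3:0F, linksysl
00:16:CB:DE:AD:01, 2011-01-12 09:05:00, 2011-01-12 09:10:10, -80, 12, (not associated), linksysl,homenet
"""


def _mac(field):
    return field if field.startswith("(") else field.upper()


def parse_airodump_csv(text):
    """Split the file into its two sections and return (access_points, stations)."""
    aps, stations, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID, First time seen"):
            section = "ap"
            continue
        if line.startswith("Station MAC, First time seen"):
            section = "sta"
            continue
        if section == "ap":
            f = [x.strip() for x in line.split(",", 14)]   # ESSID is field 13, Key is 14
            if len(f) < 14:
                continue
            aps.append({"bssid": _mac(f[0]), "channel": int(f[3]), "privacy": f[5],
                        "cipher": f[6], "auth": f[7], "power": int(f[8]),
                        "beacons": int(f[9]), "ivs": int(f[10]), "essid": f[13]})
        elif section == "sta":
            f = [x.strip() for x in line.split(",", 6)]    # probed ESSIDs are comma-joined
            if len(f) < 6:
                continue
            probed = [p.strip() for p in f[6].split(",") if p.strip()] if len(f) > 6 else []
            stations.append({"mac": _mac(f[0]), "power": int(f[3]), "packets": int(f[4]),
                             "bssid": _mac(f[5]), "probed": probed})
    return aps, stations


def classify(ap):
    """Map the Privacy/Authentication columns to the weakness this section demonstrates."""
    privacy, auth = ap["privacy"].upper(), ap["auth"].upper()
    if privacy.startswith("OPN"):
        return True, "open: no encryption, anything sent is readable with the previous section's tools"
    if "WEP" in privacy:
        return True, "WEP: key recoverable from captured IVs (Labs 4.2 and 4.4)"
    if "WPA" in privacy and auth == "PSK":
        return False, "WPA/WPA2-PSK: only as strong as the passphrase against a dictionary attack (Lab 4.3)"
    if "WPA" in privacy:
        return False, "WPA/WPA2 with 802.1X: strength depends on the EAP method (LEAP is breakable, Lab 4.1)"
    return False, "unknown privacy setting: " + ap["privacy"]


def audit(aps, stations):
    """One finding per access point, with the number of associated stations seen."""
    clients = {}
    for s in stations:
        clients[s["bssid"]] = clients.get(s["bssid"], 0) + 1
    report = []
    for ap in aps:
        weak, finding = classify(ap)
        report.append({"essid": ap["essid"], "bssid": ap["bssid"], "channel": ap["channel"],
                       "privacy": ap["privacy"], "clients": clients.get(ap["bssid"], 0),
                       "weak": weak, "finding": finding})
    return report


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for r in audit(aps, stations):
        flag = "WEAK " if r["weak"] else "     "
        print(f"{flag}{r['essid']:<12} ch{r['channel']:<3} {r['privacy']:<5} "
              f"clients={r['clients']} {r['finding']}")
```

Point it at a real <prefix>-01.csv by reading the file into the string in place of SAMPLE_CSV. The station table is worth keeping as well: the probed ESSIDs column shows which networks a client will reconnect to, which is exactly the information the evil-twin material elsewhere in this course turns into an attack and the reason client profiles for open or WEP networks should be removed.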

What you learned in this Lab:
In this lab you learned to use Airodump-ng to:
1. Find MAC addresses of access points within range
2. Find broadcast SSIDs in range
3. Capture and view traffic of wireless networks
4. Find MAC addresses of wireless clients within range
5. Get an overall picture of the type of traffic happening on your target network