CEH Lab Manual Hacking Wireless Networks Module 15

Ceh v8 labs module 15 hacking wireless networks

Jan 19, 2015


CEH Lab Manual

Hacking Wireless Networks

Module 15

Module 15 - Hacking Wireless Networks

Hacking Wireless Networks

Wi-Fi is developed on IEEE 802.11 standards and is widely used in wireless communication. It provides wireless access to applications and data across a radio network.

Lab Scenario

Wireless network technology is becoming increasingly popular but, at the same time, it has many security issues. A wireless local area network (WLAN) allows workers to access digital resources without being tethered to their desks. However, the convenience of WLANs also introduces security concerns that do not exist in a wired world. Connecting to a network no longer requires an Ethernet cable. Instead, data packets are airborne and available to anyone with the ability to intercept and decode them. Several reports have explained weaknesses in the Wired Equivalent Privacy (WEP) algorithm used by the 802.11x standard to encrypt wireless data.

To be an expert ethical hacker and penetration tester, you must have sound knowledge of wireless concepts, wireless encryption, and their related threats. As a security administrator of your company, you must protect the wireless network from hacking.

Lab Objectives

The objective of this lab is to protect the wireless network from attackers.

In this lab, you will learn how to:

■ Crack WEP using various tools

■ Capture network traffic

■ Analyze and detect wireless traffic

Lab Environment

In the lab you will need a web browser with an Internet connection.

■ This lab requires an AirPcap adapter installed on your machine for all labs

Lab Duration

Time: 30 Minutes

Overview of Wireless Network

A wireless network refers to any type of computer network that is wireless and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves such as radio waves for the carrier. The implementation usually takes place at the physical level or layer of the network.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks

CEH Lab Manual Page 819 Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in Wireless Networks:

■ WiFi Packet Sniffing Using AirPcap with Wireshark

■ Cracking a WEP Network with Aircrack-ng for Windows

■ Sniffing the Network Using the OmniPeek Network Analyzer

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

TASK 1: Overview

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

WiFi Packet Sniffing Using AirPcap with Wireshark

The AirPcap adapter is a USB device that, when used in tandem with the AirPcap drivers and WinPcap libraries, allows a pentester to monitor 802.11 b/g traffic in monitor mode.

Lab Scenario

Wireless networks can be open to active and also passive attacks. These types of attacks include DoS, MITM, spoofing, jamming, war driving, network hijacking, packet sniffing, and many more. Passive attacks that take place on wireless networks are common and are difficult to detect since the attacker usually just collects information. Active attacks happen when a hacker has gathered information about the network after a successful passive attack. Sniffing is the act of monitoring the network traffic using legitimate network analysis tools. Hackers can use monitoring tools, including AiroPeek, Ethereal, TCPDump, or Wireshark, to monitor the wireless networks. These tools allow hackers to find an unprotected network that they can hack. Your wireless network can be protected against this type of attack by using strong encryption and authentication methods.

In this lab we discuss the Wireshark tool, which can sniff the network using a wireless adapter. Since you are the ethical hacker and penetration tester of an organization, you need to check the wireless security, exploit the flaws in WEP, and evaluate weaknesses present in WEP for your organization.

Lab Objectives

The objective of this lab is to help students learn and understand how to:

■ Discover WEP packets


Lab Environment

To execute the lab, you need:

■ Install AirPcap adapter drivers; to install, navigate to D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools, and double-click setup_airpcap_4_1_1.exe to install

■ When you are installing the AirPcap adapter drivers, if any installation error occurs, install the AirPcap adapter drivers in compatibility mode (right-click the AirPcap adapter driver exe file, select Properties -> Compatibility, and in compatibility mode select Windows 7)

■ Wireshark located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\wireshark-win64-1.4.4.exe

■ Run this lab in Windows Server 2012 (host machine)

■ An access point configured with WEP on the host machine

■ This lab requires the AirPcap adapter installed on your machine. If you don’t have this adapter, please do not proceed with this lab

■ A standard AirPcap adapter with its drivers installed on your host machine

■ WinPcap libraries, Wireshark, and Cain & Abel installed on your host machine

■ Administrative privileges to run AirPcap and other tools

Lab Duration

Time: 15 Minutes

Overview of WEP (Wired Equivalent Privacy)

Several serious weaknesses in the protocol have been identified by cryptanalysts with the result that, today, a WEP connection can be easily cracked. Once entered onto a network, a skilled hacker can modify software, network settings, and other security settings.

Wired Equivalent Privacy (WEP) is a deprecated security algorithm for IEEE 802.11 wireless networks.
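An added example (not part of the lab manual): a defender-side audit that reads beacon frames from a monitor-mode capture and lists the access points still advertising WEP, so they can be scheduled for migration to WPA2 or later. The function names, BSSIDs and SSIDs are constructed for illustration, and frames are assumed to start at the 802.11 MAC header with no radiotap header.

```python
import struct

TAG_SSID, TAG_RSN, TAG_VENDOR = 0, 48, 221
WPA_IE_PREFIX = bytes.fromhex("0050f201")  # vendor IE: OUI 00:50:F2, type 1 = WPA
PRIVACY_BIT = 0x0010                       # bit 4 of the capability field
MGMT_HDR_LEN = 24                          # frame control .. sequence control
FIXED_LEN = 12                             # timestamp, beacon interval, capability


def iter_ies(body):
    """Yield (tag, value) for each information element; stop at a truncated one."""
    pos = 0
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            return
        yield tag, value
        pos += 2 + length


def classify_beacon(frame, has_fcs=False):
    """Classify one beacon or probe response; return None for other frames.

    `frame` starts at the 802.11 MAC header (assumption: no radiotap header).
    Set has_fcs=True when the capture kept the 4-byte FCS, as the lab's
    "Include 802.11 FCS in Frames" option does, so it is not parsed as an IE.
    """
    if has_fcs:
        frame = frame[:-4]
    if len(frame) < MGMT_HDR_LEN + FIXED_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in (5, 8):   # management: probe resp / beacon
        return None
    (capability,) = struct.unpack_from("<H", frame, MGMT_HDR_LEN + 10)
    ssid, has_rsn, has_wpa = None, False, False
    for tag, value in iter_ies(frame[MGMT_HDR_LEN + FIXED_LEN:]):
        if tag == TAG_SSID and ssid is None:
            ssid = value.decode("utf-8", errors="replace")
        elif tag == TAG_RSN:
            has_rsn = True
        elif tag == TAG_VENDOR and value.startswith(WPA_IE_PREFIX):
            has_wpa = True
    if has_rsn:
        security = "RSN"          # WPA2 or later
    elif has_wpa:
        security = "WPA"
    elif capability & PRIVACY_BIT:
        security = "WEP"          # encrypted, but no WPA/RSN element advertised
    else:
        security = "Open"
    return {"bssid": frame[16:22].hex(":"), "ssid": ssid or "", "security": security}


def find_wep_networks(frames, has_fcs=False):
    """Map BSSID -> SSID for every access point still advertising WEP."""
    found = {}
    for frame in frames:
        info = classify_beacon(frame, has_fcs)
        if info and info["security"] == "WEP":
            found[info["bssid"]] = info["ssid"]
    return found


def build_beacon(bssid, ssid, privacy, extra_ies=b"", fcs=False):
    """Construct a sample beacon (test data only, not captured traffic)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    capability = 0x0001 | (PRIVACY_BIT if privacy else 0)
    fixed = bytes(8) + struct.pack("<HH", 100, capability)
    name = ssid.encode()
    frame = header + fixed + bytes([TAG_SSID, len(name)]) + name + extra_ies
    return frame + (b"\xde\xad\xbe\xef" if fcs else b"")   # placeholder FCS


RSN_IE = bytes([TAG_RSN, 2, 1, 0])                          # version field only
WPA_IE = bytes([TAG_VENDOR, 6]) + WPA_IE_PREFIX + b"\x01\x00"
WMM_IE = bytes([TAG_VENDOR, 7]) + bytes.fromhex("0050f202000100")  # not WPA

SAMPLE_FRAMES = [   # constructed; BSSIDs use the locally administered range
    build_beacon("02:00:00:00:00:01", "lab-wep", True, WMM_IE),
    build_beacon("02:00:00:00:00:02", "lab-wpa2", True, RSN_IE),
    build_beacon("02:00:00:00:00:03", "lab-wpa", True, WPA_IE),
    build_beacon("02:00:00:00:00:04", "lab-open", False),
    b"\x08\x40" + bytes(38),                                # data frame: skipped
]

if __name__ == "__main__":
    for bssid, ssid in find_wep_networks(SAMPLE_FRAMES).items():
        print(f"WEP still in use: {ssid} ({bssid})")
```

The privacy bit alone only says the network is encrypted; it is the absence of both the RSN element and the WPA vendor element that marks a beacon as WEP.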

Lab Tasks

Download AirPcap drivers from the site and follow the wizard-driven installation steps to install AirPcap drivers.

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 1.1: Windows Server 2012—Desktop view

2. Click the AirPcap Control Panel app to open the AirPcap Control Panel window.

FIGURE 1.2: Windows Server 2012—Apps

3. The AirPcap Control Panel window appears.

Configure AirPcap

You can download AirPcap drivers from http://www.airdemon.net/riverbed.html

The AirPcap adapters can work in monitor mode. In this mode, the AirPcap adapter captures all of the frames that are transferred on a channel, not just frames that are addressed to it.

FIGURE 1.3: AirPcap Control Panel window

4. On the Settings tab, click the Interface drop-down list and select AirPcap USB wireless capture adapter.

5. In the Basic Configuration section, select suitable Channel, Capture Type, and FCS Filter and check the Include 802.11 FCS in Frames check box.

FIGURE 1.4: AirPcap Control Panel window

6. Now, click the Keys tab. Check the Enable WEP Decryption check box. This enables the WEP decryption algorithm. You can Add New Key, Remove Key, Edit Key, and Move Key Up and Down.

The Multi-Channel Aggregator can be configured like any real AirPcap device, and therefore can have its own decryption, FCS checking and packet filtering settings.

In Basic Configuration box settings: Channel: The channels available in the Channel list box depend upon the selected adapter. Since channel numbers 14 in the 2.4GHz and 5GHz bands overlap and there are center frequencies (channels) that do not have channel numbers, each available channel is given by its center frequency.


7. After configuring settings and keys, click OK.

FIGURE 1.5: AirPcap Control Panel window

8. Launch Wireshark Network Analyzer. The Wireshark main window appears.

In Basic Configuration Settings: Extension Channel: For 802.11n adapters, one can use the Extension Channel list to create a “wide” channel. The choices are -1 (the preceding 20MHz frequency band), 0 (no extension channel), or +1 (the succeeding 20MHz frequency band). The channel of the additional frequency band is called the extension channel.

TASK 2: Capturing the packets

You can download Wireshark from http://www.wireshark.org.

FIGURE 1.6: Wireshark Network Analyzer main window

9. Configure AirPcap as an interface to Wireshark. Select Capture -> Interfaces... (Ctrl+I). You can also click the icon on the toolbar.

FIGURE 1.7: Wireshark Network Analyzer with interface option

10. The Wireshark: Capture Interfaces window appears. By default, the AirPcap adapter is not in running mode. Select the AirPcap USB wireless capture adapter nr. 00 check box. Click Start.

The following are some of the many features Wireshark provides available for UNIX and Windows.

■ Capture live packet data from a network interface.

■ Display packets with very detailed protocol information.

■ Open and Save packet data captured.

■ Import and Export packet data from and to a lot of other capture programs.

■ Filter packets on many criteria.

■ Search for packets on many criteria.

■ Colorize packet display based on filters.

■ Create various statistics

FIGURE 1.8: Wireshark Capture Interface

11. Automatically, the Capturing from AirPcap USB wireless capture adapter nr. 00 - Wireshark window appears, and it starts capturing packets from AirPcap Adapter.

Note: Wireshark isn't an intrusion detection system. It does not warn you when someone does things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.

Wireshark can capture traffic from many different network media types - and despite its name - including wireless LAN as well. Which media types are supported depends on many things, such as the operating system you are using.

FIGURE 1.9: Wireshark Network Analyzer window with packets captured

12. Wait while Wireshark captures packets from AirPcap. If the Filter Toolbar option is not visible on the toolbar, select View -> Filter Toolbar. The Filter Toolbar appears.

Note: Wireshark doesn't benefit much from Multiprocessor/Hyperthread systems as time-consuming tasks, like filtering packets, are single threaded. No rule is without exception: During an “update list of packets in real time” capture, capturing traffic runs in one process and dissecting and displaying packets runs in another process, which should benefit from two processors.

Wireshark can open packets captured from a large number of other capture programs.

FIGURE 1.10: Wireshark Network Analyzer window with interface option

13. Now select View -> Wireless Toolbar. The wireless toolbar appears in the window.

Wireshark is a network packet analyzer that captures network packets and tries to display that packet data as detailed as possible.

FIGURE 1.11: Wireshark Network Analyzer window with wireless toolbar option

14. You will see the source and destination of the packet captured by Wireshark.

One possible alternative is to run tcpdump, or the dumpcap utility that comes with Wireshark, with superuser privileges to capture packets into a file, and later analyze these packets by running Wireshark with restricted privileges on the packet capture dump file.

FIGURE 1.12: Wireshark Network Analyzer window with 802.11 channel captured packets

15. After enough packet captures, stop Wireshark.

FIGURE 1.13: Stop Wireshark packet capture

16. Go to File from menu bar, and select Save.


Note: The latest version is faster and contains a lot of new features, like APR (ARP Poison Routing), which enables sniffing on switched LANs and man-in-the-middle attacks.

FIGURE 1.14: Save the captured packets

17. Enter the File name, and click Save.


FIGURE 1.15: Save the captured packet file

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Wireshark
Information Collected/Objectives Achieved:
Used Adapter: AirPcap USB wireless capture adapter nr. 00
Result: Number of sniffed packets captured by Wireshark in the network, which include: Packet Number, Time, Source, Destination, Protocol, and Info


Questions

1. Evaluate and determine the number of wireless cards supported by the wireless scanner.

2. Analyze and evaluate how AirPcap adapters operate.

Internet Connection Required: ☑ Yes ☑ No

Platform Supported: ☑ Classroom □ iLabs


Lab

Cracking a WEP Network with Aircrack-ng for Windows

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that recovers keys once enough data packets have been captured. It implements the standard FMS attack along with some optimisations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.

Lab Scenario

Network administrators can take steps to help protect their wireless network from outside threats and attacks. Most hackers will post details of any loops or exploits online, and if they find a security hole, they will come in droves to test your wireless network with it. WEP is used for wireless networks. Always change your SSID from the default before you actually connect the wireless router for the access point. If SSID broadcast is not disabled on an access point, a DHCP server should not be used to automatically assign IP addresses to wireless clients, because war driving tools can easily detect your internal IP addressing if the SSID broadcasts are enabled and DHCP is being used.

As an ethical hacker and penetration tester of an organization, your IT director will assign you the task of testing wireless security, exploiting the flaws in WEP, and cracking the keys present in WEP of an organization. In this lab we discuss how WPA keys are cracked using standard attacks such as KoreK attacks and PTW attacks.

Lab Objectives

The objective of this lab is to protect the wireless network from attackers.

In this lab, you will learn how to:

■ Crack WEP using various tools

■ Capture network traffic

■ Analyze and detect wireless traffic

ICON KEY: Valuable information; Test your knowledge; Web exercise; Workbook review

Tools demonstrated in this lab are available on D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks


Lab Environment

To execute the lab, you need:

■ Aircrack-ng located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\WEP-WPA Cracking Tools\Aircrack-ng\bin

■ This tool requires administrative privileges to run

■ A client connected to a wireless access point

■ This lab requires an AirPcap adapter installed on your machine. If you don't have this adapter, please do not proceed with the lab

Lab Duration

Time: 20 Minutes

Overview of Aircrack-ng

A wireless network refers to any type of computer network that is wireless, and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves, such as radio waves, for the carrier, and this implementation usually takes place at the physical level or layer of the network.

Lab Task

1. Launch Aircrack-ng GUI from D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap\bin by double-clicking Aircrack-ng GUI.exe.

2. Click the Airodump-ng tab.

Note: Visit the Backtrack home site http://www.backtrack-linux.org for a complete list of compatible Wi-Fi adapters.

Note: Aireplay filter options: -b bssid: MAC address, access point.

TASK 1: Cracking a WEP Network

Note: To start wlan0 in monitor mode, type: airmon-ng start wlan0.

Note: To stop wlan0, type: airmon-ng stop wlan0.

FIGURE 2.1: Airodump-ng window


3. Click Launch. This will show the airodump window.

    airodump-ng 0.9 - (C) 2006 Thomas d'Otreppe
    Original work: Christophe Devine

    usage: airodump-ng <nic index> <nic type> <channel(s)> <output prefix> [ivs only flag]

    Known network adapters:
    1 AirPcap USB wireless capture adapter nr. 00

    Network interface index number ->

FIGURE 2.2: Airodump-ng selecting adapter window

4. Type the AirPcap adapter index number as 0 and select all channels by typing 11. Press Enter.

    Network interface index number  -> 0
    Channel(s): 1 to 14, 0 = all    -> 11
    (note: if you specify the same output prefix, airodump will resume
     the capture session by appending data to the existing capture file)
    Output filename prefix          ->

FIGURE 2.3: Airodump-ng selecting adapter window

5. It will prompt you for a file name. Enter Capture and press Enter.

Note: To confirm that the card is in monitor mode, run the command "iwconfig". You can then confirm the mode is "monitor" and the interface name.

Note: Aircrack-ng option: -b bssid (long version: --bssid). Select the target network based on the access point's MAC address.

Note: For cracking WPA/WPA2 pre-shared keys, only a dictionary method is used. SSE2 support is included to dramatically speed up WPA/WPA2 key processing.


    Network interface index number  -> 0
    Channel(s): 1 to 14, 0 = all    -> 11
    (note: if you specify the same output prefix, airodump will resume
     the capture session by appending data to the existing capture file)
    Output filename prefix          -> capture
    (note: to save space and only store the captured WEP IVs, press y.
     The resulting capture file will only be useful for WEP cracking)
    Only write WEP IVs (y/n)        ->

Note: When Aircrack-ng completes determining the key, it is presented to you in hexadecimal format, such as KEY FOUND! [BF:53:9E:DB:37].

FIGURE 2.4: Airodump-ng selecting adapter window

6. Type y in Only write WEP IVs. Press Enter.

    Only write WEP IVs (y/n)        -> y

FIGURE 2.5: Airodump-ng dumping the captured packets window

7. After pressing y, it will display Wi-Fi traffic; leave it running for a few minutes.

Note: Airodump option: -f <msecs>: Time in ms between hopping channels.

Note: Aireplay filter option: -d dmac: MAC address, Destination.

8. Allow airodump-ng to capture a large number of packets (above 2,000,000).


[airodump-ng 0.9.3 listing for channel 11. Access point columns: BSSID, PWR, Beacons, # Data, CH, MB, ENC, ESSID. Station columns: BSSID, STATION, PWR, Packets, ESSID. The NETGEAR access point (BSSID 00:09:5B:AE:24:CC) is listed on channel 11 with ENC WEP and 224385 data packets.]

FIGURE 2.6: Airodump-ng Channel listing window

9. Now close the window.

10. Go to Aircrack-ng and click Advanced Options.

FIGURE 2.7: Aircrack-ng options window

11. Click Choose and select the filename capture.ivs.

Note: This is a different file from the one you recorded; this file contains precaptured IVS keys. The path is D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap

Note: airmon-ng is a bash script designed to turn wireless cards into monitor mode. It auto-detects which card you have and runs the right commands.

Note: Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vectors) for the intent of using them with aircrack-ng.


Note: To save time capturing the packets, for your reference, the capture.ivs file (this capture.ivs file contains more than 200000 packets) is at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap.

12. After selecting the file, click Launch.

FIGURE 2.8: Aircrack-ng launch window

13. If you have captured enough packets, you will be able to crack the packets.

14. Select your target network from BSSID and press Enter.

    Opening D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap\capture.ivs
    Read 231344 packets.

    00:09:5B:AE:24:CC  WEP (231233 IVs)
    94:44:52:F2:45:0C  WEP (111 IVs)

    Index number of target network ? 1

Note: To put your wireless card into monitor mode: airmon-ng start rausb0.

Note: You may use this key without the ":" in your wireless client connection prompt and specify that the key is in hexadecimal format to connect to the wireless network.

FIGURE 2.9: Select target network


Note: Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng.

    Aircrack-ng 0.9.3

    [00:00:06] Tested 1 keys (got 164492 IVs)

    KB    depth   byte(vote)
     0    0/  1   BF(  42) B9(  15) 4B(  13) 41(  12) FF(   9) F6(   4)
     1    0/  3   53(  40) C9(  32) 34(  20) AF(  19) B4(  19) 40(  16)
     2    0/  4   9E(  40) D8(  28) 64(  23) 88(  23) E4(  18) 82(  18)
     3    0/  1   DB( 143) 97(  46) 33(  33) 43(  29) 38(  27) 36(  26)

    KEY FOUND! [ BF:53:9E:DB:37 ]
    Decrypted correctly: 100%

    C:\Users\Administrator\Desktop\aircrack-ng-0.9.3-win\aircrack-ng-0.9.3-win\bin>

FIGURE 2.10: aircrack-ng with WEP crack key

Lab Analysis

Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Aircrack-ng
Information Collected/Objectives Achieved:
Number of packets captured: 224385
Cracked wireless adaptor name: NETGEAR
Output: Decrypted key BF:53:9E:DB:37

Questions

1. Analyze and evaluate how aircrack-ng operates.

2. Does the aircrack-ng suite support the AirPcap adapter?


Internet Connection Required: □ Yes ☑ No

Platform Supported: ☑ iLabs


Lab 3

Sniffing the Network Using the OmniPeek Network Analyzer

OmniPeek is a standalone network analysis tool used to solve network problems.

Lab Scenario

Packet sniffing is a form of wire-tapping applied to computer networks. It came into vogue with Ethernet; this means that traffic on a segment passes by all hosts attached to that segment. Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone's traffic. Most hubs/switches allow the intruder to sniff remotely using SNMP, which has weak authentication. Where POP, IMAP, HTTP Basic, or Telnet authentication is in use, an intruder reads the password off the wire in cleartext.

To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. OmniPeek network analysis performs deep packet inspection, network forensics, troubleshooting, and packet and protocol analysis of wired and wireless networks. In this lab we discuss wireless packet analysis of captured packets.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Lab Environment

In this lab, you need:

■ Advanced OmniPeek Network Analyzer located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\Wi-Fi Packet Sniffer\OmniPeek Network Analyzer

■ You can also download the latest version of OmniPeek Network Analyzer from the link http://www.wildpackets.com


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks


■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ Run this tool in Windows Server 2008

■ A web browser and Microsoft .NET Framework 2.0 or later

■ Double-click OmniPeek682demo.exe and follow the wizard-driven installation steps to install OmniPeek

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of OmniPeek Network Analyzer

OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of each and every part of the network from a single interface, which includes Ethernet, Gigabit, 10 Gigabit, VoIP, Video to remote offices, and 802.11 a/b/g/n.

Note: You can download OmniPeek Network Analyzer from http://www.wildpackets.com

Lab Tasks

1. Launch OmniPeek by selecting Start → All Programs → Wildpackets Omni packets Demo.

2. Click View sample files.

TASK 1: Analyzing WEP Packets

FIGURE 3.1: OmniPeek main window

3. Select WEP.pkt.


FIGURE 3.2: OmniPeek Sample Files window

4. It will open WEP.pkt in the window. Select Packets from the left pane.

Note: OmniPeek gives network engineers real-time visibility and Expert Analysis into every part of the network from a single interface, including Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless, VoIP, and Video to remote offices.

FIGURE 3.3: TELNET-UnWEP packets window

5. Double-click any of the packets in the right pane.


Note: Comprehensive network performance management and monitoring of entire enterprise networks, including network segments at remote offices.

6. Click the right arrow to view the next packet.

Note: OmniPeek Connect manages an organization's Omnipliance and TimeLine network recorders, and provides all the console capabilities of OmniPeek Enterprise with the exception of local capture and VoIP call playback.

7. Close the tab from the top and select different options from the right pane; click Graphs.

FIGURE 3.4: TELNET-UnWEP packets analyzer

FIGURE 3.5: TELNET-UnWEP packets frame window (decode of one packet from WEP.pkt: packet information followed by the 802.11 MAC header with version, type, subtype, and frame control flags)


FIGURE 3.6: WEP Graphs window

8. Now traverse through all the options in the left pane of the window.

Note: OmniPeek Enterprise also provides advanced Voice and Video over IP functionality including signaling and media analyses of voice and video, VoIP playback, voice and video Expert Analysis, Visual Expert, and more.

Lab Analysis

Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: OmniPeek Network Analyzer
Information Collected/Objectives Achieved:
Packet Information:
• Packet Number
• Flags
• Status
• Packet Length
• Timestamp
• Data Rate
• Channel
• Signal level
• Signal dBm
• Noise Level
• Noise dBm
• 802.11 MAC Header Details
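The 802.11 MAC header details that OmniPeek decodes, and the Frame Control value 0x00D4 with Type/Subtype 0x1d that Wireshark showed for the Acknowledgement frame in the first lab, come from the first two bytes of every frame. The Python below is an added example, not part of the lab manual or of any tool it uses: it decodes Frame Control and uses the Protected flag plus the ExtIV bit of the IV header to flag data frames that are still protected with WEP, which is the check a defender runs over a capture of their own network. The frames, MAC addresses, and function names are constructed for illustration, and frames are assumed to start at the MAC header with any radiotap header already stripped.

```python
from collections import Counter

TYPES = {0: "Management", 1: "Control", 2: "Data"}
NAMES = {(0, 8): "Beacon", (1, 13): "Acknowledgement", (2, 0): "Data",
         (2, 4): "Null function (no data)", (2, 8): "QoS Data"}
# Flag names for bits 8..15 of the 16-bit Frame Control value.
FLAGS = ["To DS", "From DS", "More Fragments", "Retry",
         "Power Management", "More Data", "Protected", "Order"]


def decode_frame_control(frame: bytes) -> dict:
    """Split the first two bytes of an 802.11 frame into their fields."""
    if len(frame) < 2:
        raise ValueError("frame is shorter than the Frame Control field")
    fc = int.from_bytes(frame[:2], "little")      # bytes d4 00 -> 0x00D4
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    return {
        "frame_control": fc,
        "version": fc & 0x3,
        "type": TYPES.get(ftype, "Reserved"),
        "subtype": subtype,
        # Combined value in the style of the Wireshark "Type/Subtype" line.
        "type_subtype": (ftype << 4) | subtype,
        "name": NAMES.get((ftype, subtype), "other"),
        "flags": [n for bit, n in enumerate(FLAGS) if fc & (0x0100 << bit)],
    }


def data_header_length(fc: int) -> int:
    """Length of the MAC header of a data frame, before any IV header."""
    length = 24                       # FC, duration, 3 addresses, sequence
    if (fc >> 8) & 0x3 == 0x3:        # To DS and From DS: Address 4 present
        length += 6
    if (fc >> 4) & 0x8:               # QoS data subtypes carry QoS Control
        length += 2
        if fc & 0x8000:               # Order bit on a QoS frame: HT Control
            length += 4
    return length


def classify_protection(frame: bytes) -> str:
    """Return how the payload of one frame is protected."""
    info = decode_frame_control(frame)
    if info["type"] != "Data":
        return "not-data"
    if info["subtype"] & 0x4:         # Null / QoS Null: no frame body
        return "no-payload"
    if "Protected" not in info["flags"]:
        return "cleartext"
    offset = data_header_length(info["frame_control"])
    if len(frame) < offset + 4:
        return "truncated"
    # Byte 3 of the IV header: ExtIV (0x20) is clear for WEP and set for
    # TKIP and CCMP, which extend the header to 8 bytes.
    return "tkip-or-ccmp" if frame[offset + 3] & 0x20 else "wep"


def survey(frames) -> dict:
    """Count frames per protection class, e.g. to spot WEP still in use."""
    return dict(Counter(classify_protection(f) for f in frames))


# Constructed sample frames (locally administered MAC addresses, no FCS).
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
BCAST = b"\xff" * 6


def _header(fc_hex: str, a1: bytes, a2: bytes, a3: bytes) -> bytes:
    """24-byte MAC header: FC, duration 0, three addresses, sequence."""
    return bytes.fromhex(fc_hex) + b"\x00\x00" + a1 + a2 + a3 + b"\x10\x00"


SAMPLE_FRAMES = {
    "ack": bytes.fromhex("d4000000") + STA,
    "beacon": _header("8000", BCAST, AP, AP),
    # 3-byte IV, key ID byte with ExtIV clear, then opaque body bytes.
    "wep_data": _header("0841", AP, STA, AP)
                + bytes.fromhex("a1b2c300") + b"\x00" * 12,
    # QoS Control (2 bytes), then an 8-byte header with ExtIV set.
    "ccmp_data": _header("8841", AP, STA, AP) + b"\x00\x00"
                 + bytes.fromhex("0100002000000000") + b"\x00" * 16,
    "null": _header("4811", AP, STA, AP),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_FRAMES.items():
        d = decode_frame_control(raw)
        print(f"{label:10} fc=0x{d['frame_control']:04X} {d['name']:24} "
              f"{d['flags']} -> {classify_protection(raw)}")
    print(survey(SAMPLE_FRAMES.values()))
```

Any non-zero "wep" count in a survey of your own network identifies traffic that should be moved to WPA2 or later.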

Questions

1. Analyze and evaluate the list of captured packets.

Internet Connection Required: ☑ Yes □ No

Platform Supported: ☑ Classroom □ iLabs
