Lab Manual
Hacking Wireless Networks
Module 15
Hacking Wireless Networks
Wi-Fi is developed on IEEE 802.11 standards and is widely used in wireless communication. It provides wireless access to applications and data across a radio network.
Lab Scenario
Wireless network technology is becoming increasingly popular but, at the same time, it has many security issues. A wireless local area network (WLAN) allows workers to access digital resources without being tethered to their desks. However, the convenience of WLANs also introduces security concerns that do not exist in a wired world. Connecting to a network no longer requires an Ethernet cable. Instead, data packets are airborne and available to anyone with the ability to intercept and decode them. Several reports have explained weaknesses in the Wired Equivalent Privacy (WEP) algorithm used by the 802.11x standard to encrypt wireless data. To be an expert ethical hacker and penetration tester, you must have sound knowledge of wireless concepts, wireless encryption, and their related threats. As a security administrator of your company, you must protect the wireless network from hacking.
Lab Objectives
The objective of this lab is to protect the wireless network from attackers.
In this lab, you will learn how to:
Crack WEP using various tools
Capture network traffic
Analyze and detect wireless traffic
Lab Environment
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks
This lab requires an AirPcap adapter installed on your machine for all labs
Lab Duration
Time: 30 Minutes
Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Overview
radio waves for the carrier. The implementation usually takes place at the physical level or layer of the network.
Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Recommended labs to assist you in Wireless Networks:
WiFi Packet Sniffing Using AirPcap with Wireshark
Cracking a WEP Network with Aircrack-ng for Windows
Sniffing the Network Using the OmniPeek Network Analyzer
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
WiFi Packet Sniffing Using AirPcap with Wireshark
The AirPcap adapter is a USB device that, when used in tandem with the AirPcap drivers and WinPcap libraries, allows a pentester to monitor 802.11b/g traffic in monitor mode.
Lab Scenario
Wireless networks can be open to active and also passive attacks. These types of attacks include DoS, MITM, spoofing, jamming, war driving, network hijacking, packet sniffing, and many more. Passive attacks that take place on wireless networks are common and are difficult to detect since the attacker usually just collects information. Active attacks happen when a hacker has gathered information about the network after a successful passive attack. Sniffing is the act of monitoring the network traffic using legitimate network analysis tools. Hackers can use monitoring tools, including AiroPeek, Ethereal, TCPDump, or Wireshark, to monitor the wireless networks. These tools allow hackers to find an unprotected network that they can hack. Your wireless network can be protected against this type of attack by using strong encryption and authentication methods.
In this lab we discuss the Wireshark tool, which can sniff the network using a wireless adapter. Since you are the ethical hacker and penetration tester of an organization, you need to check the wireless security, exploit the flaws in WEP, and evaluate weaknesses present in WEP for your organization.
Lab Objectives
The objective of this lab is to help students learn and understand how to:
Discover WEP packets
Lab Environment
Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks
To execute the lab, you need:
Install AirPcap adapter drivers; to install, navigate to D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap-Enabled Open Source tools,
When you are installing the AirPcap adapter drivers, if any installation error occurs, install the AirPcap adapter drivers in compatibility mode (right-click the AirPcap adapter driver exe file, select Properties -> Compatibility, in compatibility mode, and select Windows 7)
Wireshark 1.4.4.exe
An access point configured with WEP on the host machine
This lab requires the AirPcap adapter installed on your machine. If you don't have this adapter, please do not proceed with this lab
A standard AirPcap adapter with its drivers installed on your host machine
WinPcap libraries, Wireshark, and Cain & Abel installed on your host machine
Administrative privileges to run AirPcap and other tools
Lab Duration
Time: 15 Minutes
Overview of WEP (Wired Equivalent Privacy)
Wired Equivalent Privacy (WEP) is a deprecated security algorithm for IEEE 802.11 wireless networks. Several serious weaknesses in the protocol have been identified by cryptanalysts with the result that, today, a WEP connection can be easily cracked. Once entered
Lab Tasks
Configure AirPcap
Download AirPcap drivers from the site and follow the wizard-driven installation steps to install AirPcap drivers.
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
The AirPcap adapters can work in monitor mode. In this mode, the AirPcap adapter captures all of the frames that are transferred on a channel, not just frames that are addressed to it.
3. The AirPcap Control Panel window appears.
4. On the Settings tab, click the Interface drop-down list and select AirPcap USB wireless capture adapter.
5. In the Basic Configuration section, select suitable Channel, Capture Type, and FCS Filter and check the Include 802.11 FCS in Frames check box.
6. Now, click the Keys tab. Check the Enable WEP Decryption check box. This enables the WEP decryption algorithm. You can Add New Key, Remove Key, Edit Key, and Move Key Up and Down.
Capturing the packets
Network Analyzer. The Wireshark main window
[Screenshot: The Wireshark Network Analyzer main window, Version 1.8.2 (SVN Rev 44520 from /trunk-1.8), with the Interface List showing the AirPcap USB wireless capture adapter nr. 00]
Select Capture ->
Import and export packet data from and to a lot of other capture programs. Filter packets on many criteria. Search for packets on many criteria. Colorize packet display based on filters. Create various statistics.
10. The Wireshark: Capture Interfaces window appears. By default, the AirPcap adapter is not in running mode. Select the AirPcap USB wireless capture adapter nr. 00 check box. Click Start.
Note: Wireshark isn't an intrusion detection system. It does not warn you when someone does things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.
[Screenshot: Wireshark window "Capturing from AirPcap USB wireless capture adapter nr. 00", listing captured 802.11 Beacon frames sent to Broadcast]
Wireshark can capture traffic from many different network media types, and despite its name, including wireless LAN as well. Which media types are supported depends on many things, such as the operating system you are using.
12. Wait while Wireshark captures packets from AirPcap. If the Filter Toolbar option is not visible on the toolbar, select View -> Filter Toolbar. The Filter Toolbar appears.
Note: Wireshark doesn't benefit much from Multiprocessor/Hyperthread systems as time-consuming tasks, like filtering packets, are single threaded. No rule is without exception: during an "Update list of packets in real time" capture, capturing traffic runs in one process and dissecting and displaying packets runs in another process, which should benefit from two processors.
[Screenshot: Wireshark View menu with the Main Toolbar, Filter Toolbar, Wireless Toolbar, Status Bar, Packet List, Packet Details, and Packet Bytes options]
Wireshark can open packets captured from a large number of other capture programs.
-> Wireless Toolbar.
[Screenshot: Wireshark capture window with the Wireless Toolbar displayed]
Wireshark is a network packet analyzer that captures network packets and tries to display that packet data as detailed as possible.
FIGURE 1.12: Wireshark Network Analyzer window with 802.11 channel captured packets
[Screenshot: Wireshark capture window listing IEEE 802.11 frames (Beacon frame, Acknowledgement, Null function, QoS Data)]
The latest version is faster and contains a lot of new features, like APR (ARP Poison Routing), which enables sniffing on switched LANs and Man-in-the-Middle attacks.
[Screenshot: Wireshark File menu and the save dialog showing the aircrack-ng-0.9-airpcap folder]
Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Wireshark
Information Collected/Objectives Achieved:
Used Adapter: AirPcap USB wireless capture adapter nr. 00
Result: Number of sniffed packets captured by Wireshark in network, which include: Packet Number, Time, Source, Destination, Protocol, and Info
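The beacon frames recorded in this lab can be audited offline to find access points that still advertise WEP or no encryption. The following is an added example, not part of the lab manual or of any tool it uses: it parses raw beacon frames as a monitor-mode capture delivers them, verifies the FCS that step 5 asks you to include, and reports the protection each access point advertises. The function names, BSSIDs and SSIDs are assumptions constructed for the example.

```python
import struct
import zlib

BEACON_FC0 = 0x80                   # version 0, type 0 (management), subtype 8 (beacon)
CAP_PRIVACY = 0x0010                # capability bit 4: data frames are encrypted
TAG_SSID, TAG_RSN, TAG_VENDOR = 0, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"  # vendor element carrying WPA (pre-RSN) parameters


def fcs(data: bytes) -> bytes:
    """802.11 frame check sequence: CRC-32 over the frame, stored little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def parse_beacon(frame: bytes, has_fcs: bool = True) -> dict:
    """Parse one raw beacon frame (no radiotap/PPI header in front)."""
    if has_fcs:
        if len(frame) < 4 or fcs(frame[:-4]) != frame[-4:]:
            raise ValueError("FCS mismatch, frame was damaged in transit")
        frame = frame[:-4]
    # 24-byte management header + 12 bytes of fixed beacon fields
    if len(frame) < 36 or frame[0] != BEACON_FC0:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02X}" for b in frame[16:22])
    capability = struct.unpack_from("<H", frame, 34)[0]
    ssid, has_rsn, has_wpa = "", False, False
    pos = 36
    while pos + 2 <= len(frame):        # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                       # truncated element, stop parsing
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", "replace")
        elif tag == TAG_RSN:
            has_rsn = True              # RSN element: WPA2 or later
        elif tag == TAG_VENDOR and value.startswith(WPA_OUI_TYPE):
            has_wpa = True
        pos += 2 + length
    if not capability & CAP_PRIVACY:
        enc = "OPN"
    elif has_rsn:
        enc = "WPA2"
    elif has_wpa:
        enc = "WPA"
    else:
        enc = "WEP"                     # privacy bit set, no WPA/RSN element
    return {"bssid": bssid, "ssid": ssid, "enc": enc}


def audit(frames, has_fcs: bool = True) -> list:
    """One record per BSSID; frames that fail the FCS or are not beacons are skipped."""
    seen = {}
    for raw in frames:
        try:
            record = parse_beacon(raw, has_fcs)
        except ValueError:
            continue
        seen[record["bssid"]] = record
    return sorted(seen.values(), key=lambda r: r["bssid"])


def weak_networks(records) -> list:
    """Access points that should be reconfigured: WEP or no encryption."""
    return [r for r in records if r["enc"] in ("WEP", "OPN")]


def build_beacon(bssid: str, ssid: str, capability: int, extra: bytes = b"") -> bytes:
    """Build a constructed beacon with a valid FCS (sample data only)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    name = ssid.encode()
    header = struct.pack("<BBH", BEACON_FC0, 0, 0) + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, capability)   # timestamp, interval, capability
    frame = header + fixed + bytes([TAG_SSID, len(name)]) + name + extra
    return frame + fcs(frame)


# Constructed sample input: four access points with made-up BSSIDs and SSIDs.
RSN_IE = bytes([TAG_RSN, 2, 1, 0])
WPA_IE = bytes([TAG_VENDOR, 6]) + WPA_OUI_TYPE + b"\x01\x00"
SAMPLE_FRAMES = [
    build_beacon("02:00:00:00:00:01", "lab-open", 0x0001),
    build_beacon("02:00:00:00:00:02", "lab-wep", 0x0011),
    build_beacon("02:00:00:00:00:03", "lab-wpa", 0x0011, WPA_IE),
    build_beacon("02:00:00:00:00:04", "lab-wpa2", 0x0011, RSN_IE),
]
# A copy of the WEP beacon with one BSSID byte damaged and the old FCS left in place.
_damaged = bytearray(SAMPLE_FRAMES[1])
_damaged[21] ^= 0xFF
SAMPLE_FRAMES.append(bytes(_damaged))

if __name__ == "__main__":
    for rec in audit(SAMPLE_FRAMES):
        flag = "  <- reconfigure" if rec in weak_networks([rec]) else ""
        print(f'{rec["bssid"]}  {rec["enc"]:<5} {rec["ssid"]}{flag}')
```

Without the FCS check, the damaged frame would be reported as a fifth access point with a BSSID that does not exist, which is why a capture taken with FCS Filter set to All Frames can list senders that were never on the air.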
Questions
1. Evaluate and determine the number of wireless cards supported by the wireless scanner.
2. Analyze and evaluate how AirPcap adapters operate.
Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs
Lab
Cracking WEP Network with Aircrack-ng for Windows
Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that recovers keys once enough data packets have been captured. It implements the standard FMS [...] the all-new PTW [...] WEP cracking tools.
Lab Scenario
Network administrators can take steps to help protect their wireless network from outside threats and attacks. Most hackers will post details of any loops or exploits online, and if they find a security hole, they will come in droves to test your wireless network with it. WEP is used for wireless networks. Always change your SSID from the default, before you actually connect the wireless router for the access point. If an SSID broadcast is not disabled on an access point, the use of a DHCP server to automatically assign IP addresses to wireless clients should not be used because war driving tools can easily detect your internal IP addressing if the SSID broadcasts are enabled and DHCP is being used. As an ethical hacker and penetration tester of an organization, your IT director will assign you the task of testing wireless security, exploiting the flaws in WEP, and cracking the keys present in WEP of an organization. In this lab we discuss how WPA keys are cracked using standard attacks such as KoreK attacks and PTW attacks.
Lab Objectives
In this lab, you will learn how to:
Crack WEP using various tools
Capture network traffic
Analyze and detect wireless traffic
Lab Environment
This tool requires Administrative privileges to run
A client connected to a wireless access point
This lab requires an AirPcap adapter installed on your machine. If you don't have this adapter, please do not proceed with the lab
Lab Duration
Time: 20 Minutes
Overview of Aircrack-ng
A wireless network refers to any type of computer network that is wireless, and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves, such as radio waves, for the carrier, and this implementation usually takes place at the physical level or layer of the network.
Aireplay filter options: -b bssid: MAC address, access point.
Lab Task
Cracking a WEP Network
1. Launch Aircrack-ng GUI from [...] by double-clicking Aircrack-ng
[Screenshot: airodump-ng 0.9 console window listing the known network adapters and prompting for the network interface index number]
To confirm that the card is in monitor mode, run the command iwconfig. You can then confirm the mode is monitor and the interface name.
4. Type the AirPcap adapter index number as 0 and select all channels by typing 11. Press Enter.
Aircrack-ng option: -b bssid. Long version --bssid. Select the target network based on the access point's MAC address.
For cracking WPA/WPA2 pre-shared keys, only a dictionary method is used. SSE2 support is included to dramatically speed up WPA/WPA2 key processing.
capture and press Enter.
Aircrack-ng completes determining the key; it is presented to you in hexadecimal format such as KEY FOUND! [BF:53:9E:DB:37].
6. Type y in Only write WEP IVs. Press Enter.
Airodump option: -f <msecs>: Time in ms between hopping channels.
    airodump-ng 0.9 - (C) 2006 Thomas d'Otreppe
    Original work: Christophe Devine
    usage: airodump-ng <nic index> <nic type> <channel(s)> <output prefix> [ivs only flag]
    Known network adapters:
    1 AirPcap USB wireless capture adapter nr. 00
    Network interface index number -> 0
    Channel(s): 1 to 14, 0 = all -> 11
    (note: if you specify the same output prefix, airodump will resume the capture session by appending data to the existing capture file)
    Output filename prefix -> capture
    (note: to save space and only store the captured WEP IVs, press y. The resulting capture file will only be useful for WEP cracking)
    Only write WEP IVs (y/n) ->
7. After pressing y, it will display Wi-Fi traffic; leave it running for a few minutes.
8.
Ethical Hacking and Countermeasures Copyright by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.
FIGURE 2.6: Airodump-ng Channel listing window (access point columns: BSSID, PWR, Beacons, # Data, CH, MB, ENC, ESSID; station columns: BSSID, STATION, PWR, Packets, ESSID)
airmon-ng is a bash script designed to turn wireless cards into monitor mode. It auto-detects which card you have and runs the right commands. Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vectors) for the intent of using them with aircrack-ng.
and click Advanced Options.
[Screenshot: Aircrack-ng GUI, Aircrack-ng tab, with Encryption (WEP or WPA), Key size 128 bits, Use wordlist, Use PTW attack, Specify ESSID, BCD characters, Numeric (Fritz!BOX), Multithreading bruteforce and the Launch button]
capture.ivs
Note: This is a different file from the one you recorded; this file contains precaptured IVS keys. The path is D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap-Enabled Open Source tools\aircrack-ng-0.9-airpcap
Note: To save time capturing the packets, for your reference, the capture.ivs file (this capture.ivs file contains more than 200000 packets) is at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap-Enabled Open Source tools\aircrack-ng-0.9-airpcap.
To put your wireless card into monitor mode: airmon-ng start rausb0.
[Screenshot: Aircrack-ng GUI, Aircrack-ng tab, with a capture file selected in Filename(s), Encryption (WEP or WPA), Key size 128 bits, and Advanced options (Specify ESSID, Specify BSSID, Fudge factor, Disable KoreK attacks, Key search filter, Multithreading bruteforce, Numeric (Fritz!BOX)) above the Launch button]
You may use this key without the ":" in your wireless client connection prompt and specify that the key is in hexadecimal format to connect to the wireless network.
13. If you get enough captured packets, you will be able to crack the packets.
14. Select your target network from BSSID and press Enter.
Opening D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap-Enabled Open Source tools\aircrack-ng-0.9-airpcap\capture.ivs
Read 231344 packets.
00:09:5B:AE:24:CC  WEP (231233 IVs)
94:44:52:F2:45:0C  WEP (111 IVs)
Index number of target network ? 1
Aircrack-ng 0.9.3
[00:00:06] Tested 1 keys (got 164492 IVs)
KB  depth  byte(vote)
0   0/ 1   BF( 42) B9( 15) 4B( 13) 41( 12) FF( 9)
1   0/ 3   53( 40) C9( 32) 34( 20) AF( 19) B4( 19)
2   0/ 4   9E( 40) D8( 28) 64( 23) 88( 23) E4( 18)
3   0/ 1   DB( 143) 97( 46) 33( 33) 43( 29) 38( 27)
KEY FOUND! [ BF:53:9E:DB:37 ]
Decrypted correctly: 100%
C:\Users\Administrator\Desktop\aircrack-ng-0.9.3-win\aircrack-ng-0.9.3-win\bin>

Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng.
Lab Analysis
Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility: Aircrack-ng
Questions
1. Analyze and evaluate how aircrack-ng operates.
2. Does the aircrack-ng suite support the AirPcap adapter?
Sniffing the Network Using the OmniPeek Network Analyzer
OmniPeek is a standalone network analysis tool used to solve network problems.
ICON KEY: Valuable information; Test your knowledge; Web exercise; Workbook review
Lab Scenario
Packet sniffing is a form of wire-tapping applied to computer networks. It came into vogue with Ethernet; this means that traffic on a segment passes by all hosts attached to that segment. Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone's traffic. Most of the hubs/switches allow the intruder to sniff remotely using SNMP, which has weak authentication. Using POP, IMAP, HTTP Basic, and Telnet authentication, an intruder reads the password off the wire in cleartext. To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. OmniPeek network analysis performs deep packet inspection, network forensics, troubleshooting, and packet and protocol analysis of wired and wireless networks. In this lab we discuss wireless packet analysis of captured packets.
Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.
Lab Environment
In this lab, you need:
Advanced OmniPeek Network Analyzer
You can also download the latest version of OmniPeek Network Analyzer from the link http://www.wildpackets.com
Run this tool in Windows Server 2008
A web browser and Microsoft .NET Framework 2.0 or later
Double-click OmniPeek682demo.exe and follow the wizard-driven installation steps to install OmniPeek
Administrative privileges to run tools
Lab Duration
Time: 20 Minutes
You can download OmniPeek Network Analyzer from http://www.wildpackets.com
Overview of OmniPeek Network Analyzer
OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of each and every part of the network from a single interface, which includes Ethernet, Gigabit, 10 Gigabit, VoIP, Video to remote offices, and 802.11 a/b/g/n.
Lab Tasks
TASK: Analyzing WEP Packets
Start > All Programs > WildPackets
2. Click View sample files.
[Screenshot: WildPackets OmniPeek Start Page with New Capture, View OmniEngines, Start Monitor, and Recent Files listing WEP.pkt, Packet Examples.pkt and WPA.pkt]
Select WEP.pkt
OmniPeek gives network engineers real-time visibility and Expert Analysis into every part of the network from a single interface, including Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless, VoIP, and Video to remote offices.
4. It will open WEP.pkt in the window. Select Packets from the left pane.
[Screenshot: OmniPeek Packets view of WEP.pkt with columns Packet, Source, Destination, BSSID, Flags, Channel, Signal, Data Rate and Size]
6.
OmniPeek Connect manages an organization's Omnipliance and TimeLine network recorders, and provides all the console capabilities of OmniPeek Enterprise with the exception of local capture and VoIP call playback.
[Screenshot: OmniPeek decode of Packet 3 from WEP.pkt showing the packet information (Flags, Status, Packet Length, Timestamp, Data Rate, Channel, Signal Level, Noise Level), the 802.11 MAC Header (Version, Type, Subtype, Frame Control Flags) and the hex dump of the frame]
7. Close the tab from the top and select different options from the right pane; click Graphs.
OmniPeek Enterprise also provides advanced Voice and Video over IP functionality including signaling and Media analyses of voice and video, VoIP playback, voice and video Expert Analysis, Visual Expert, and more.
[Screenshot: OmniPeek Graphs view of WEP.pkt listing graphs such as Application Layer Protocols by Bytes, Application Layer Protocols by Packets, ARP Analysis, Broadcasts Compared to Total, Expert Events, Network Utilization (bits/s), TCP Analysis, Wireless: Access Points vs. Clients, Wireless: Data Types and Wireless: Probe Req vs. Probe Rsp]
8. Now traverse through all the options in the left pane of the window.
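What the packet decode view in OmniPeek is reading, as an added example that is not part of the lab manual or of OmniPeek: a parser for the 802.11 frame control field that uses the Protected flag and the ExtIV bit to tell WEP frames from TKIP/CCMP ones. The three frames and their MAC addresses are constructed, and control frames (shorter than 24 bytes) are out of scope.

```python
import struct
from collections import Counter

TYPES = {0: "Management", 1: "Control", 2: "Data"}
FLAGS = ["ToDS", "FromDS", "MoreFrag", "Retry",
         "PwrMgmt", "MoreData", "Protected", "Order"]

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)

def parse_80211(frame: bytes) -> dict:
    """Decode a management/data frame's MAC header and classify encryption."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]  # frame control, little-endian
    ftype, subtype, bits = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    flags = [name for i, name in enumerate(FLAGS) if bits & (1 << i)]
    hdr_len = 24
    if "ToDS" in flags and "FromDS" in flags:
        hdr_len += 6                            # fourth address present
    if ftype == 2 and subtype & 0x8:
        hdr_len += 2                            # QoS control field
    info = {"version": fc & 0x3, "type": TYPES.get(ftype, "Reserved"),
            "subtype": subtype, "flags": flags,
            "addr1": mac(frame[4:10]), "addr2": mac(frame[10:16]),
            "addr3": mac(frame[16:22]), "encryption": "none"}
    if "Protected" in flags:
        iv_hdr = frame[hdr_len:hdr_len + 4]
        if len(iv_hdr) < 4:
            raise ValueError("protected frame truncated before the IV")
        if iv_hdr[3] & 0x20:                    # ExtIV bit: TKIP or CCMP
            info["encryption"] = "TKIP/CCMP"
        else:                                   # 3-byte IV + key ID: WEP
            info["encryption"] = "WEP"
            info["wep_iv"] = iv_hdr[:3].hex()
            info["key_id"] = iv_hdr[3] >> 6
    return info

# Constructed frames (locally administered MACs), not taken from WEP.pkt.
AP, STA = "020000000001", "020000000002"
BEACON = bytes.fromhex("8000" "0000" "ffffffffffff" + AP + AP + "0000")
WEP_DATA = bytes.fromhex("0841" "2c00" + AP + STA + AP + "1000"
                         "a1b2c3" "40" "deadbeef")
CCMP_QOS = bytes.fromhex("8841" "2c00" + AP + STA + AP + "1000" "0000"
                         "01000020" "00000000" "deadbeef")

def audit(frames) -> dict:
    """Count frames per encryption class so WEP use stands out."""
    return dict(Counter(parse_80211(f)["encryption"] for f in frames))

if __name__ == "__main__":
    print(parse_80211(WEP_DATA))
    print(audit([BEACON, WEP_DATA, CCMP_QOS]))
```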
Lab Analysis
Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Tool/Utility
Information Collected/Objectives Achieved
Packet Information: Packet Number, Flags, Status, Packet Length, Timestamp, Data Rate, Channel, Signal Level, Signal dBm, Noise Level, Noise dBm
802.11 MAC Header Details
Questions
1. Analyze and evaluate the list of captured packets.
Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs