CEH Lab Manual
Hacking Wireless Networks
Module 16

Hacking Wireless Networks
Wi-Fi is developed on IEEE 802.11 standards and is widely used in wireless communication. It provides wireless access to applications and data throughout a radio network.

Lab Scenario
Wireless network technology is becoming increasingly popular, but at the same time, it has many security issues. A wireless local area network (WLAN) allows workers to access digital resources without being tethered to their desks. However, the convenience of WLANs also introduces security concerns that do not exist in a wired world. Connecting to a network no longer requires an Ethernet cable. Instead, data packets are airborne and available to anyone with the ability to intercept and decode them. Several reports have explained weaknesses in the Wired Equivalent Privacy (WEP) algorithm by 802.11x standard to encrypt wireless data.

To be an expert ethical hacker and penetration tester, you must have sound knowledge of wireless concepts, wireless encryption, and their related threats. As a security administrator, you must protect your company's wireless network from hacking.

Lab Objectives
The objective of this lab is to protect the wireless network from attacks. In this lab, you will learn how to:
* Capture and Analyze Wireless Network Traffic
* Crack WEP by using various tools
* Crack WPA by using various tools

Lab Environment
In this lab, you will need a web browser with an Internet connection.
* Windows 10 running as virtual machine
* Kali Linux running as virtual machine

Tools demonstrated in this lab are available at …Tools\CEHv10 Module 16 Hacking Wireless Networks

Lab Duration
Time: 35 Minutes

Overview of Wireless Network
"Wireless network" refers to any type of computer network commonly associated with telecommunications, whose interconnections between nodes are implemented without the use of wires.
Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves, such as radio waves, for the carrier. The implementation usually takes place at the physical level or layer of the network.

Lab Tasks
Overview
Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in Wireless Networks are:
* WiFi Packet Sniffing using Microsoft Network Monitor and Wireshark
* Cracking a WEP Network with Aircrack-ng
* Cracking a WPA Network with Aircrack-ng

Lab Requirements
Before you start performing any labs in this module, you have to configure your environment so that you can connect your machine to a wireless network. You will need a wireless network adaptor and an access point for demo purposes. In this lab we have used a Linksys 802.11 g WLAN adaptor and CEHLabs as the access point for demonstration purposes. The CEHLabs access point has been configured with WEP and WPA encryption as per the lab requirements of Lab 2 and Lab 3.
* First log in to the Windows 10 virtual machine and then plug in the WLAN adaptor. The Removable Devices window pops up; click OK to proceed as shown in the screenshot.
* Now right-click your VM's tab in the VMware menu bar and click Removable Devices > Linksys 802.11 g WLAN > Connect (Disconnect from Host) as shown in the screenshot.
* Now in your virtual machine open Network and Sharing Center and click Change adapter settings.
Note: You can find the Network and Sharing Center option in the Control Panel.
* In the Network Connections window, first disable your wired network interface (here Ethernet0) by selecting the network interface, right-clicking on it, and clicking Disable.
Note: If a pop-up appears, click Yes.
* Now select your wireless interface (here Wi-Fi 3) and click Connect To.
* The Settings window appears with Wi-Fi settings being shown as default; select your wireless interface and click Connect as shown in the screenshot.
* In this way, you can connect a wireless network to your virtual machines. Repeat similar steps if you are using the wireless network with another virtual machine.
Note: You can use the adaptor for only one virtual machine at a time.

Lab Analysis
Analyze and document the results related to this lab exercise. Provide your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

WiFi Packet Sniffing using Microsoft Network Monitor and Wireshark
Microsoft Network Monitor is a packet analyzer which enables capturing, viewing, and analyzing network data and deciphering network protocols.

Lab Scenario
Wireless networks can be open to active or passive attacks. These attacks include DoS, MITM, spoofing, jamming, war driving, network hijacking, packet sniffing, and many more. Passive attacks that take place on wireless networks are common and are difficult to detect since the attacker usually just collects information. Active attacks happen when an attacker has gathered information about the network after a successful passive attack. Sniffing is the act of monitoring the network traffic using legitimate network analysis tools. Hackers can use monitoring tools, including AiroPeek, Ethereal, TCPDump, or Wireshark, to monitor the wireless networks.
These tools allow hackers to find an unprotected network that they can hack. Your wireless network can be protected against this type of attack by using strong encryption and authentication methods.

In this lab we use Microsoft Network Monitor, a tool that can sniff the network using a wireless adapter. Because you are the ethical hacker and a penetration tester of an organization, you need to check the wireless security and evaluate weaknesses present in your organization.

Lab Objectives
The objective of this lab is to capture and analyze wireless packets in a network.

Lab Environment
To execute this lab you will need:
* Ranchi in Window 40 machine eebae 1 dealin aga ea ec zoos 4 dent coon swindon ws plot

Lab Duration
Time: 10 Minutes

Overview of Network Monitoring
Anesork mottring stem ges you il overs of wha’ gig on in your emroth al ea A ected moot ha te aly manage ie ss er cn alo manage dat on spe devs sch suche ruc eval, Se Leang tote ove coset sa pen ey 0 ow fc nome nyo ‘ator nttoaoca and os hat kd of anand ican de om het. By knowing abou alte reve oer, ips yout oulieoct our fumerk nl « goal amount of dn 0 bull your hte gow pln for Jour evocingnbarear

Lab Tasks
1. Navigate to Start > All Apps > Microsoft Network Monitor 3.4 and click Microsoft Network Monitor 3.4 to launch the application. The main window appears as shown in the screenshot.
2. In the Select Networks window on the bottom-left, check only the wireless interface (here Wi-Fi 3) and leave the other options unchecked.
3. Now click the New Capture button present in the menu bar, as shown in the screenshot.
5. The Capture Settings window opens; double-click on the Wi-Fi adapter (here Wi-Fi 3) in the Select network adapters to capture section.
6. The Network Interface Configuration window opens; click the Scanning Options button.
7. The WiFi Scanning Options window appears; click the Switch to Monitor Mode checkbox and click the Apply button as shown in the screenshot.
8. Now close the Scanning Options window by clicking the cross button on the title bar.
Note: Do not press the Close and Return to Local Mode button or your settings will be reset.
10. Close the Capture Settings window by clicking the Close button as given in the screenshot.
11. Click Start in the menu bar to begin your network monitoring.
12. The application starts capturing packets and displays them in the Frame Summary window. You can see the number of captured packets at the bottom as shown in the screenshot.
13. Keep the packet capture running for a few minutes and then click the Stop button in the menu bar.
15. The Save As window appears; select a location and input the filename (here Desktop and test) and click the Save button.
16. Now launch Wireshark. The Wireshark main window appears, as shown in the following screenshot.
17. In the Wireshark main window, click File > Open to view the saved packet capture file for analysis.
18. The Wireshark: Open Capture File window appears; select the test.cap file and click Open.
19. The test.cap file opens in the Wireshark window showing you the details of the packet for analysis. Here you can see the wireless packets captured which were otherwise masked to look like Ethernet traffic.
20. You can access the saved packet capture file anytime, and by issuing packet filtering commands in the Filter field, you can narrow down the packet search in an attempt to find packets containing sensitive information.
21. In real time, attackers enforce packet capture and packet filtering techniques to capture packets containing passwords (only for websites implemented on HTTP channel), perform attacks such as session hijacking, and so on.

Lab Analysis
Analyze and document the results related to this lab exercise. Provide your opinion of your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS

Cracking a WEP Network with Aircrack-ng
Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that recovers keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks and the all-new PTW attack, thus making the attack much faster than those using other WEP cracking tools.

Lab Scenario
Network administrators can take steps to help protect their wireless network from outside threats and attacks.
Most hackers will post details of any loops or exploits online, and if they find a security hole, attackers will descend in droves to test your wireless network with it.

WEP is used for wireless networks; always change your SSID from the default before you actually connect the wireless router to the access point. If an SSID broadcast is not disabled on an access point, the use of a DHCP server to automatically assign IP addresses to wireless clients should not be used, because war driving tools can easily detect your internal IP address if the SSID broadcasts are enabled and the DHCP is being used.

As an ethical hacker and penetration tester of an organization, your IT director will assign you the task of testing wireless security, exploiting the flaws in WEP, and cracking the keys present in your organization's WEP. In this lab, we discuss how WPA keys are cracked using standard attacks such as KoreK and PTW.

Lab Objectives
The objective of this lab is to protect the wireless network from attackers. In this lab, you will learn how to:
* Crack WEP using various tools
* Capture network traffic
* Analyze and detect wireless traffic

Lab Environment
To execute this lab, you will need:
* A running Windows 10 virtual machine
* A Kali Linux virtual machine
* Before starting this lab make sure that the Wireless Access point is configured in WEP Encryption in Windows 10 machine
* This lab requires a wireless network adapter installed on your machine. If you don't have this adapter, please do not proceed with the lab.

Lab Duration
Time: 15 Minutes

Overview of WEP (Wired Equivalent Privacy) Encryption
WEP is a security protocol defined
by the 802.11 standard; it was designed to provide a wireless LAN with a level of security and privacy comparable to a wired LAN. WEP uses a 24-bit initialization vector (IV) to form stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity of wireless transmission. It has significant vulnerabilities and design flaws and can be easily cracked.

Lab Task
1. Launch the Kali Linux virtual machine and log in as root/toor.
2. Open a terminal window from the taskbar.
3. To find the wireless adapter, in a terminal window type airmon-ng and press Enter.
4. Now put the wireless adapter into monitor or promiscuous mode; to do this type airmon-ng start wlan0 and press Enter.
5. By issuing this command airmon will change the interface name to wlan0mon as shown in the screenshot.
6. Use airodump-ng to get the list of detected access points, and also a list of connected clients (stations).
7. Type airodump-ng wlan0mon and press Enter. By issuing this command we can see all the available Access Points (APs) and clients within our range.
8. In this lab we are choosing CEHLabs to perform the WEP cracking.
9. Before proceeding, check if the injection attack can be performed on the
10. Now, open a new terminal window and type aireplay-ng -9 -e CEHLabs -a 20:E5:2A:64:30:00 wlan0mon and press Enter.
11. In the above command, where
a. -9 is for Injection Test
b. -e CEHLabs is the Wireless Network Name
c. -a 20:E5:2A:64:30:00 is the MAC address of the Access Point
d. wlan0mon is the wireless interface name
12. While performing this process you should receive the message Injection is working! as shown in the screenshot.
13. Next, start airodump-ng to capture the Initialization Vectors (IVs) from the AP.
14. By running this command airodump-ng will capture the IVs generated from the specific Access Point.
15.
Open a new terminal window and type airodump-ng --bssid 20:E5:2A:64:30:00 -c 7 -w WEPcrack wlan0mon and press Enter.
a. --bssid 20:E5:2A:64:30:00 is the access point MAC address. This eliminates extraneous traffic
b. -c 7 is the channel number for the CEHLabs network
c. -w WEPcrack is the name to be prefixed for the file which contains the IVs
d. wlan0mon is the interface name
16. Next, we need to generate traffic between the AP and the station. Open another terminal, type aireplay-ng -3 -b 20:E5:2A:64:30:00 -h 40:98:C0:97:36:30 wlan0mon and press Enter.
17. It will generate ARP traffic in the network. The reason for choosing the ARP request packets is because the Access Points will usually rebroadcast them and this will generate the new IV.
18. The source MAC address should be associated with the access point in order to accept the packet. The source MAC address, which is used to inject the packets, has no connection with the Access Point; so the AP usually ignores the packets and sends out a DeAuthentication packet in clear text. In order to create a fake authentication, we need to associate it with the Access Point.
19. Next, use aireplay-ng to do a fake authentication with the access point, 40:98:C0:97:36:30 wlan0mon and press Enter.
a. -1 means fake authentication
b. 0 is the reassociation timing in seconds
c. -e CEHLabs is the wireless network name
d. -a 20:E5:2A:64:30:00 is the access point MAC address
e. -h 40:98:C0:97:36:30 is our card MAC address
f. wlan0mon is the wireless interface name
20. Switch back to the terminal where airodump-ng is running. Wait till the number of captured packets reaches the range of 15,000-20,000. Press Ctrl+C to stop the capture.
21. Now, launch aircrack-ng to recover the WEP key from the capture file. Type aircrack-ng WEPcrack-01.cap and press Enter.
22. By issuing the above command aircrack-ng will crack the WEP key of the
23. Now we will be connecting to the CEHLabs access point. To do this, navigate to the top right-side corner of the desktop and click the down arrow icon as shown in the screenshot, and click Wi-Fi connectivity to search for available Access Points.
24. It will display the available Access Points; click the CEHLabs access point from the list. As soon as you click on the CEHLabs Access point it will prompt you for the Authentication pop-up.
25. Type the key that you have cracked in the Task 6, and click Connect.
26. Once you click the Connect button on the Authentication required pop-up, you will be connected to the CEHLabs access point as shown in the screenshot.
27. An attacker uses this key to connect to the access point and then enters the respective network. Once he/she enters the network, he/she can use scanning tools to scan for open devices, perform vulnerability analysis, and then start exploiting them.

Lab Analysis
Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and the respective data packet generation time.

Internet Connection Required: Yes / No
Platform Supported: Classroom / iLabs

Cracking a WPA Network with Aircrack-ng
Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that recovers keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks and the all-new PTW attack, thus making the attack much faster than those using other WEP cracking tools.

Lab Scenario
Network administrators can take steps to help protect their wireless network from outside threats and attacks.
Most hackers will post details of any loops or exploits online, and if they find a security hole, attackers will descend in droves to test your wireless network with it.

WEP is used for wireless networks; always change your SSID from the default before you actually connect the wireless router to the access point. If an SSID broadcast is not disabled on an access point, the use of a DHCP server to automatically assign IP addresses to wireless clients should not be used, because war driving tools can easily detect your internal IP address if the SSID broadcasts are enabled and the DHCP is being used.

As an ethical hacker and penetration tester of an organization, your IT director will assign you the task of testing wireless security, exploiting the flaws in WEP, and cracking the keys present in your organization's WEP. In this lab, we discuss how WPA keys are cracked using standard attacks such as KoreK and PTW.

Lab Objectives
The objective of this lab is to protect the wireless network from attackers. In this lab, you will learn how to:
* Crack WPA using various tools
* Capture network traffic
* Analyze and detect wireless traffic

Lab Environment
To execute this lab, you will need:
* A running Windows 10 virtual machine
* A Kali Linux virtual machine
* Before starting this lab make sure that the Wireless Access point is configured in WPA Encryption in Windows 10 machine
* This lab requires a wireless network adapter installed on your machine. If you don't have this adapter, please do not proceed with the lab.

Lab Duration
Time: 10 Minutes

Overview of WPA (Wi-Fi Protected Access) Encryption
WPA is a security protocol defined by 802.11 standards; it uses a Temporal Key Integrity Protocol (TKIP) that utilizes the RC4 stream cipher encryption with 128-bit keys and 64-bit MIC integrity check to provide stronger encryption and authentication. WPA uses TKIP to eliminate the weaknesses of WEP by including per-packet mixing functions, message integrity checks, extended
initialization vectors, and re-keying mechanisms. WPA2 is an upgrade to WPA; it includes mandatory support for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), an AES-based encryption mode with strong security.

Lab Task
1. Launch a Kali Linux virtual machine and log in as root/toor.
2. Open a terminal window from the taskbar.
3. To find the wireless adapter, in a terminal window type airmon-ng and press Enter.
4. Now put the wireless adapter into monitor or promiscuous mode; to do this type airmon-ng start wlan0 and press Enter.
5. By issuing this command airmon will change the interface name to wlan0mon as shown in the screenshot.
6. Use airodump-ng to get the list of detected access points, and also a list of connected clients (stations).
7. Type airodump-ng wlan0mon and press Enter. By issuing this command we can see all the available Access Points (APs) and clients within our range.
8. In this lab we are choosing CEHLabs to perform the WEP cracking.
9. Next, start airodump-ng to capture the packets from the AP.
10. Sams -e fw Wylie wensiesorol pct miter Teave adm sensing il indo, gp tla 0
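Seen from the monitoring side, steps 16 to 19 of the WEP lab above (injected ARP requests, the AP's deauthentication of an unassociated sender, then a fake authentication) leave a recognizable pattern in captured frame metadata. The detector below is an added example, not part of the lab manual: the Frame record, the thresholds, the 68/86-byte ARP sizes and the MAC addresses are assumptions, and the capture is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Assumption: an encrypted ARP request has a fixed on-air size, commonly
# 68 bytes (wireless sender) or 86 bytes (relayed from the wired side).
ARP_SIZES = {68, 86}
# Constructed, locally administered addresses (not taken from the lab).
AP, CLIENT, SUSPECT = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:66"


@dataclass(frozen=True)
class Frame:                      # hypothetical record of one captured 802.11 frame
    ts: float                     # capture time in seconds
    kind: str                     # "data", "auth" or "deauth"
    src: str
    dst: str
    bssid: str
    length: int = 0
    protected: bool = False       # Protected Frame bit set (payload encrypted)


def detect_arp_replay(frames, window_s=1.0, threshold=50, lookback_s=30.0):
    """Return {(bssid, sender): evidence} for senders flooding ARP-sized broadcasts."""
    frames = sorted(frames, key=lambda f: f.ts)
    recent = defaultdict(deque)   # per-sender timestamps inside the sliding window
    alerts = {}
    for f in frames:
        if not (f.kind == "data" and f.protected
                and f.dst == BROADCAST and f.length in ARP_SIZES):
            continue
        key = (f.bssid, f.src)
        q = recent[key]
        q.append(f.ts)
        while f.ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:   # far above the rate of ordinary ARP traffic
            hit = alerts.setdefault(key, {"start": q[0], "peak": 0})
            hit["peak"] = max(hit["peak"], len(q))
    # Corroborate each alert with the deauth/auth exchange that preceded the burst.
    for (bssid, src), hit in alerts.items():
        lo, hi = hit["start"] - lookback_s, hit["start"]
        prior = [f for f in frames if f.bssid == bssid and lo <= f.ts <= hi]
        hit["auth_from_sender"] = sum(f.kind == "auth" and f.src == src for f in prior)
        hit["deauth_to_sender"] = sum(f.kind == "deauth" and f.dst == src for f in prior)
    return alerts


def constructed_capture():
    """Constructed sample: one ordinary client and one sender replaying ARP."""
    frames = [Frame(t, "data", CLIENT, BROADCAST, AP, 68, True) for t in (1.0, 5.0, 9.0)]
    frames.append(Frame(9.0, "deauth", AP, SUSPECT, AP))
    frames.append(Frame(9.5, "auth", SUSPECT, AP, AP))
    frames += [Frame(10.0 + i * 0.002, "data", SUSPECT, BROADCAST, AP, 68, True)
               for i in range(500)]
    return frames


if __name__ == "__main__":
    for (bssid, sender), hit in detect_arp_replay(constructed_capture()).items():
        print(f"{bssid}: {sender} sent up to {hit['peak']} ARP-sized broadcasts per "
              f"second (auth={hit['auth_from_sender']}, deauth={hit['deauth_to_sender']})")
```

The ordinary client's three ARP broadcasts stay far below the threshold, so only the replaying sender is reported.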
