CHAPTER IV: PRESENTATION AND DISCUSSION
graphical representation of the overall structure of the network. Figure 4 shows that the
main connection is the internet service provider (ISP). The ISP is connected to the
backbone switch located at Civil Engineering faculty. The backbone switch is connected
to the switches of the CEA where the routers are connected. See Appendix A for the
Table 3 shows the summary of the scan results in monitor mode of the Mechanical Engineering Department. The data gathered shows the WLAN security protocol, the SSID (also known as the network name), the MAC address, the authentication, the equipment or routers used by the said WLAN, and their location. See
suite.
According to the data gathered, the most used Wireless Local Area Network security protocol is WPA2 with PSK authentication, which means the network requires a key or password. Table 3 also shows the MAC address of each Wireless Local Area Network of the College of Engineering and Architecture departments. For the SSID, the Architecture, Civil Engineering and Computer Engineering Departments use short SSIDs based on the names of their departments. However, the Electrical Engineering Department does not have its own network; according to Ma'am Pauline Roa, a faculty member of the Electrical Engineering Department, they are using the PSU WLAN with the SSID PSUWifi. The same goes for the Mechanical Engineering Department, which has no network of its own; according to Engr. Ryndell Casem, a faculty member of the Mechanical Engineering Department, they are also using the PSU WLAN having a
Based on the data gathered, TP-Link is the most commonly used router brand among the departments; D-Link and Tenda routers are also used. An actual photo of the equipment is shown in Appendix D. See Appendix E for the location of the said routers and their detailed connection to the backbone switch. Full specifications of the said wireless routers are shown in Appendix F.
Hardware Devices
According to Kevin Beaver (2018)[21], there are many tools, and each one is designed to perform a particular test; nevertheless, there is no tool that can test for everything. In this research study on penetration testing for Wireless Local Area Networks, the hardware devices used were selected based on their accessibility, versatility, performance, portability, and price. The researchers utilized these devices for penetration testing.
Table 4 shows the comparison of the devices that can be used for the penetration testing. The first column shows the actual name of the devices, which includes the ESP32 Wi-Fi Penetration Tool, USB Ethernet Adapter LAN Turtle SD, Alfa AWUS036NHA USB Wi-Fi adapter, Raspberry Pi 4B and the Wifi Pineapple Mark VII +AC Tactical. The second column shows the accessibility of the hardware devices in terms of their interfaces. The third column shows the versatility of the devices when it comes to penetration testing. The fourth column shows the performance through the processor and RAM used by the hardware devices. The fifth column shows the portability through their size and weight. The last column shows the price of the hardware devices in pesos.
Table 4, row for the Alfa AWUS036NHA USB Wi-Fi adapter:
Device: Alfa AWUS036NHA USB Wi-Fi adapter
Accessibility: Command Line Interface
Versatility: Wireless network monitoring; Wireless penetration testing; Network troubleshooting; Range extension; Remote access; Network mapping
Performance: Uses the Atheros AR9271 chipset, supports the IEEE 802.11 b/g/n standards and can operate on both the 2.4 GHz and 5 GHz frequency bands
Portability: Length 8.5 cm (3.35 in), Width 2.0 cm (0.79 in), Height 1.4 cm (0.55 in), 38 grams (1.34 ounces)
Price: Php 2,378
The researchers selected two devices to be used for penetration testing. First, the major factor that the researchers considered was accessibility. It is very convenient for the researchers to use a device having a Graphical User Interface (GUI) since they no longer have to memorize codes and commands. Another consideration is that the researchers were looking for a device capable of capturing information from networks. Devices with a wide range were also considered in selecting the hardware. Therefore, the researchers selected the Alfa AWUS036NHA USB Wi-Fi adapter, which will be used for reconnaissance. The Wifi Pineapple Mark VII +AC Tactical will be used
The Alfa AWUS036NHA USB Wi-Fi adapter is one of the best things you can use with Kali Linux for wireless pen testing (very popular among Kali Linux users). It's small, has a great range, and costs very little. Setting up is easy because the drivers are already built in. The Alfa AWUS036NHA USB Wi-Fi adapter must be plugged in to the PC in order to be used (Cyberpunk, 2018)[35]. Therefore, the researchers decided to use the Alfa AWUS036NHA USB Wi-Fi Adapter, since the Alfa AWUS036NHA is one of the best-known monitor-mode wifi adapters (KaliTut, 2021)[34]. The researchers used this device for reconnaissance. The Alfa AWUS036NHA USB Wi-Fi Adapter was bought by the researchers from Shopee Philippines and was imported from Malaysia; the device cost Php 2,428 including shipping. The Alfa AWUS036NHA USB Wi-Fi Adapter is shown in Figure 5. See Appendix H for the quick start guide and the hardware setup of Alfa AWU-
The researchers used the Alfa AWUS036NHA USB Wi-Fi adapter as shown in Figure 5. The Alfa AWUS036NHA is a high-gain USB wireless adapter that allows you to connect to wireless networks from your desktop or laptop computer. It supports the 802.11n standard and has a maximum transfer rate of 150 Mbps. The adapter
comes with an external antenna that can be adjusted and rotated to improve signal strength
and range. This device supports the Aircrack-ng suite, that was used for the reconnais-
sance phase of the researchers. Aircrack-ng is a suite of tools used for penetration testing
and network security assessments. It is commonly used to test the security of wireless net-
and networking organizations. It is an easy-to-learn and use application that also delivers
versatile tool that, depending on the user's intention, may be useful or deadly. The wi-fi Pineapple is regarded as one of the riskiest services available give numerous possibly in-
hacking tool may be purchased by anyone for a little price (NI Cyber Guy, 2021)[25].
The researchers used the Wifi Pineapple Mark VII +AC Tactical for the penetration testing. The Wifi Pineapple has a web interface through which users can configure the device, execute attacks, and monitor handshakes. The Wifi Pineapple Mark VII +AC Tactical comes with a Wifi Auditing Adapter called MK7AC, shown in Figure 6, which is connected to the Wifi Pineapple via its USB port. It was built only for the Wifi Pineapple Mark VII and allows the user to scan 5 GHz networks. The device has five (5) antennas, three (3) for the Wifi Pineapple and two (2) for the wifi auditing adapter.
The Wifi Pineapple was purchased by the researchers directly from the hak5 shop via a relative. It was pre-ordered, and the researchers had to wait forty-five (45) days and another ten (10) days for delivery to the Philippines via LBC. The device costs $199 excluding tax and the shipping fee. The Wifi Pineapple Mark VII +AC Tactical is shown in Figure 5.
Modules
The Wifi Pineapple Mark VII +AC Tactical is a device equipped with various
modules, including Recon for reconnaissance. Within the Recon module are two (2) sub-
to acquire network passwords. Additionally, the device has a PineAP module that contains
an "EvilWPA" module capable of initiating a fake access point attack. Moreover, downloadable modules such as "Evil Portal", "HTTPeek", and "MDK4" can be installed on the device to enhance its attacking capabilities. Overall, the Wifi Pineapple Mark VII +AC
Reconnaissance
The reconnaissance phase is the first step in any cyber-attack, where attackers
gather information about the target network. This process involves identifying critical
details such as the Service Set Identifier (SSID) or network name, Basic Service Set
Identifier (BSSID) or Media Access Control (MAC) address of the network, number of
clients connected to the network along with their respective BSSIDs, the type of routers
and devices used by clients. Moreover, during the reconnaissance phase, attackers can
also identify the security protocols implemented by the network. One important security
protocol is the Management Frame Protection (MFP), which adds an additional layer of
also includes identifying the presence of Wi-Fi Protected Setup (WPS) on the router.
WPS is a feature that simplifies the process of connecting to a secure wireless network
determining the channel strength of the network. Different channels have different signal
strengths and understanding this can help attackers optimize their attacks. Lastly, the time
of the reconnaissance is also important because it can impact the accuracy of the data
vulnerabilities. This information can then be used to plan and execute further attacks on
the network.
To begin the attack, the attacker must first connect to the network of the WiFi Pineapple. The WiFi Pineapple has both wired and wireless connectivity options, but a wired connection is recommended so that the attacking device does not get disconnected from the WiFi Pineapple. To establish a wired connection, a Type-C cable can be used to connect the attacking device to the WiFi Pineapple. This is presented as an Ethernet connection, providing a stable and reliable link for the duration of the attack. See Appendix J for the wired connection of the attacking device to the wifi pineapple via Type-C cable.
The “Wifipineapple” is the secured network of the Wifi Pineapple. “Pinya” is the
open network of the Wifi Pineapple. “Pineapple_3050” is the wired connection of the
Wifi Pineapple and it is connected via ethernet. The Wifi Pineapple works either of the
during the hardware setup and can be changed whenever the attacker wants to change it.
See Appendix K for the changing of SSIDs of the network of the Wifi Pineapple. See
is the default IP address of the Wifi Pineapple shown in Figure 8. The port number 1471
is the default port number used for the web interface of the Wifi Pineapple. This IP
address and port number can be accessed in any web browser as long as the device is
connected to the Wifi Pineapple. Attacker will be redirected to the web-based User
Once the attacker has been redirected to the web-based User Interface of the WiFi
Pineapple, they will need to enter the password to gain full access to the operating system
of the device shown in Figure 9. The default username for the WiFi Pineapple is "root,"
and this account provides the attacker with complete control over the device's functions
and customization options. The default password for the WiFi Pineapple is
"Pineapple123," and it was set during the hardware setup of the device. It is important to
note that changing the default password is highly recommended to ensure better security
and prevent unauthorized access by other attackers. If the attacker wishes to change the
Pineapple.
After gaining access to the operating system of the WiFi Pineapple, the attacker
should look for the "recon" module located in the left navigation menu of the home page.
Clicking on this module will redirect the attacker to the recon page, as shown in Figure
10. To start the scanning process, the attacker must first select the time duration of the
scan. Selecting "continuous" will provide real-time updates on the scanned networks and
clients. However, it is also possible to set the scan duration to 2 minutes, 5 minutes, or 10
minutes based on the attacker's preferences. Once the desired time duration has been
selected, the attacker can start the scanning process by clicking the "Scan" button. This
will initiate the reconnaissance phase of the attack, allowing the attacker to gather
important information about the target network and its connected clients.
After a few seconds of scanning, networks will appear along with the information needed for the attacks, as shown in Figure 10. Scanned networks can be expanded to show the clients connected to them by pressing “+” and collapsed again using “-”. Client information such as the BSSID and the type of device used by the client is shown in Figure 11. Note that in the scanning of
Lastly, to check if the scanning really works, get a phone, and try to connect to
the target network. Click on the network to see the BSSID of the phone shown in Figure
12. Check the BSSID of the phone to see if it is included in the scanned clients. If the
BSSID is included in the scanned clients, try to disconnect and then reconnect to the
network to see if the continuous scanning is updated. Attackers will then know that the
Deauthentication Attack
The Recon page of the Wifi Pineapple allows users to conduct various attacks,
including deauthentication attacks. This type of attack forces client devices to disconnect
legitimate messages sent by the access point or router. Deauthentication packets used in
attacks are designed to mimic legitimate messages that are transmitted by an access point
or router in order to disconnect a client device. When the targeted client device receives
these fake deauthentication packets, it will assume that it is being disconnected from the
to note that deauthentication attacks are not possible when clients or networks use
Management Frame Protection (MFP) or when they are on a restricted channel. MFP
exchange of frame signatures between the client and access point, making it difficult for
attacker's primary objective is to obtain the password of the target network by capturing
handshakes. This can be achieved by utilizing the Capture Handshakes feature available
on the device. Once the handshake capture feature has been enabled, the attacker can proceed
to deauthenticate all clients within range of the target network with a single click through
the Deauthenticate All Clients function shown in Figure 13. This method streamlines the
process and enables the attacker to quickly disrupt the connectivity of all devices within
the network, increasing the chances of password cracking and unauthorized access.
In deauthenticating clients there are two options: deauthenticating all clients and deauthenticating a single client. If the attacker wishes to focus on a particular client, they can use the Deauthenticate Clients function by clicking on the desired target client and then clicking “Deauthenticate Clients”, as shown in Figure 14. The deauthentication attack results in a sudden disconnection from the network, rendering the client's device temporarily useless. Handshake capture is still running at this point, so if the deauthenticated client tries to reconnect, the wifi pineapple will still capture the handshake.
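As an added defender-side example (not part of the thesis), the following Python script shows how a wireless monitor could spot the deauthentication flood described above and report whether the affected BSSID advertises Management Frame Protection, the mitigation this section names. The log line format, the MAC addresses and the sample frames are all constructed for this example.

```python
"""Detect 802.11 deauthentication floods and check whether the affected
BSSID advertises Management Frame Protection (MFP, 802.11w).

Added example, not the thesis's own code. The log format is hypothetical:
"<seconds> <subtype> <source_mac> <dest_mac> <info>", where <info> is the
reason code for deauth frames and "mfp"/"nomfp" for beacon frames.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float
    subtype: str   # "beacon" or "deauth"
    src: str
    dst: str
    info: str


BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_log(text):
    """Parse the constructed log format into Frame records, skipping comments."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, subtype, src, dst, info = line.split()
        frames.append(Frame(float(ts), subtype, src.lower(), dst.lower(), info))
    return frames


def detect_deauth_floods(frames, window=1.0, threshold=10):
    """Return {source_mac: peak_count} for sources that sent at least
    `threshold` deauth frames inside any `window`-second interval.
    A sliding deque per source keeps only timestamps within the window."""
    recent = defaultdict(deque)
    peaks = {}
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype != "deauth":
            continue
        q = recent[f.src]
        q.append(f.ts)
        while q and f.ts - q[0] > window:
            q.popleft()
        peaks[f.src] = max(peaks.get(f.src, 0), len(q))
    return {src: n for src, n in peaks.items() if n >= threshold}


def mfp_status(frames):
    """Map each beaconing BSSID to True if any of its beacons advertise MFP."""
    status = {}
    for f in frames:
        if f.subtype == "beacon":
            status[f.src] = status.get(f.src, False) or f.info == "mfp"
    return status


def broadcast_ratio(frames, src):
    """Fraction of a source's deauth frames addressed to the broadcast MAC;
    a 'deauthenticate all clients' flood is typically sent to broadcast."""
    deauths = [f for f in frames if f.subtype == "deauth" and f.src == src]
    if not deauths:
        return 0.0
    return sum(1 for f in deauths if f.dst == BROADCAST) / len(deauths)


def report(frames, window=1.0, threshold=10):
    """Human-readable findings, one line per flooding source."""
    lines = []
    mfp = mfp_status(frames)
    for src, n in sorted(detect_deauth_floods(frames, window, threshold).items()):
        if mfp.get(src, False):
            verdict = "MFP advertised: clients should reject the spoofed frames"
        else:
            verdict = "no MFP: clients will disconnect; enable 802.11w on this AP"
        lines.append(f"{src}: {n} deauth frames within {window}s "
                     f"(broadcast ratio {broadcast_ratio(frames, src):.2f}); {verdict}")
    return lines


def _build_sample():
    """Constructed capture: one legitimate deauth from an MFP-capable AP and a
    burst of twelve broadcast deauths carrying the non-MFP AP's BSSID."""
    lines = [
        "1000.00 beacon aa:bb:cc:00:00:01 ff:ff:ff:ff:ff:ff nomfp",
        "1000.00 beacon aa:bb:cc:00:00:02 ff:ff:ff:ff:ff:ff mfp",
        "1000.50 deauth aa:bb:cc:00:00:02 11:22:33:44:55:66 3",
    ]
    for i in range(12):
        lines.append(f"{1001 + i * 0.05:.2f} deauth aa:bb:cc:00:00:01 {BROADCAST} 7")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample()

if __name__ == "__main__":
    for line in report(parse_log(SAMPLE_LOG)):
        print(line)
```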
that can be connected to the target network and will act as a target client. Using either the
"deauthenticating all clients" or "deauthenticating single client" method, the target client
should be disconnected from the target network, as shown in Figure 15. Once
disconnected, when the device is reconnected to the network, the WiFi Pineapple will act
reconnection. Specifically, the information that will be captured is the password of the
network. This process demonstrates how easily a hacker could gain access to sensitive
Once the client/s reconnect to the network and start transmitting data, the Wifi
Pineapple device will capture handshakes as shown in Figure 16. The attacker will be
notified of the captured handshakes, which are saved in two different file formats: 22000
and pcap. These files can be downloaded and used for password cracking using brute
force or dictionary attack techniques to gain access to the network. Brute force is a
method of guessing a password by trying every possible combination until the correct one
is found. Dictionary attacks, on the other hand, use pre-existing lists of commonly used
Credential Harvester
A Credential Harvester is designed to collect personal data including usernames
and passwords. The aim of a credential harvester is to trick people into providing their
login credentials or other sensitive information on a fake website or login page that looks
just like a legitimate one. Once the user enters their info, the credential harvester captures
it and sends it to the attacker's server. A range of unlawful activities, such as financial
fraud, identity theft, and unauthorized access to online accounts, can then be carried out
The internet is commonly used by people. In order to use social media, participate in online classes, or play online games, one requires a reliable internet connection. Most students and employees make use of the free wireless networks that are available at Pangasinan State University's Urdaneta Campus. However, the large number of users on these free wi-fi networks may cause the internet connection to become sluggish. As a result, some users will look for another free wireless network that they are familiar with. All the free wi-fi available in PSU presents a webpage on which the user is required to agree to certain terms and conditions, enter login credentials, or provide other information before
Furthermore, this gives the researchers the opportunity to get the credentials of the people in PSU. They will provide a free wireless network having an SSID that the users are familiar with. If the users try to connect to it, a fake webpage will be displayed, and the users will be made to enter their credentials. To do this, the researchers use the Wi-Fi Pineapple, which can perform a man-in-the-middle (MITM) attack that intercepts communication between two parties to steal sensitive information. See Appendix L for the full installation of the Evil Portal module. To do this attack, follow the step-by-step
The first step in carrying out a credential harvester attack using the Evil Portal
module is to access the module through the Wifi Pineapple interface. This can be done by
clicking on the "Module" tab located on the left-hand side of the navigation page. Once
the module page is opened, search for the "Evil Portal" module and click on it to access
its interface. Figure 17 shows what the Evil Portal module button looks like. The
module's interface provides various options for customizing the attack, such as selecting
Once the attacker accesses the Evil Portal module and browses through its interface, shown in Figure 18, they will come across the Portal Library. This library contains numerous portals created by researchers, which are essentially fake webpages imitating popular sites such as social networking platforms, e-commerce sites, and fast-food platforms. The researchers have imported these portals into the library, and they can be used for testing purposes. For more information on how these portals are added to the Evil Portal library, see the corresponding section in Appendix M. Overall, the Portal Library is a valuable resource for cybersecurity researchers to simulate
Figure 18. Interface of the Evil Portal with the Portal Library
To deploy the fake webpage, you need to activate a web server. This can be done by clicking the “Web Server” button in your chosen software or platform. This button will allow you to access the portal that you will use to host the fake webpage. After activating the web server, the attacker can activate the portal by clicking “Activate”. In this attack, the researchers used the PSU login. However, there are a number of portals that can be activated, as shown in Figure 19. The portal used depends on the environment of the target, since the researchers' target is in PSU. Click the “Preview” button to see the
Figure 19. Start the Web Server and Activating the Portal
Activating the portal requires starting the web server. This is because the web
server is responsible for hosting and serving the portal's content to users. Without a
running web server, the portal cannot be accessed by anyone. It is important to note that
attempting to activate the portal without starting the web server will result in failure.
Therefore, it is crucial to ensure that the web server is running before attempting to
activate the PSU-Login portal. To see the fake webpage of the PSU Login, click the
“preview”.
After activating the webserver and the portal, start the attack by clicking the
“start” button of the Evil Portal shown in Figure 20. This time, the attack is running and
whoever connects to the open network of the Wifi Pineapple will be redirected to the fake
webpage of the PSU Login. Take note that this attack requires an internet connection for
the Wifi Pineapple to access the fake webpage. See Appendix N for the internet
connectivity of the Wifi Pineapple. In addition, successful attacks can lead to the theft of
sensitive information.
From the client's perspective, first the client connects to the open network of the Wifi Pineapple as shown in Figure 21. Upon connecting to the open network, the client is redirected to the fake webpage of the PSU Free Wifi, which asks for an email address, phone number, and a password. Since the Wifi Pineapple is connected to the internet, the open network has internet access. The objective of the attacker is to capture the information that the PSU Free Wifi is asking for. This attack can easily be executed in PSU
From the attacker's viewpoint, upon the target clicking on the sign-up button on
the fake PSU Free Wifi page, the evil portal or credential harvester will capture all the
information entered by the target. By revisiting the evil portal module in Wi-Fi
Pineapple, the attacker can observe that any credentials entered by the target are
immediately notified to them as shown in Figure 22. To view the information, click the
“View Log” button. With access to this sensitive information, the attacker can potentially
use it for various malicious purposes such as identity theft and fraud.
If the "View Log" button is clicked, the attacker can access the client's email address, password, and mobile number that were entered, shown in Figure 23. Furthermore, the information reveals the BSSID of the client and the IP address of the fake network. The Wifi Pineapple continues to record data from clients for as long as the attack remains active. Once credentials have been captured, the attacker receives a notification.
Fake Access Point attack is the type of attack where an attacker sets up a rogue
Wi-Fi access point (AP) with the same name and characteristics as a legitimate AP in
order to trick users into connecting to it. Once connected, the attacker can intercept
information such as login credentials, credit card numbers, or other data that's transmitted
over the network. Fake access point attacks are particularly dangerous because many
people automatically connect to any available Wi-Fi network without checking whether it's legitimate or not. This makes it relatively easy for an attacker to set up a fake access
This is a type of attack that can be done from the Recon page of the Wifi Pineapple. The fake access point is configured to match the target network and is given a random password. Once the attack is enabled, clients will not be able to connect to the legitimate network until the attack is disabled. This attack also captures handshakes from the clients, which contain sensitive information about the network.
To do this, first click on the target network, then click “Clone WPA/2 AP”. The attacker will be redirected to the configuration of the fake access point, as shown in Figure 24. It automatically copies the SSID and the BSSID of the target network. Next, enter a random password appropriate to the encryption of the network. The encryption of the fake access point must be the same as that of the target network. The fake access point should not be hidden or disabled. To start the attack, click “Capture Handshake”.
There is one other way of configuring the Fake Access Point, located at the
PineAP module of the Wifi Pineapple. PineAP can be used to create rogue access points
(APs) and capture network traffic, probe for client devices, and perform deauthentication
addresses, SSIDs, and other information from nearby Wi-Fi networks, allowing for more
targeted and effective attacks. PineAP module is located at the left navigation bar of the
Wifi Pineapple page just above the recon module. Upon clicking the PineAP module, it
will then be redirected to the home page of the PineAP as shown in Figure 25. Click the
Figure 26 shows the PineAP Evil WPA feature of the Wifi Pineapple. This allows
attackers to configure the Fake Access Point manually. First, enter the SSID and the
BSSID of the target network. Next, enter a random password. Then select the encryption
that the target network has. Lastly, enable the attack and capture handshakes then save
the configuration.
client or deauthenticate all clients as shown in Figure 27. Clients will be disconnected from the target network. Clients will not be able to connect to the network until the attack is disabled. When clients try to connect, they will need to enter the password again, and when they do so the Wifi Pineapple will capture the handshake.
The captured handshake of the Fake Access Point is in pcap file format shown in
Figure 28. These captured handshakes are downloadable and can be cracked using brute
force or dictionary attack. Captured handshakes are located at the recon page of the wifi
that allows you to intercept and modify HTTP traffic between clients and servers. The
intercepting all HTTP requests and responses that pass through the WiFi Pineapple's
network interface. One practical application of HTTPeek is that it can be used to identify
browser and a web server, you can examine the contents of requests and responses,
including cookies, headers, and other data, and look for potential security weaknesses.
If a user accesses an unsafe website, or one that does not employ HTTPS,
HTTPeek can record and show all HTTP traffic in plain text between the user's browser
and the website's server. As a result, any private information sent via an HTTP
read by hackers with access to the same network. The researchers came up with the
concept of utilizing HTTPeek in Wi-Fi Pineapple to see if the users of free wireless
network in PSU are accessing any unsecured websites. See Appendix O for the full
The first step in carrying out an HTTP traffic analysis attack using the HTTPeek module is to access the module through the Wifi Pineapple interface. This can be done by clicking on the "Module" tab located on the left-hand side of the navigation page. Once the module page is opened, search for the "HTTPeek" module and click on it to access its interface. Figure 29 shows what the HTTPeek module button looks like. Once inside the interface, users can begin carrying out HTTP traffic analysis attacks.
After accessing the HTTPeek module through the Wifi Pineapple interface, the
next step for an attacker is to click the "Enable" button in the HTTPeek interface shown
in Figure 30. This will activate the sniffer feature of the tool and allow the attacker to
intercept data being transmitted over unencrypted HTTP connections. Once the sniffer
usernames, passwords, and session cookies sent over these unencrypted connections.
Furthermore, images loaded by the client in an HTTP webpage will also load using this
After enabling the sniffer, start the capturing process. Clicking the "Start" button starts the capture of HTTP traffic on the wire and displays it in real time, as shown in
Figure 31. This functionality is essential for network administrators to monitor network
administrators can analyze data packets transmitted between devices, detect suspicious
immediate notifications of any abnormal network behavior, allowing for prompt action to
be taken to prevent any negative impact on network performance or security. Overall, the
ability to start capturing HTTP traffic in real-time is a critical feature for maintaining
From the client's perspective, the first step is to connect to the open network of
the Wifi Pineapple, which is illustrated in Figure 32. If the client is already connected to
the open wireless network and happens to visit an unsecured website by accident, it can
pose a significant security risk. For instance, the client visited http://shippingchina.com/
-- an example of an unsecured site that offers online selling, shopping, and logistics
services in China. This website contains numerous images that are typical for online
marketplaces, but also displays Chinese characters that may be hard for non-Chinese
speakers to understand.
shown in Figure 33. The attacker can intercept various types of data such as unsecured
URLs, cookies, post data and images from the targeted client. The attacker can continue
to capture this data until they disable the attack. This means that if the client continues to
browse unsecured sites, the HTTPeek module will keep providing information to the
attacker about what the client is accessing over HTTP or unsecured networks.
easily access and gather different types of sensitive data being transmitted between the
client and the website. For instance, the attacker can obtain the URLs of the sites the
client visits, any information the client enters on the site, such as login credentials, and
even images that the client loads from the unsecured site. This type of attack can continue
without detection unless the attacker stops it. As long as the client continues to use
unsecured sites, the attacker will be able to gather more information using HTTPeek
module.
Figure 33. Attacker’s Perspective while the Client is Accessing HTTP Site
The attacker can also gain login credentials if the target carelessly visits an
unsecured site that asks for login credentials as shown in Figure 34. This time, for
aimed at helping security professionals and enthusiasts to learn and practice web
application security testing techniques. If the client entered his/her username and
From the attacker's point of view, they can intercept and obtain login credentials
when a client accesses an unsecured website like vulnweb.com. As shown in Figure 35,
the attacker can capture the login information and use it to gain unauthorized access to
the user's account. To elaborate further, an attacker can use various methods to intercept
the data transmitted between the client and the website, such as using a network sniffer or
setting up a fake Wi-Fi hotspot. Once the attacker gains access to the login credentials,
they can use them to log in to the user's account and perform malicious activities such as
transactions.
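The passage above describes what a passive HTTP sniffer such as the HTTPeek module can read, so the check a defender wants is whether a site actually keeps clients off plain HTTP. The following script is an added example, not code from the study or from the Wifi Pineapple project: it parses constructed HTTP responses (the hostname shop.example and the response bodies are made up for this example) and reports whether plain-HTTP requests are redirected to HTTPS, whether a login form is served over HTTP, and whether the HTTPS response carries an HSTS header.

```python
"""Check whether a site forces clients off plain HTTP onto HTTPS.

A passive sniffer only sees what is sent in the clear, so the defence is to
redirect every HTTP request to HTTPS and to set HSTS so the browser stays on
HTTPS afterwards.  The responses below are constructed samples, not captures
from the study.
"""
from urllib.parse import urlsplit

# Constructed: a site that serves its login form directly over HTTP.
WEAK_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<form method="post" action="/login">'
    '<input name="user"><input name="pass" type="password"></form>'
)

# Constructed: a hardened site; HTTP only redirects, HTTPS carries HSTS.
HARDENED_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://shop.example/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
HARDENED_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>shop front</html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ")[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def hsts_max_age(value):
    """Return the max-age directive of a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def assess_site(http_raw, https_raw, host):
    """Judge one host's exposure from its plain-HTTP response and, when
    available, its HTTPS response."""
    status, headers, body = parse_response(http_raw)
    target = urlsplit(headers.get("location", ""))
    forces_https = (
        status in (301, 302, 307, 308)
        and target.scheme == "https"
        and (target.hostname or "") == host
    )
    # A login form returned over HTTP is exactly what a sniffer is waiting for.
    login_form_over_http = status == 200 and 'type="password"' in body.lower()

    # Browsers only honour HSTS received over HTTPS (RFC 6797), so it is read
    # from the HTTPS response and never from the plain-HTTP one.
    max_age = None
    if https_raw is not None:
        _, https_headers, _ = parse_response(https_raw)
        if "strict-transport-security" in https_headers:
            max_age = hsts_max_age(https_headers["strict-transport-security"])

    return {
        "forces_https": forces_https,
        "login_form_over_http": login_form_over_http,
        "hsts_max_age": max_age,
        "exposed_to_sniffing": not forces_https or login_form_over_http,
    }


if __name__ == "__main__":
    print("weak    :", assess_site(WEAK_HTTP, None, "shop.example"))
    print("hardened:", assess_site(HARDENED_HTTP, HARDENED_HTTPS, "shop.example"))
```

The weak sample is reported as exposed because it answers a plain-HTTP request with a password form; the hardened sample redirects to HTTPS on the same host and sets a one-year HSTS max-age, which is the combination that leaves a sniffer on the local network nothing to read.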
Beacon Flooding
Beacon flooding is a type of wireless network attack that aims to disrupt the
frames. This type of attack can be carried out using the MDK4 module, which allows the
attacker to broadcast multiple networks with random SSIDs or a single SSID. The MDK4
penetration testing tool used for testing and securing wireless networks. The goal of this
attack is to create congestion on the network, causing legitimate users to experience slow
the attacker can render the target network unusable and compromise its security. It is
from such attacks, such as limiting the number of beacons that can be received from a
single access point. See Appendix P for the installation of the MDK4 module.
The first step in carrying out a beacon flooding attack using the MDK4 module is
to access the module through the Wifi Pineapple interface. This can be done by clicking
on the "Module" tab located on the left-hand side of the navigation page. Once the
module page is opened, search for the "MDK4" module and click on it to access its
interface. Figure 36 shows what the MDK4 module button looks like. This interface
provides the attacker with various options for configuring and executing the attack, such
as selecting the target network, setting the duration of the attack, and choosing the type of
attack to carry out. It is important for network administrators to monitor their networks
regularly and take measures to prevent unauthorized access and attacks such as beacon
flooding.
"Beacon Flooding" option from the list of available attacks shown in Figure 37. It is
important to note that this attack requires both input and output interfaces to be set to
monitor mode, which can be achieved by using the "wlan3mon" interface for both.
Furthermore, it is essential to continuously scan for any potential targets during the
attack, as this helps to identify vulnerable devices that may be susceptible to the attack.
This scanning process also ensures that the input and output interfaces remain in monitor
Figure 37. Setting Attack Mode and Input and Output Interfaces
The "Attack Options" feature allows the attacker to specify the SSID of the
networks shown in Figure 38. This feature can also be used to specify arbitrary SSIDs. It
should be noted that only one attack option can be used at a time for this type of attack.
By providing the ability to select specific or random SSIDs, the attacker can customize
their attack strategy according to their specific objectives. The ability to choose from
multiple options enables attackers to launch more effective attacks and potentially
compromise the security of targeted networks. After setting up all the necessary
information about the attack, the attacker can start the attack by clicking the “Start”
The output provides information on the success of the attack, including whether
the targeted network(s) have been compromised, as shown in Figure 39. By analyzing the
output, the attacker can determine the effectiveness of their attack strategy and adjust as
necessary. The ability to monitor the progress of the attack in real-time enables the
attacker to make informed decisions and optimize their approach for maximum impact.
The output can also be used to gather valuable information about the targeted network,
such as the types of devices connected and the security measures in place, which can be
The client's experience with fake networks can be frustrating and confusing.
These fake networks often appear in the Wifi connectivity settings as multiple networks
with the same SSID but with different security settings, as shown in Figure 40. The attack
opens three networks with the same SSID “PSUWifi”, each with a different security
setting. This can make it difficult for clients to determine which network is the real one.
The constant refresh of these fake networks every five seconds can add to the confusion
and create a sense of distrust towards Wifi networks in general. Ultimately, the presence
of fake networks highlights the need for increased awareness and security measures when
packets to a wireless client, causing it to disconnect from its current access point. This
can be used to force a client to connect to a rogue access point set up by the attacker.
disconnect entirely, it causes the client to disassociate from its current access point
to another access point and can also be used to gather information about the client's
connection habits. MDK4 is a tool used for Wi-Fi penetration testing and it has a feature
that allows for the deauthentication and disassociation of wireless clients from access
points.
the network. A common scenario is when the attacker uses the mdk4 tool on their Wi-Fi
access point, causing all connected devices to lose connectivity to the network. However,
this attack will not allow clients to connect to the network, unless the attack stops. See
The first step in carrying out a deauthentication and disassociation attack using
the MDK4 module is to access the module through the Wifi Pineapple interface. This can
be done by clicking on the "Module" tab located on the left-hand side of the navigation
page. Once the module page is opened, search for the "MDK4" module and click on it to
access its interface. Figure 41 shows what the MDK4 module button looks like. This
interface provides the attacker with various options for configuring and executing the
attack, such as selecting the target network, setting the duration of the attack, and
After accessing the MDK4 module interface, the next step in performing a
deauthentication and disassociation attack is to select the attack mode shown in Figure
42. This can be done by choosing the "deauthentication and disassociation" option from
the available attack modes. The input and output interfaces should also be specified, with
"wlan3mon" being selected for both. It is important to note that reconnaissance should be
turned on during the attack process. This is necessary because the input and output
Figure 42. Choosing the attack mode and the input/output interface
After choosing the attack mode and setting up the input and output interface, enter
the necessary data for the chosen attack. Attack Options #1 and #2 can each be a client or
a network: option number 1 lists the affected clients or networks, while number
2 lists the unaffected clients or networks. These files are saved under the cabinet module.
See Appendix Q for the configuration of the cabinet module. Attack Option number 4 is
the channel of the target network. The channel of the target is shown in reconnaissance.
After setting up the necessary information about the attack, activate the attack by clicking
Figure 43. Setting Up the Attack Option and Starting the Attack
that aims to disconnect clients from the network. Figure 44 is a visual representation of
this attack, demonstrating how clients are disconnected from the network. The figure
shows that once a client is disconnected from the network through this method, they will
not be able to reconnect unless the attack is deactivated. This makes it an effective attack
for disrupting wireless networks and causing inconvenience or potential harm to users
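Both the beacon flooding section above and this deauthentication and disassociation section describe floods of forged 802.11 management frames, which is what a wireless IDS looks for. The script below is an added example, not code from the study or from MDK4 or the Wifi Pineapple: it runs two detections over a constructed log of management frames (the BSSIDs, the client address and the timing are all made up for this example). The first flags any inventory SSID advertised by a BSSID that is not in the known access-point list, which catches the three same-SSID fake networks described above; the second counts deauthentication and disassociation frames per transmitter per window, which catches the client-kicking flood.

```python
"""Two wireless-IDS checks over a constructed log of 802.11 management frames:
rogue beacons for a known SSID, and deauth/disassoc floods per BSSID."""
from collections import defaultdict

BEACON, DEAUTH, DISASSOC = "beacon", "deauth", "disassoc"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Assumed inventory of legitimate BSSIDs per SSID (constructed for this example).
LEGIT_BSSID = "aa:bb:cc:00:00:01"
KNOWN_APS = {"PSUWifi": {LEGIT_BSSID}}


def constructed_frames():
    """Build a sample capture: (time_s, subtype, transmitter BSSID, SSID, receiver).
    Every value here is constructed, not taken from the study's captures."""
    frames = []
    # The real AP beacons roughly every 0.1 s for ten seconds (normal behaviour).
    t = 0.0
    while t < 10.0:
        frames.append((round(t, 1), BEACON, LEGIT_BSSID, "PSUWifi", BROADCAST))
        t += 0.1
    # Flood: three forged BSSIDs advertise the same SSID between 2 s and 4 s.
    fakes = ["de:ad:be:ef:00:01", "de:ad:be:ef:00:02", "de:ad:be:ef:00:03"]
    for i, bssid in enumerate(fakes):
        for k in range(10):
            frames.append((2.0 + i * 0.01 + k * 0.2, BEACON, bssid, "PSUWifi", BROADCAST))
    # One ordinary deauth in the first window: a single client leaving normally.
    frames.append((1.5, DEAUTH, LEGIT_BSSID, "", "12:34:56:78:9a:bc"))
    # Flood: 15 broadcast deauths spoofed from the real BSSID between 6 s and 7.5 s.
    for k in range(15):
        frames.append((6.0 + k * 0.1, DEAUTH, LEGIT_BSSID, "", BROADCAST))
    return sorted(frames)


def _window(ts, window_s):
    """Start time of the tumbling window that contains ts."""
    return int(ts // window_s) * window_s


def rogue_beacon_alerts(frames, known_aps=KNOWN_APS, window_s=5.0):
    """Per window, list inventory SSIDs advertised by BSSIDs that are not in the
    inventory; returns [(window_start, ssid, sorted unknown BSSIDs)]."""
    unknown = defaultdict(set)
    for ts, subtype, bssid, ssid, _dst in frames:
        if subtype == BEACON and ssid in known_aps and bssid not in known_aps[ssid]:
            unknown[(_window(ts, window_s), ssid)].add(bssid)
    return sorted((w, ssid, sorted(b)) for (w, ssid), b in unknown.items())


def deauth_flood_alerts(frames, window_s=5.0, max_frames=5):
    """Per window, count deauth/disassoc frames per transmitter and report any
    transmitter above max_frames; returns [(window_start, bssid, count)]."""
    counts = defaultdict(int)
    for ts, subtype, bssid, _ssid, _dst in frames:
        if subtype in (DEAUTH, DISASSOC):
            counts[(_window(ts, window_s), bssid)] += 1
    return sorted((w, bssid, n) for (w, bssid), n in counts.items() if n > max_frames)


if __name__ == "__main__":
    capture = constructed_frames()
    for alert in rogue_beacon_alerts(capture):
        print("rogue beacons:", alert)
    for alert in deauth_flood_alerts(capture):
        print("deauth flood :", alert)
```

The inventory-based check is used instead of a plain "more than one BSSID per SSID" rule because a campus ESS legitimately has many access points sharing one SSID; the threshold in the deauth check likewise has to be tuned to the normal roaming rate of the network. Both checks only see the symptom; the mitigation for the deauth case is enabling 802.11w protected management frames, which makes forged deauthentication and disassociation frames from a spoofed BSSID ignored by clients that support it.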
Dictionary Attack
A dictionary attack is a type of cyber-attack where an attacker uses a list of words
The idea behind the attack is that many people use common words, phrases, or
predictable patterns in their passwords, making it easier for an attacker to guess them by
simply trying a large number of possibilities until they find the correct one. Dictionary
attacks are a popular method of password cracking because they can be automated and
can quickly try many different combinations without requiring much effort on the part of
the attacker. The researchers used the hashcat tool for cracking passwords. Hashcat is a
popular password cracking tool that uses GPU acceleration to perform brute-force attacks
and dictionary attacks on hashed passwords. Take note that this attack was done without
The process of cracking passwords requires the use of specialized tools such as
hashcat-6.2.6, which is readily available for download. The first step in initiating the
cracking process is accessing the properties of the hashcat-6.2.6 folder and copying its
location, as demonstrated in Figure 45. It is worth noting that access to hashcat-6.2.6 is
essential before proceeding with the cracking process. See Appendix R for the step-by-step
procedure on how to download it. While hashcat in Kali Linux is also suitable for
with the command prompt, which requires less memory usage than the Kali Linux
Once the attacker has accessed the properties of the hashcat-6.2.6 folder and
copied its location, they can start the cracking of passwords using the command prompt.
The directory must be changed by typing "cd" before pasting the folder location and then
typing "\hashcat-6.2.6". After changing the directory, the attacker can initiate the
command shown in Figure 46. This time the researchers are using the captured handshake
during the deauthentication attack. The researchers are using rockyou.txt wordlist which
Figure 46. Command used for the cracking of Password using hashcat
After entering the command, it takes four minutes before the password is cracked, as
shown in Figure 47. The cracking of a password using hashcat is dependent on the
specifications of the laptop used. The time taken to crack a password can vary
significantly depending on the complexity of the password and the power of the hardware
being used for the cracking process. In this case, the researchers used an Acer Aspire E15
with an Intel Core i5 8th generation processor and 12 GB of RAM, which took four minutes to
crack a password. The program displays the progress of the cracking in both percentages
and exact numbers, given that rockyou.txt wordlist has 14,345,935 common passwords.
Overall, the speed and success of password cracking using hashcat will always depend on
it often involves the use of specialized tools like hashcat and wordlists such as
rockyou.txt. Figure 48 depicts the outcome of using these tools to crack a particular
password, along with its corresponding hash value. The figure suggests that the password
was successfully cracked, as evidenced by the plaintext version appearing next to the
hash value. This serves as a cautionary tale for the importance of selecting strong
malicious actors.
to guess a password or encryption key through trial and error. It is a method that hackers
use to gain access to a system or data by trying every possible combination of passwords
until the correct one is found. Brute force attacks are often automated using software
programs that can try thousands or even millions of passwords per second, depending on
the complexity of the password and the processing power of the attacker's computer.
While such attacks can be successful, they can also be time-consuming and resource
intensive.
To do the brute force attack, repeat the process of the dictionary attack shown in
Figures 44 and 45, except for the command used. This time the researchers used the
has a combination of five characters with three-digit numbers and different special
characters.
Figure 49. Command used for the cracking of Password using Brute Force
Password strength directly affects the time required to crack them, which varies
highlights the time required to crack a password with a length of thirteen possible
combinations. It shows that cracking such a password can take up to 50 years using an
ASUS X407U with an Intel Core i3 7th Gen processor and 8 GB of RAM. However, it is
important to note that the time required for a brute force attack is dependent on the
specifications of the device used, and stronger devices can crack passwords much faster.
The security protocol of the wireless local area network at CEA of PSU-UCC has
been analyzed for vulnerabilities, and the results are presented in Table 5. All these
networks utilize WPA2-PSK as their security protocol and are possible to receive various
Attack, Fake Access Point Attack, HTTPeek, Beacon Flooding Attack, Deauthentication,
and Disassociation Attack. See instructional material for the detailed process in
infiltrating the Wireless Local Area Network security protocols using these modules.
These attacks can be executed using either built-in or downloadable modules that can be
easily installed in Wifi Pineapple. Although the networks share the same security
protocol, the only difference is their respective passwords, which means that they are
one network's password, CpEDept, was successfully cracked using a dictionary attack
with the rockyou.txt wordlist - a widely available and frequently used list of common
passwords. In the brute-force attack the researchers were not able to crack any of the
cracked. This is because the attack would need to consider all possible combinations of
uppercase and lowercase characters, numbers, and special characters that may be used in
the password. Additionally, the length of the password would also play a significant role
PROBLEMS ENCOUNTERED
During the penetration testing proper, the team encountered several technical
difficulties while working with the Wifi Pineapple. One of the major problems they faced
was in cracking passwords: the researchers were not able to crack the passwords of the
networks except for the CpEDept. Second, when connecting the attacking device to the
Wifi Pineapple, the attacking device was not able to connect due to high CPU usage.
Another challenge the team faced was capturing handshakes during the attack. The
researchers found out that SSIDs are automatically added to the SSID Pool during
scanning. To resolve this, the researchers disabled the automatic adding of SSIDs to the SSID
Pool. The Wifi Pineapple device was unable to deauthenticate clients, which made it
difficult to capture the handshakes. The researchers solved this by resetting the Wifi
Pineapple. The researchers also experienced issues with starting the listening process
during HTTPeek attacks. They observed that they were not able to initiate the listening
process, which hindered their progress. This problem was solved by clearing all the