Security Lab, ISA 564, Constantinos Kolias, Angelos Stavrou

Laboratory 6

Page 1 of 16

ISA 564, Laboratory 5 Wireless Exploitation & Defenses

PURPOSE
In this lab you will explore ways to perform wireless attacks and implement potential defenses.

SOFTWARE REQUIREMENTS:
Kali Linux v.1: http://kambing.ui.ac.id/iso/kali/kali-1.0.9/

REFERENCES:
1. http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
2. http://null-byte.wonderhowto.com/how-to/hack-wi-fi-cracking-wpa2-psk-passwords-using-aircrack-ng-0148366/
3. http://tools.kali.org/wireless-attacks/fern-wifi-cracker


Inspecting & Modifying Wireless card parameters

Basic tools
To retrieve a list of interfaces (including inactive ones) use the command:

    ifconfig -a

Typically, wireless interfaces are named wlanXX. If the wireless interface is reported as DOWN (disabled), enable it with:

    ifconfig <interface> up

(<interface> is the wireless interface, e.g. wlan1 above.)


To display the characteristics of the wireless extensions of the interfaces on our system use the command:

    iwconfig

In our example the only wireless interface is wlan1.

Changing the wireless transmission channel
To change the channel of the card use the command:

    iwconfig <interface> channel <channel number>

After doing so (with channel 1 in our example), running iwconfig again shows the card set to 2.412 GHz, which corresponds to the frequency of the first channel.


Changing the transmission power
The regulatory region of the device is an important setting which indirectly dictates the strength of the signal the card transmits with. Different countries have different legislation regarding the maximum signal strength of a wireless card. For pen testing purposes it is beneficial to have the card set to the maximum supported power. To get the current region, type the command:

    iw reg get

(see figure on the next page)


To change the region, and with it the transmission power of the card, use the following commands:

    ifconfig <interface> down
    iw reg set <region code>
    ifconfig <interface> up
    iw reg get


A comprehensive list of region codes can be retrieved here: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

Changing the operation mode
Typically, wireless cards are set to managed mode, so they can function as clients of infrastructure-based networks. Monitor mode allows the card to read all traffic, including packets that originate from networks it is not associated with. To set the card in monitor mode one can rely on the airmon-ng tool of the aircrack suite:

    airmon-ng start <interface>

Task: Set the card in monitor mode listening to a specific channel only.


Changing the MAC address
It is possible to change the MAC address of the NIC using the following commands:

    ifconfig <interface> down
    macchanger -m <new mac address> <interface>
    ifconfig <interface> up

Analyzing Traffic When a wireless card is set in monitor mode it captures all packets from the air interface. It is possible with the right tools to view, analyze and store these packets.

The airodump-ng tool
To view a list of all the APs in the area and the STAs connected to each one:

    airodump-ng <interface in monitor mode>


Note: by default, airodump-ng makes the card hop among channels. Keep in mind that to achieve this, the card spends only a fraction of its time on each channel. Conversely, when locked to a single channel, all packets transmitted on the other channels escape monitoring. To restrict monitoring to a specific channel:

    airodump-ng <interface in monitor mode> -c <number of desired channel>

This is usually done once the attacker has located the victim AP or STA and wishes to capture as many packets as possible for further analysis. airodump-ng can also save all captured packets to disk:

    airodump-ng <interface in monitor mode> -c <number of desired channel> -w <name of file>


Note that airodump-ng saves only the packets relevant to WEP key cracking or pen testing. Therefore, the created file will not contain all the packets seen on the channel. For more information on the capabilities of the airodump-ng tool visit: http://www.aircrack-ng.org/doku.php?id=airodump-ng

The Wireshark tool
It is possible to attach Wireshark to a wireless network interface and thereby gain insight into the packets of a live capture. Moreover, one can apply different kinds of filters on various fields of the packets (e.g. their type and subtype). This is done by entering the field mnemonic and the desired value in the filter input field. Alternatively, filtering can be achieved by locating a packet with the desired attribute and using it as an example filter. Multiple filters can be combined with the standard C operators (e.g., ==, !=, >, <=, !, &&, || etc.). This process is described here: [video 001].

Task: Insert the necessary filters so that only frames of subtype beacon that advertise the SSID "WIRELESSLAB" are displayed.

To obtain a visual representation of various aspects of the capture it is possible to create IO Graphs. This process is described here: [video 002].

Task: Create a graph that displays the total number of captured beacon frames per time unit versus the total number of captured beacon frames that have SSID "WIRELESSLAB". The former should be drawn in black, the latter in green.

Some of the most important filters for wireless captures can be retrieved from here:
https://www.wireshark.org/docs/dfref/w/wlan.html
https://www.wireshark.org/docs/dfref/w/wlan_mgt.html

The subtype codes of 802.11 frames can be retrieved here:
https://supportforums.cisco.com/document/52391/80211-frames-starter-guide-learn-wireless-sniffer-traces
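The beacon/SSID filter task above is easier to reason about once you have decoded a management frame by hand. The following Python script is an added example and is not part of the lab handout: it builds a few constructed 802.11 management frames (two beacons, one broadcast deauthentication), decodes the Frame Control byte into type/subtype (the codes the Cisco link above lists: management type 0, beacon subtype 8, deauthentication subtype 12), walks the tagged parameters to pull out the SSID, and applies in code the same selection the Wireshark display filter `wlan.fc.type_subtype == 0x08 && wlan.ssid == "WIRELESSLAB"` performs (older Wireshark releases, matching the wlan_mgt reference above, name the SSID field `wlan_mgt.ssid`). All MAC addresses and frame contents are constructed values.

```python
"""Minimal 802.11 management-frame decoder over constructed sample frames (added example)."""
import struct

TYPE_MGMT = 0          # Frame Control type 0 = management frame
SUBTYPE_BEACON = 0x8   # management subtype 8  = beacon
SUBTYPE_DEAUTH = 0xC   # management subtype 12 = deauthentication
BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT_HDR_LEN = 24      # FC(2) + duration(2) + three addresses(18) + sequence control(2)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mgmt_header(subtype: int, dst: str, src: str, bssid: str, seq: int = 0) -> bytes:
    """Build a 24-byte management header; the subtype sits in the high nibble of FC byte 0."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])   # protocol version 0, flags 0
    duration = b"\x00\x00"
    seq_ctl = struct.pack("<H", seq << 4)                   # fragment number 0, sequence in the top 12 bits
    return fc + duration + mac_to_bytes(dst) + mac_to_bytes(src) + mac_to_bytes(bssid) + seq_ctl


def build_beacon(bssid: str, ssid: str, seq: int = 0) -> bytes:
    """Constructed beacon: fixed fields (timestamp, interval, capabilities) then the SSID tag (tag id 0)."""
    fixed = struct.pack("<QHH", 0, 100, 0x0001)
    ssid_raw = ssid.encode()
    return mgmt_header(SUBTYPE_BEACON, BROADCAST, bssid, bssid, seq) + fixed + bytes([0, len(ssid_raw)]) + ssid_raw


def build_deauth(dst: str, bssid: str, reason: int = 7, seq: int = 0) -> bytes:
    """Constructed deauthentication frame: header plus a 2-byte little-endian reason code."""
    return mgmt_header(SUBTYPE_DEAUTH, dst, bssid, bssid, seq) + struct.pack("<H", reason)


def parse_ssid_tag(tags: bytes):
    """Walk the tagged parameters (id, length, value) and return the SSID (tag 0) if present."""
    i = 0
    while i + 2 <= len(tags):
        tag_id, length = tags[i], tags[i + 1]
        value = tags[i + 2:i + 2 + length]
        if tag_id == 0:
            return value.decode("utf-8", errors="replace")
        i += 2 + length
    return None


def parse_frame(raw: bytes) -> dict:
    """Decode Frame Control, the three addresses and the sequence number; decode the body for beacon/deauth."""
    if len(raw) < MGMT_HDR_LEN:
        raise ValueError("frame shorter than an 802.11 management header")
    fc0 = raw[0]
    frame = {
        "version": fc0 & 0x3,
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "addr1": mac_to_str(raw[4:10]),    # receiver / destination
        "addr2": mac_to_str(raw[10:16]),   # transmitter / source
        "addr3": mac_to_str(raw[16:22]),   # BSSID for management frames
        "seq": struct.unpack("<H", raw[22:24])[0] >> 4,
    }
    body = raw[MGMT_HDR_LEN:]
    if frame["type"] == TYPE_MGMT and frame["subtype"] == SUBTYPE_BEACON:
        frame["ssid"] = parse_ssid_tag(body[12:])   # skip the 12 fixed bytes before the tags
    elif frame["type"] == TYPE_MGMT and frame["subtype"] == SUBTYPE_DEAUTH:
        frame["reason"] = struct.unpack("<H", body[:2])[0]
    return frame


def beacons_for_ssid(frames, ssid: str):
    """Software equivalent of the display filter: wlan.fc.type_subtype == 0x08 && wlan.ssid == "<ssid>"."""
    matches = []
    for raw in frames:
        f = parse_frame(raw)
        if f["type"] == TYPE_MGMT and f["subtype"] == SUBTYPE_BEACON and f.get("ssid") == ssid:
            matches.append(f)
    return matches


# Constructed sample "capture": two beacons from different APs and one broadcast deauthentication
SAMPLE_FRAMES = [
    build_beacon("00:11:22:33:44:55", "WIRELESSLAB", seq=1),
    build_beacon("66:77:88:99:aa:bb", "OtherNet", seq=2),
    build_deauth(BROADCAST, "00:11:22:33:44:55", reason=7, seq=3),
]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        print(parse_frame(raw))
    print(len(beacons_for_ssid(SAMPLE_FRAMES, "WIRELESSLAB")), "beacon(s) advertising WIRELESSLAB")
```

Running the script decodes the three frames and reports exactly one beacon for WIRELESSLAB; the same nibble arithmetic on FC byte 0 is what Wireshark performs to populate `wlan.fc.type_subtype`, which is why a beacon capture starts with bytes `80 00` and a deauthentication with `c0 00`.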


Assignment 1: Create an open network that supports whitelists as its sole protection mechanism. Add some MAC addresses to the list. Attempt to connect a client that is not included in the list to that AP. Using wireshark and monitoring the corresponding packets what do you notice? Propose a methodology for evading this rudimentary security measure.

Availability Attacks
It is possible to reduce the availability of a wireless network or cause denial-of-service (DoS) against specific clients by forging and transmitting specific (in most cases management) frames. This stems from the fact that in 802.11 networks management frames are transmitted unencrypted.

Deauthentication attack
This attack is based on the transmission of deauthentication frames. It is considered the easiest and most effective way of creating a DoS attack against all or specific clients of the network. The aircrack suite has tools that automate this process. To launch a deauthentication attack against all clients connected to a specific AP, one first has to know the MAC address of the victim AP. This can easily be found via airodump-ng or Wireshark. Then, using the -0 (or --deauth) option of the aireplay-ng tool one can cause a flood of deauthentication frames to be transmitted. Use the following command (see also figure on the next page):

    aireplay-ng --ignore-negative-one -0 <packets to be sent> -a <AP MAC Address> mon0


Notice that you can specify 0 instead of a fixed number of packets and the process will carry on indefinitely.

Task: using the --help option of the aireplay-ng tool, find the appropriate options that allow the card to transmit deauthentication packets against a specific client.

Another tool that can launch a deauthentication attack is mdk3. This tool follows a more aggressive methodology for the attack (which is at the same time more obvious to intrusion detection systems). To execute a deauthentication attack with mdk3, type the following command:

    mdk3 <interface> d


Assignment 2: Examine the effects of an aireplay-ng based deauthentication attack and an mdk3 based one, using Wireshark. Deduce signatures for the two flavors of attack. Create a Wireshark capture that contains both of these attacks. Save the capture and export it to text. Create a rudimentary IDS that analyzes the corresponding text file and is capable of reporting when and which of the two types of attacks occurred.

Beacon flooding attack
To cause a beacon flooding attack with random SSIDs and MAC addresses using mdk3:

    mdk3 <monitoring interface> b


To cause a beacon flooding attack with beacons carrying a specific SSID use the following command:

    mdk3 <monitoring interface> b -n <SSID>

Some useful options for this testing mode are:
    -f  read SSIDs from a file
    -v  read MACs from a file
    -a  advertise that WPA protection is supported
    -h  confine the beaconing to a specific channel
    -m  use a valid MAC for the hypothetical AP, taken from the OUI database
    -s  set the beacon transmission speed

Task: Generate a beacon flooding attack with just the -n option. Look at the list of available wireless networks on your OS. Do you see the fake AP? If not, give a possible explanation of why this happens. Using the right options, try to make the attack more effective.
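Assignment 2 asks for a rudimentary IDS over a text export of the capture, and the beacon flooding task above asks what makes a flood of fake APs noticeable. The following Python script is an added example and is not part of the lab handout: it parses a constructed tab-separated export (epoch time, frame subtype, source, destination, BSSID; this column layout is my assumption, and a real export from Wireshark or tshark will need the parser adjusted to its columns), buckets frames per second, and raises an alert for a deauthentication flood or a beacon flood. The two deauthentication sub-classifications it reports (one source hammering the broadcast address versus many distinct address pairs) are heuristics I chose for the demonstration; they are not the signatures the lab expects you to derive for aireplay-ng and mdk3 from your own captures. All addresses and timings in the sample are constructed.

```python
"""Rudimentary wireless IDS over a text export of a capture (added example, constructed data)."""
import random
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def make_sample_export(seed: int = 1) -> str:
    """Construct a small tab-separated export: benign traffic, two deauth bursts, one beacon flood."""
    rng = random.Random(seed)
    ap = "00:11:22:33:44:55"
    clients = ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"]
    lines = []
    for i in range(20):                                  # seconds 0-1: normal beacons, one AP
        lines.append(f"{i * 0.1:.2f}\tbeacon\t{ap}\t{BROADCAST}\t{ap}")
    lines.append(f"1.50\tdeauth\t{ap}\t{clients[0]}\t{ap}")   # a single legitimate deauth
    for i in range(30):                                  # second 2: 30 broadcast deauths, one source
        lines.append(f"{2 + i * 0.02:.2f}\tdeauth\t{ap}\t{BROADCAST}\t{ap}")
    for i in range(30):                                  # second 4: 30 deauths between many address pairs
        src = f"02:00:00:00:00:{rng.randrange(256):02x}"
        lines.append(f"{4 + i * 0.02:.2f}\tdeauth\t{src}\t{rng.choice(clients)}\t{src}")
    for i in range(40):                                  # second 6: 40 beacons from 40 different BSSIDs
        bssid = f"06:00:00:00:00:{i:02x}"
        lines.append(f"{6 + i * 0.02:.2f}\tbeacon\t{bssid}\t{BROADCAST}\t{bssid}")
    return "\n".join(lines)


def parse_export(text: str) -> list:
    """Each non-empty line: time<TAB>subtype<TAB>src<TAB>dst<TAB>bssid (assumed export layout)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, subtype, src, dst, bssid = line.split("\t")
        records.append({"time": float(t), "subtype": subtype, "src": src, "dst": dst, "bssid": bssid})
    return records


def detect(records: list, deauth_threshold: int = 10, beacon_bssid_threshold: int = 20) -> list:
    """Return (second, description, count) alerts for deauth floods and beacon floods.

    Thresholds are per one-second bucket and are tuning knobs, not values the lab prescribes.
    """
    buckets = defaultdict(list)
    for r in records:
        buckets[int(r["time"])].append(r)
    alerts = []
    for sec in sorted(buckets):
        recs = buckets[sec]
        deauths = [r for r in recs if r["subtype"] == "deauth"]
        if len(deauths) >= deauth_threshold:
            sources = {r["src"] for r in deauths}
            dests = {r["dst"] for r in deauths}
            if len(sources) == 1 and dests == {BROADCAST}:
                kind = "deauth flood: one source to broadcast"
            else:
                kind = "deauth flood: many address pairs"
            alerts.append((sec, kind, len(deauths)))
        bssids = {r["bssid"] for r in recs if r["subtype"] == "beacon"}
        if len(bssids) >= beacon_bssid_threshold:
            alerts.append((sec, "beacon flood: many distinct BSSIDs", len(bssids)))
    return alerts


if __name__ == "__main__":
    for sec, kind, count in detect(parse_export(make_sample_export())):
        print(f"t={sec}s  {kind}  ({count} frames)")
```

The benign second (one deauthentication, ten beacons from a single BSSID) produces no alert, while the three constructed bursts each produce one. When you point this at your own export, the first thing to revisit is the classification branch: replace my heuristics with the frame-level differences you observed between the two tools, since that is the signature the assignment asks for.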


Cracking the Key of WEP Protected Networks
It is possible to crack the key of a WEP protected network due to a) the inability of WEP to protect against replay of frames, b) the insecurity of the RC4 crypto algorithm, as well as c) the existence of weak IVs that reveal information about the key itself.
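The RC4 and IV weaknesses in b) and c) can be illustrated without any wireless hardware. The following Python snippet is an added example, not lab code: it implements plain RC4, derives the WEP per-frame key as IV || root key exactly as WEP does, and shows that two frames encrypted under the same 24-bit IV leak the XOR of their plaintexts, so a frame with predictable content (an ARP header, say) lets a listener decrypt any other frame sent under that IV without ever learning the key; it also computes the birthday bound for how many frames are needed before an IV repeats at all. The key, IV and frame contents are constructed values.

```python
"""Why WEP's 24-bit IV and RC4 keystream reuse are a problem (added example, constructed values)."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) then the pseudo-random generation loop (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame key = IV || root key; the 3-byte IV is transmitted in the clear with the frame."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor_bytes(plaintext, rc4_keystream(iv + root_key, len(plaintext)))


def plaintext_xor_from_reuse(c1: bytes, c2: bytes) -> bytes:
    """Same IV => same keystream => c1 xor c2 == p1 xor p2, with no knowledge of the key."""
    return xor_bytes(c1, c2)


def decrypt_via_known_plaintext(c_known: bytes, p_known: bytes, c_other: bytes) -> bytes:
    """Recover the keystream from one frame with known content, then strip it from another frame."""
    keystream = xor_bytes(c_known, p_known)
    return xor_bytes(c_other, keystream)


def frames_until_iv_repeat(iv_bits: int = 24, probability: float = 0.5) -> float:
    """Birthday bound: frames after which some IV has repeated with the given probability."""
    space = 2 ** iv_bits
    return math.sqrt(2 * space * math.log(1 / (1 - probability)))


# Constructed demo values (not taken from the lab)
ROOT_KEY = bytes.fromhex("0102030405")          # a 40-bit WEP key
IV = bytes.fromhex("a1b2c3")
FRAME_A = b"ARP request: who-has 192.168.1.1"   # predictable content, 32 bytes
FRAME_B = b"secret data, same IV"               # 20 bytes, sent later under the same IV


def demo():
    """Encrypt both frames under one IV and recover FRAME_B from FRAME_A's known content."""
    c_a = wep_encrypt(ROOT_KEY, IV, FRAME_A)
    c_b = wep_encrypt(ROOT_KEY, IV, FRAME_B)
    leaked_xor = plaintext_xor_from_reuse(c_a, c_b)
    recovered = decrypt_via_known_plaintext(c_a, FRAME_A, c_b)
    return leaked_xor, recovered


if __name__ == "__main__":
    leaked_xor, recovered = demo()
    print("p1 xor p2 leaked:", leaked_xor.hex())
    print("recovered frame B:", recovered)
    print("frames until an IV repeats (p=0.5): about", round(frames_until_iv_repeat()))
```

The birthday figure (roughly 4,800 frames for a 50% chance of a repeated IV, against a busy AP that sends hundreds of frames per second) is the reason the lab's IV-collection steps work at all; the key-recovery attacks that aircrack-ng automates (KoreK, PTW) build on this same per-frame key structure rather than on a collision, which is why no amount of IV randomisation would have rescued WEP.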

PTW attack
It is considered a trivial multistep process that can be completed with the tools of the aircrack suite. Initially, the attacker must capture a handshake and store it. airodump-ng is able to create the corresponding files if the -w option is used. To see this, use the following command:

    airodump-ng --ignore-negative-one --bssid <AP MAC address> -c <channel number> -w <name of the files> <interface>

To actually capture a handshake, the attacker must be present while a valid authentication procedure takes place between a client and the AP. This rarely happens, but by deauthenticating the clients of the AP it is certain that most of them will automatically attempt to reconnect. To see this, use the following command:

    aireplay-ng --ignore-negative-one -0 3 -a <AP MAC address> <interface>

Cracking WEP typically relies on capturing and using IVs. The only frames that contain IVs are data frames. These are generated only when the client is actively using its connection, e.g. streaming a video. Even so, the number of IVs needed is rather large. To increase the number of generated IVs the attacker can capture an encrypted ARP request and replay it continuously, thus producing a flood of ARP responses. To see this, use the following command:

    aireplay-ng --ignore-negative-one -3 -b <AP MAC address> -h <MAC of a connected client> <interface>

For this command to have an effect the client must remain associated with the network.


Once new IVs are generated, the airodump-ng tool stores the needed information in the *.cap file. In the next step the aircrack-ng tool can be used on that file (either online or offline) to crack the key. The entire process can be seen in video 3 posted online. You can also use this command:

    aircrack-ng <name of the *.cap file>

Task: crack the WEP key using a KoreK attack rather than PTW by using the right options of the aircrack-ng tool.

Assignment 3: Using various aireplay-ng options achieve an ARP amplification so that the key cracking can be completed faster.
For help: http://www.aircrack-ng.org/doku.php?id=arp_amplification

Caffe Latte attack
Caffe Latte is a method of cracking the WEP key which requires neither the client nor the attacker to be in the coverage area of the AP. To carry it out, the attacker must first set up a fake AP mimicking the characteristics of the victim AP:

    airbase-ng -c 1 -a <AP MAC address> -e <Desired ESSID> -L -W 1 <interface>


By default, multiple clients may be lured into connecting to that AP. Once successful, the attack will generate a flood of ARP request packets, which in turn trigger ARP responses and thus multiple IVs. These can be captured with the airodump-ng command:

    airodump-ng --ignore-negative-one --bssid <AP MAC address> -c <channel number> -w <name of the files> <interface>

Finally, the cracking process can be initiated with the aircrack-ng tool. To see this, use the following command:

    aircrack-ng <name of the *.cap file>

Task: Using airbase-ng options launch the Hirte attack variation.

Assignment 4: Using various tools and options of the aircrack suite achieve a fragmentation attack. Observe the traffic generated during this attack and compose an effective signature.