Cehv8 Labs - Module15: Hacking Wireless Networks.

Cehv8 labs
Module15: Hacking Wireless Networks

Download here:
CCNAv5: ccna5vn.wordpress.com
CEHv8: cehv8vn.blogspot.com


  1. 1. CEH Lab Manual Hacking Wireless Networks Module 15
  2. 2. ICON KEY: Valuable information; Test your knowledge; Web exercise; Workbook review. Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks.

     Hacking Wireless Networks

     Wi-Fi is developed on IEEE 802.11 standards and is widely used in wireless communication. It provides wireless access to applications and data across a radio network.

     Lab Scenario: Wireless network technology is becoming increasingly popular but, at the same time, it has many security issues. A wireless local area network allows workers to access resources without being tethered to their desks. However, the convenience of WLANs also introduces security concerns that do not exist in a wired world. Connecting to a network no longer requires an Ethernet cable. Instead, data packets are airborne and available to anyone with the ability to intercept and decode them. Several reports have explained weaknesses in the Wired Equivalent Privacy (WEP) algorithm used by the 802.11x standard to encrypt wireless data. To be an expert ethical hacker and penetration tester, you must have sound knowledge of wireless concepts, wireless encryption, and their related threats. As a security administrator of your company, you must protect the wireless network from hacking.

     Lab Objectives: The objective of this lab is to protect the wireless network from attackers. In this lab, you will learn how to:
     • Crack WEP using various tools
     • Capture network traffic
     • Analyze and detect wireless traffic

     Lab Environment: In the lab you will need a web browser with an Internet connection. This lab requires an AirPcap adapter installed on your machine for all labs.

     Lab Duration: Time: 30 Minutes

     Overview of Wireless Network: A wireless network refers to any type of computer network that is wireless and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves such as

     CEH Lab Manual Page 819. Ethical Hacking and Countermeasures. Copyright © EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. 3. radio waves for the carrier. The implementation usually takes place at the physical level or layer of the network.

     Task 1, Overview: Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Recommended labs to assist you in Wireless Networks:
     • WiFi Packet Sniffing Using AirPcap with Wireshark
     • Cracking a WEP Network with Aircrack-ng for Windows
     • Sniffing the Network Using the OmniPeek Network Analyzer

     Lab Analysis: Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

     PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
  4. 4. WiFi Packet Sniffing Using AirPcap with Wireshark

     The AirPcap adapter is a USB device that, when used in tandem with the AirPcap drivers and WinPcap libraries, allows a pen tester to monitor 802.11b/g traffic in monitor mode.

     Lab Scenario: Wireless networks can be open to active and also passive attacks. These types of attacks include DoS, MITM, spoofing, jamming, war driving, network hijacking, packet sniffing, and many more. Passive attacks that take place on wireless networks are common and are difficult to detect since the attacker usually just collects information. Active attacks happen when a hacker has gathered information about the network after a successful passive attack. Sniffing is the act of monitoring the network traffic using legitimate network analysis tools. Hackers can use monitoring tools, including AiroPeek, Ethereal, TCPDump, or Wireshark, to monitor the wireless networks. These tools allow hackers to find an unprotected network that they can hack. Your wireless network can be protected against this type of attack by using strong encryption and authentication methods. In this lab we discuss the Wireshark tool, which can sniff the network using a wireless adapter. Since you are the ethical hacker and penetration tester of an organization, you need to check the wireless security, exploit the flaws in WEP, and evaluate weaknesses present in WEP for your organization.

     Lab Objectives: The objective of this lab is to help students learn and understand how to:
     • Discover WEP packets
  5. 5. Lab Environment: To execute the lab, you need:
     • Install AirPcap adapter drivers; to install, navigate to D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools, and double-click setup_airpcap_4_1_1.exe to install
     • When you are installing the AirPcap adapter drivers, if any installation error occurs, install the AirPcap adapter drivers in compatibility mode (right-click the AirPcap adapter driver exe file, select Properties -> Compatibility, in compatibility mode, and select Windows 7)
     • Wireshark located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\wireshark-win64-1.AA.exe
     • Run this lab in Windows Server 2012 (host machine)
     • An access point configured with WEP on the host machine
     • This lab requires the AirPcap adapter installed on your machine. If you don't have this adapter, please do not proceed with this lab
     • A standard AirPcap adapter with its drivers installed on your host machine
     • WinPcap libraries, Wireshark, and Cain & Abel installed on your host machine
     • Administrative privileges to run AirPcap and other tools
     • A client connected to a wireless access point

     Lab Duration: Time: 15 Minutes

     Overview of WEP (Wired Equivalent Privacy): Several serious weaknesses in the protocol have been identified by cryptanalysts with the result that, today, a WEP connection can be easily cracked. Once entered
  6. 6. onto a network, a skilled hacker can modify software, network settings, and other security settings. Wired Equivalent Privacy (WEP) is a deprecated security algorithm for IEEE 802.11 wireless networks.

     Lab Tasks (Task 1: Configure AirPcap): Download AirPcap drivers from the site and follow the wizard-driven installation steps to install AirPcap drivers.

     1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop. [FIGURE 1.1: Windows Server 2012 - Desktop view]
     2. Click the AirPcap Control Panel app to open the AirPcap Control Panel window. [FIGURE 1.2: Windows Server 2012 - Apps]
     3. The AirPcap Control Panel window appears.

     Note: You can download AirPcap drivers from http://www.airdemon.net/riverbed.html

     Note: The AirPcap adapters can work in monitor mode. In this mode, the AirPcap adapter captures all of the frames that are transferred on a channel, not just frames that are addressed to it.
  7. 7. [FIGURE 1.3: AirPcap Control Panel window]

     4. On the Settings tab, click the Interface drop-down list and select AirPcap USB wireless capture adapter.
     5. In the Basic Configuration section, select suitable channel, Capture Type, and FCS Filter and check the Include 802.11 FCS in Frames check box. [FIGURE 1.4: AirPcap Control Panel window]
     6. Now, click the Keys tab. Check the Enable WEP Decryption check box. This enables the WEP decryption algorithm. You can Add New Key, Remove Key, Edit Key, and Move Key UP and Down.

     Note: The Multi-Channel Aggregator can be configured like any real AirPcap device, and therefore can have its own decryption, FCS checking and packet filtering settings.

     Note: Basic Configuration box settings: Channel: The channels available in the Channel list box depend upon the selected adapter. Since channel numbers 14 in the 2.4GHz and 5GHz bands overlap and there are center frequencies (channels) that do not have channel numbers, each available channel is given by its center frequency.
  8. 8. 7. After configuring settings and keys, click OK. [FIGURE 1.5: AirPcap Control Panel window]

     Task 2: Capturing the packets

     8. Launch Wireshark Network Analyzer. The Wireshark main window appears. [FIGURE 1.6: Wireshark Network Analyzer main window]

     Note: Basic Configuration settings: Extension Channel: For 802.11n adapters, one can use the Extension Channel list to create a "wide" channel. The choices are -1 (the preceding 20MHz frequency band), 0 (no extension channel), or +1 (the succeeding 20MHz frequency band). The channel of the additional frequency band is called the extension channel.

     Note: You can download Wireshark from http://www.wireshark.org.
  9. 9. 9. Configure AirPcap as an interface to Wireshark. Select Capture -> Interface... (Ctrl+I). You can also click the icon on the toolbar. [FIGURE 1.7: Wireshark Network Analyzer with interface option]
     10. The Wireshark: Capture Interfaces window appears. By default, the AirPcap adapter is not in running mode. Select the AirPcap USB wireless capture adapter nr. 00 check box. Click Start. [FIGURE 1.8: Wireshark: Capture Interface]
     11. Automatically, the Capturing from AirPcap USB wireless capture adapter nr. 00 - Wireshark window appears, and it starts capturing packets from the AirPcap adapter.

     Note: The following are some of the many features Wireshark provides, available for UNIX and Windows:
     • Capture live packet data from a network interface.
     • Display packets with very detailed protocol information.
     • Open and Save packet data captured.
     • Import and Export packet data from and to a lot of other capture programs.
     • Filter packets on many criteria.
     • Search for packets on many criteria.
     • Colorize packet display based on filters.
     • Create various statistics.

     Note: Wireshark isn't an intrusion detection system. It does not warn you when someone does things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.
  10. 10. [FIGURE 1.9: Wireshark Network Analyzer window with packets captured (packet list of 802.11 Beacon frames)]

     12. Wait while Wireshark captures packets from AirPcap. If the Filter Toolbar option is not visible on the toolbar, select View -> Filter Toolbar. The Filter Toolbar appears. [FIGURE 1.10: Wireshark Network Analyzer window with interface option]

     Note: Wireshark doesn't benefit much from Multiprocessor/Hyperthread systems as time-consuming tasks, like filtering packets, are single threaded. No rule is without exception: During an "update list of packets in real time" capture, capturing traffic runs in one process and dissecting and displaying packets runs in another process, which should benefit from two processors.

     Note: Wireshark can capture traffic from many different network media types, and despite its name, including wireless LAN as well. Which media types are supported depends on many things, such as the operating system you are using.

     Note: Wireshark can open packets captured from a large number of other capture programs.
  11. 11. 13. Now select View -> Wireless Toolbar. The Wireless toolbar appears in the window. [FIGURE 1.11: Wireshark Network Analyzer window with wireless toolbar option]
     14. You will see the source and destination of the packet captured by Wireshark. [FIGURE 1.12: Wireshark Network Analyzer window with 802.11 channel captured packets]
     15. After enough packet captures, stop Wireshark.

     Note: Wireshark is a network packet analyzer that captures network packets and tries to display that packet data as detailed as possible.

     Note: One possible alternative is to run tcpdump, or the dumpcap utility that comes with Wireshark, with superuser privileges to capture packets into a file, and later analyze these packets by running Wireshark with restricted privileges on the packet capture dump file.
  12. 12. [FIGURE 1.13: Stop Wireshark packet capture]

     16. Go to File from menu bar, and select Save. [FIGURE 1.14: Save the captured packets]
     17. Enter the File name, and click Save.

     Note: The latest version is faster and contains a lot of new features like APR (ARP Poison Routing), which enables sniffing on switched LANs and man-in-the-middle attacks.
  13. 13. [FIGURE 1.15: Save the captured packet file]

     Lab Analysis: Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

     PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

     Wireshark: Used Adapter: AirPcap USB wireless capture adapter nr.00. Result: Number of sniffed packets captured by Wireshark in network, which include: Packet Number, Time, Source, Destination, Protocol, and Info.
  14. 14. Questions:

     1. Evaluate and determine the number of wireless cards supported by the wireless scanner.
     2. Analyze and evaluate how AirPcap adapters operate.

     Checkbox fields: Yes / No; Platform Supported: Classroom / iLabs.
  15. 15. Cracking a WEP Network with Aircrack-ng for Windows

     Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that recovers keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.

     Lab Scenario: Network administrators can take steps to help protect their wireless network from outside threats and attacks. Most hackers will post details of any loops or exploits online, and if they find a security hole, they will come in droves to test your wireless network with it. WEP is used for wireless networks. Always change your SSID from the default before you actually connect the wireless router for the access point. If an SSID broadcast is not disabled on an access point, a DHCP server should not be used to automatically assign IP addresses to wireless clients, because war driving tools can easily detect your internal IP addressing if the SSID broadcasts are enabled and DHCP is being used.

     As an ethical hacker and penetration tester of an organization, your IT director will assign you the task of testing wireless security, exploiting the flaws in WEP, and cracking the keys present in WEP of an organization. In this lab we discuss how WPA keys are cracked using standard attacks such as KoreK attacks and PTW attacks.

     Lab Objectives: The objective of this lab is to protect the wireless network from attackers. In this lab, you will learn how to:
     • Crack WEP using various tools
     • Capture network traffic
     • Analyze and detect wireless traffic
  16. 16. Lab Environment: To execute the lab, you need: Aircrack-ng located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\WEP-WPA Cracking Tools\Aircrack-ng\bin. This tool requires Administrative privileges to run. A client connected to a wireless access point. This lab requires an AirPcap adapter installed on your machine. If you don't have this adapter, please do not proceed with the lab. Lab Duration: Time: 20 Minutes. Overview of Aircrack-ng: A wireless network refers to any type of computer network that is wireless, and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves, such as radio waves, for the carrier, and this implementation usually takes place at the physical level or layer of the network. Lab Task (Task 1: Cracking a WEP Network): 1. Launch Aircrack-ng GUI from D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap\bin by double-clicking Aircrack-ng GUI.exe. 2. Click the Airodump-ng tab. FIGURE 2.1: Airodump-ng window. Note: Visit the Backtrack home site http://www.backtrack-linux.org for a complete list of compatible Wi-Fi adapters. Note: Aireplay filter options: -b bssid: MAC address, access point. Note: To start wlan0 in monitor mode type: airmon-ng start wlan0. To stop wlan0 type: airmon-ng stop wlan0.
  17. 17. 3. Click Launch. This will show the airodump window. FIGURE 2.2: Airodump-ng selecting adapter window. 4. Type the AirPcap adapter index number as 0 and select all channels by typing 11. Press Enter. FIGURE 2.3: Airodump-ng selecting adapter window. 5. It will prompt you for a file name. Enter Capture and press Enter. Note: To confirm that the card is in monitor mode, run the command "iwconfig". You can then confirm the mode is "monitor" and the interface name. Note: Aircrack-ng option: -b bssid (long version --bssid). Select the target network based on the access point's MAC address. Note: For cracking WPA/WPA2 pre-shared keys, only a dictionary method is used. SSE2 support is included to dramatically speed up WPA/WPA2 key processing.
  18. 18. FIGURE 2.4: Airodump-ng selecting adapter window. 6. Type y in Only write WEP IVs. Press Enter. FIGURE 2.5: Airodump-ng dumping the captured packets window. 7. After pressing y it will display Wi-Fi traffic; leave it running for a few minutes. 8. Allow airodump-ng to capture a large number of packets (above 2,000,000). Note: When Aircrack-ng completes determining the key, it is presented to you in hexadecimal format, such as KEY FOUND! [BF:53:9E:DB:37]. Note: Airodump option: -f <msecs>: Time in ms between hopping channels. Note: Aireplay filter option: -d dmac: MAC address, Destination.
  19. 19. FIGURE 2.6: Airodump-ng Channel listing window. 9. Now close the window. 10. Go to Aircrack-ng and click Advanced Options. FIGURE 2.7: Aircrack-ng options window. 11. Click Choose and select the filename capture.ivs. Note: This is a different file from the one you recorded; this file contains precaptured IVS keys. The path is D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap. Note: airmon-ng is a bash script designed to turn wireless cards into monitor mode. It auto-detects which card you have and runs the right commands. Note: Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vector) for the intent of using them with aircrack-ng.
  20. 20. Note: To save time capturing the packets, for your reference, the capture.ivs file (this capture.ivs file contains more than 200000 packets) is at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap. 12. After selecting the file, click Launch. FIGURE 2.8: Aircrack-ng launch window. 13. If you have enough captured packets, you will be able to crack the packets. 14. Select your target network from BSSID and press Enter. FIGURE 2.9: Select target network. Note: To put your wireless card into monitor mode: airmon-ng start rausb0. Note: You may use this key without the ":" in your wireless client connection prompt and specify that the key is in hexadecimal format to connect to the wireless network.
  21. 21. FIGURE 2.10: aircrack-ng with WEP crack key. Note: Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng. Lab Analysis: Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate. PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB. Tool/Utility: Aircrack-ng. Information Collected/Objectives Achieved: Number of packets captured: 224385; Cracked wireless adaptor name: NETGEAR; Output: Decrypted key BF:53:9E:DB:37. Questions 1. Analyze and evaluate how aircrack-ng operates. 2. Does the aircrack-ng suite support the AirPcap adapter?
  22. 22. Internet Connection Required: ☐ Yes ☑ No. Platform Supported: ☑ Classroom ☑ iLabs
  23. 23. Sniffing the Network Using the OmniPeek Network Analyzer. OmniPeek is a standalone network analysis tool used to solve network problems. Lab Scenario: Packet sniffing is a form of wire-tapping applied to computer networks. It came into vogue with Ethernet; this means that traffic on a segment passes by all hosts attached to that segment. Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone's traffic. Most of the hubs/switches allow the intruder to sniff remotely using SNMP, which has weak authentication. Using POP, IMAP, HTTP Basic, and telnet authentication, an intruder reads the password off the wire in cleartext. To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. OmniPeek network analysis performs deep packet inspection, network forensics, troubleshooting, and packet and protocol analysis of wired and wireless networks. In this lab we discuss wireless packet analysis of captured packets. Lab Objectives: The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits. Lab Environment: In this lab, you need: Advanced OmniPeek Network Analyzer located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\Wi-Fi Packet Sniffer\OmniPeek Network Analyzer. You can also download the latest version of OmniPeek Network Analyzer from the link http://www.wildpackets.com
  24. 24. If you decide to download the latest version, then screenshots shown in the lab might differ. Run this tool in Windows Server 2008. A web browser and Microsoft .NET Framework 2.0 or later. Double-click OmniPeek682demo.exe and follow the wizard-driven installation steps to install OmniPeek. Administrative privileges to run tools. Lab Duration: Time: 20 Minutes. OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of each and every part of the network from a single interface, which includes Ethernet, Gigabit, 10 Gigabit, VoIP, Video to remote offices, and 802.11 a/b/g/n. Lab Tasks (Task 1: Analyzing WEP Packets): 1. Launch OmniPeek by selecting Start → All Programs → Wildpackets Omni packets Demo. 2. Click View sample files. FIGURE 3.1: Omnipeek main window. 3. Select WEP.pkt. Note: You can download OmniPeek Network Analyzer from http://www.wildpackets.com.
  25. 25. FIGURE 3.2: Omnipeek Sample Files Window. 4. It will open WEP.pkt in the window. Select Packets from the left pane. FIGURE 3.3: TELNET-UnWEP packets Window. 5. Double-click any of the packets in the right pane. Note: OmniPeek gives network engineers real-time visibility and Expert Analysis into every part of the network from a single interface, including Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless, VoIP, and Video to remote offices.
  26. 26. FIGURE 3.4: TELNET-UnWEP packets analyzer. 6. Click the right arrow to view the next packet. FIGURE 3.5: TELNET-UnWEP packets frame window. 7. Close the tab from the top and select different options from the right pane; click Graphs. Note: comprehensive network performance management and monitoring of entire enterprise networks, including network segments at remote offices. Note: OmniPeek Connect manages an organization's Omnipliance and TimeLine network recorders, and provides all the console capabilities of OmniPeek Enterprise with the exception of local capture and VoIP call playback.
  27. 27. FIGURE 3.6: WEP Graph window. 8. Now traverse through all the options in the left pane of the window. Lab Analysis: Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate. PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB. Tool/Utility; Information Collected/Objectives Achieved: Packet Information: Packet Number, Flags, Status, Packet Length, Timestamp, Data Rate, Channel, Note: OmniPeek Enterprise also provides advanced Voice and Video over IP functionality including signaling and media analyses of voice and video, VoIP playback, voice and video Expert Analysis, Visual Expert, and
  28. 28. Signal dBm, Noise Level, Noise dBm, 802.11 MAC Header Details. Questions 1. Analyze and evaluate the list of captured packets. Internet Connection Required: ☑ Yes. Platform Supported: ☑ Classroom
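The 802.11 MAC header details and WEP packets examined in the OmniPeek lab can also be checked in code when auditing a capture for networks that still rely on WEP. The following Python is an added example, not part of the lab manual or of OmniPeek; the frames, MAC addresses and function names are constructed for illustration, and frames are assumed to be raw 802.11 with no radiotap header, FCS or HT Control field.

```python
from collections import defaultdict

TO_DS, FROM_DS, PROTECTED = 0x01, 0x02, 0x40   # flag bits in Frame Control byte 2
EXT_IV = 0x20   # set in the key-ID octet by TKIP/CCMP, clear for WEP

def classify_frame(frame):
    """Return BSSID and protection type for a data frame, or None otherwise.

    Assumption: raw 802.11 frame, no radiotap header, no FCS, no HT Control.
    """
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 2:   # type 2 = data
        return None
    subtype, flags = frame[0] >> 4, frame[1]
    hdr_len = 24
    ds = flags & (TO_DS | FROM_DS)
    if ds == TO_DS:
        bssid = frame[4:10]           # Address 1
    elif ds == FROM_DS:
        bssid = frame[10:16]          # Address 2
    elif ds == 0:
        bssid = frame[16:22]          # Address 3
    else:
        bssid, hdr_len = None, 30     # four-address (WDS) frame
    if subtype & 0x8:
        hdr_len += 2                  # QoS Control field
    info = {"bssid": ":".join(f"{b:02x}" for b in bssid) if bssid else None,
            "protection": "none"}
    if flags & PROTECTED:
        if len(frame) < hdr_len + 4:
            info["protection"] = "truncated"
        elif frame[hdr_len + 3] & EXT_IV:
            info["protection"] = "tkip-or-ccmp"
        else:                         # 3-byte IV followed by the key-ID octet
            info.update(protection="wep", iv=frame[hdr_len:hdr_len + 3].hex(),
                        key_id=frame[hdr_len + 3] >> 6)
    return info

def wep_report(frames):
    """Map each BSSID seen using WEP to its frame count and distinct IV count."""
    seen = defaultdict(list)
    for frame in frames:
        info = classify_frame(frame)
        if info and info["protection"] == "wep":
            seen[info["bssid"]].append(info["iv"])
    return {b: {"frames": len(v), "distinct_ivs": len(set(v))} for b, v in seen.items()}

def build(fc0, flags, a1, a2, a3, body):
    """Assemble a constructed test frame (duration and sequence control zeroed)."""
    qos = b"\x00\x00" if fc0 & 0x8C == 0x88 else b""
    return bytes([fc0, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + qos + body

# Constructed sample data: locally administered MAC addresses, dummy payloads.
AP_WEP, AP_WPA, AP_OPEN, STA = (bytes.fromhex("0200000000" + x) for x in ("01", "02", "03", "aa"))
SAMPLE_FRAMES = [
    build(0x08, 0x42, STA, AP_WEP, AP_WEP, bytes.fromhex("01020300") + b"\xde\xad\xbe\xef"),
    build(0x08, 0x41, AP_WEP, STA, AP_WEP, bytes.fromhex("01020400") + b"\xca\xfe\xba\xbe"),
    build(0x88, 0x42, STA, AP_WPA, AP_WPA, bytes.fromhex("0100002000000000") + b"\x00" * 8),
    build(0x08, 0x02, STA, AP_OPEN, AP_OPEN, b"cleartext"),
    build(0x80, 0x00, b"\xff" * 6, AP_WEP, AP_WEP, b"\x00" * 12),   # beacon, ignored
]

if __name__ == "__main__":
    print(wep_report(SAMPLE_FRAMES))
```

Any BSSID that appears in the report is still sending WEP-protected data frames and is a candidate for migration to WPA2 or later.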
