Wireless Security Testing Section Three Tutorial

13.1 WPA Attacks

Now that we've talked about cracking WEP, let's talk about some of the WPA/WPA2 attacks we can use and how to crack those keys. With a few exceptions, WPA and WPA2 use similar methods to generate traffic and to collect those traffic captures. We don't always use the same attack methods, although one or two are similar. One big difference is that we are not looking for IVs in the traffic capture. We're looking for the WPA handshake that takes place when a client authenticates with an access point. We only need one of these handshakes recorded in a traffic capture, but sometimes they can be hard to get, and sometimes you don't get a good one.

Again, other than some of the attack methods, really the biggest difference we see between cracking WEP and cracking WPA keys is the method used by aircrack-ng. We don't use the same statistical method that we use to crack WEP; we actually use dictionary and brute-force attacks. Those are pretty much the only effective ways to crack WPA and WPA2 using aircrack-ng. Obviously the effectiveness of the attack depends on the quality of the dictionary we have: if we have a huge dictionary with a lot of different combinations in it, then our likelihood of cracking the WPA key is increased. We also need a capture of a valid handshake. Sometimes you don't get a valid one; you might get a corrupt one, or one that wasn't complete, or something else happened to it. But we need a valid handshake in order for this to work. For the cracking part, for WPA and WPA2 we can use aircrack-ng, or we can use a password cracking program like John the Ripper or some other program that's designed to do that. There are other attacks that exist to crack WPA that we're really not going to cover. We're going to cover one really basic attack just to show you how it works, but there are plenty of them out there, and which one you use depends on several factors.

Note that aircrack-ng, and other similar attacks that we can use against WPA, can only crack pre-shared key authentication. That pre-shared key is really what we're after; it's what we hope to get during the handshake process and what we hope to capture. If we get that captured in a traffic capture file, then we can go ahead and run aircrack-ng on it and possibly crack it. It's not always possible to crack WPA and WPA2, because of limitations in time, in your dictionary file, and the possibility that you didn't get a good handshake. But we're going to show you one here in a moment that will show you how easy it is to do.

13.2 Cracking WPA pt. 1

During part one of cracking WPA, what we're going to do is collect a WPA handshake in a traffic capture. We've done this before throughout the course: we've captured traffic, and we've attacked the connection between the client and the access point to generate more traffic. We're going to use a deauthentication attack during this demonstration, and that's similar to the attack we used to crack WEP, to get IVs generated. So we'll use the deauthentication attack, and that will help the process along, because sometimes it takes a while to get a valid handshake with WPA. Using this deauthentication attack can help us generate traffic and cause a reauthentication from the client to the access point, and we can hopefully capture that during the process.

So let's go ahead and take a look at capturing a WPA handshake. We're in BackTrack and I have three tabs running in a terminal. In the first tab I've already put the wireless card into monitor mode on channel 3, the channel that we know the VTC wireless access point is running on, and I've already started a traffic capture on it. Notice right here that it's running WPA with TKIP, and when it uses TKIP, that pretty much tells us that it's going to be WPA1, the basic version of WPA. So we're going to go ahead and capture this traffic for a little bit. The next thing I want to do is switch over to another tab, where I already have a deauthentication attack set up and ready to go. We're using aireplay-ng, obviously, and the -0 is the deauthentication attack. We're going to send five bursts of deauthentication frames to the VTC access point. That is the MAC address of the access point, and that is the MAC address of the client. Remember how this works: we send 64 frames to each one of them, telling both of them that the client has deauthenticated. So let's go ahead and run this attack. We can see a burst go out. Let's see if we've got a valid WPA handshake. There it is, we got one.

And that's what we wanted to see right there. Notice we didn't have that earlier on in the traffic capture. So in a minute we'll stop this traffic capture, and we'll go ahead and analyze it using aircrack-ng, and we'll see what we come up with.

13.3 Cracking WPA pt. 2

During part two of cracking WPA, we are going to demonstrate how to crack a WPA passphrase, given the WPA handshake we captured in the previous session. We got one, and hopefully that's all we need; hopefully it will be a good one and not a corrupt one. All we had to do was deauthenticate the client from the access point, running a deauthentication attack using aireplay-ng. So now what we're going to do is use aircrack-ng to try to crack the passphrase. Once again, most of the attacks we use to crack a WEP key will not work here. We have to use a dictionary or a brute-force attack. In this case we're using a dictionary attack: we'll set up aircrack-ng and point it to a word list. We have to use the -w option with aircrack-ng so that it will reference a word list. This could be a word list that you've created yourself or downloaded off the internet, or you could use the word list that comes with something like John the Ripper, which is what we're going to do. John the Ripper does come with BackTrack. One thing I have done, I will tell you up front, is I've cheated a little: I put the WPA key into the word list, so it is in there. So, assuming the handshake is good and we got a valid handshake, we'll be able to crack that WPA key and figure out what it was.

So let's go ahead and take a look at that now. I already have our aircrack-ng command line set up. We have aircrack-ng with -w, and -w means use a word list, meaning that you're going to do dictionary cracking. I'm picking out the word list that John the Ripper uses, password.lst. I also have to point it to the capture file that we collected our handshake in. So we have the handshake capture there; let's see if we are able to crack the WPA passphrase using the four-way handshake that we've captured. Let's go ahead and run the command and see what we get.

That was quick and easy; it actually worked fairly well, and again, to be upfront, I cheated a little bit. The key found is "wireless", which was the WPA key I used when I changed the VTC access point from WEP to WPA. It found the key based on the four-way handshake, and this word was in the dictionary file; it was the dictionary file that had that one word in it. Now, had the word been more complicated or not in the dictionary file, it would not have found it. Had it been more complicated, it may not have found it as fast. And had the dictionary file been huge, it may not have found it as fast. But again, this was just a simple demonstration of how easy it is to crack WPA and WPA2 keys. In the real world, obviously, this would take a lot longer, so we've kind of compressed this for time. It was fairly quick here, but you will probably have to have a larger dictionary when you do this for real, and it may run for a while. Obviously, if people are using very simple keys like "wireless", it's going to go very quickly. If they're using keys that are complex in length and character structure and so forth, you may not get this back very quickly. It may run for a little while, and that's okay. This is just a simple demonstration of how to crack WPA keys using aircrack-ng and, before that, aireplay-ng to conduct the deauthentication attack on the client and the wireless access point.

13.4 Rogue APs

During this part of the course I'd like to talk about rogue access points for a moment. Rogue access points can be very useful to us as wireless hackers. What we may do is set up a rogue access point, maybe one that's pretty close to where the actual one is, though hidden away a little bit. We may even try to get one that's the same model and very similar to it. What we would do is fire this rogue access point up, an actual physical access point, and try to get clients to connect to it instead of the actual one. That does a couple of things for us. First of all, if we have it set up right, clients may actually connect to it, assuming we know the WPA or WEP key in advance. If they connect, we can actually get data from their systems by having them connect and then using other attacks to go into their systems and grab sensitive data. The other thing we could do, even if we didn't have it set up properly, is cause a denial of service: they would try to connect, and they can't connect because it's not set up the way their wireless access point is, and they may keep trying to do this and never connect to the right wireless access point. This works especially if we boost the power up a little bit, more so than their wireless access point, so it looks like a stronger signal and they may try to connect to it. We also may name it similarly, so that it looks like just another access point in their network. So we can use this for denial of service, or to get them to connect and get data off their machines.

We can use real access points, like I mentioned, something very similar to the access point you're trying to fake. There can also be a fake access point, which is basically a software access point broadcast out from your attacking laptop, or attacking machine rather, that can be created with aireplay-ng. It can create the appearance of fake access points. We talked earlier about a tool called Fake AP that does this as well. It's an older tool, but it's really easy to spot because it only does 802.11b types of wireless networks, whereas aireplay-ng can be used to create fake APs that look, on the surface, just like a regular AP. We can have it mask the SSID. It can duplicate an SSID. It can appear to be doing WEP, and WPA, and so forth. So it actually is a pretty cool thing to do if you can set it up and get it running. What I want to do is create a fake AP, and we're going to use aireplay-ng, but I am going to use the graphical interface that we looked at earlier in the course, just to satisfy all the folks out there that love GUIs. So I'll use the GUI for a moment and show you how easy it is.

Let's go ahead and look at creating a fake AP. I'm in BackTrack here, and I have the Gerix Wifi Cracker, which is basically the GUI for the aircrack-ng suite. First I'm going to do a configuration here. If you've used it previously, you want to clean the old session files out. You might want to reload your wireless interfaces; I already have mine in monitor mode, so I don't have to enable or disable monitor mode. So I'll select the interface I want to use, scroll down a little bit, and rescan the networks. That will tell me what networks I actually have out there. We'll give it a moment. So we have a variety of networks out there, and if we want to duplicate one, I might want to duplicate the VTC one. Now, obviously it would be a better idea to use the same ESSID, but I could also use something like VTC-2 or VTC-guest, and that might fool someone who normally uses that network into trying to use that particular access point. So let's go to Fake AP here; I'm going to call it VTC2, and I'm going to put it on the same channel as the other access point, channel 3.

I want to emulate WPA2. I'm not going to put a key in here, and I think I want to have it emulate CCMP, because that's standard WPA2. I don't think I'm going to set any other options; we could go into ad hoc mode, or hidden SSID, or disable broadcast probes, but we're not going to do any of that. Let's go ahead and just start it. We see that it started up here. Now what I want to do is switch over to airodump-ng, run a capture, and see what I get. It's scrolling off the screen a little bit, so I'm going to move the screen over just a touch, and there we go. We have another access point up that appears to be WPA2, CCMP, pre-shared key authentication, and it's VTC-2. From the client side, if I saw this, I might be tempted to try to connect to it. Obviously I wouldn't get any good connection, but it would be enough to irritate me a lot and possibly have me start calling the help desk because I couldn't get connected. So it would be a kind of denial of service, and you could figure out all kinds of creative ways to use this if you wanted to, if you're really trying to social engineer a particular user, something like that. Usually it's probably more successful to use a physical rogue access point and conduct an evil twin attack or something like that, where you actually use the physical access point to appear to be a valid access point on the user's wireless network. But that's creating a fake AP using aireplay-ng, and we actually looked at it in the Gerix WiFi Cracker GUI here. So it's a really good little tool for those of you who love GUIs. So that is a fake AP.

13.5 Detecting Rogue APs

Now that we've talked about rogue access points, what they're used for and how you can set one up, let's talk about how you as a security professional would detect rogue access points or fake APs that show up on your network. There's a wide variety of security testing tools, both hardware and software, that you might use to look for these rogue access points. A couple of things you might look for include unusual SSIDs, of course, or SSIDs that closely match yours. For example, if you have the SSID vtc on your access point, and you see another one called vtc-guest, and you don't have a guest access point, then that might be something you want to be concerned about. Something else you might think about is to look for access points in your network that don't belong. That seems obvious, but let me give you an example. Let's say you were looking at your wireless access points, and one of them was transmitting at a very high power, and you did not recognize the SSID. A high-power one that appeared very close by might be of concern to you, because that means it's near, and it might be trying to cause interference with your wireless access points, or it's a rogue one that someone stood up. If it's a very, very low-power or very faint signal, there's a possibility that it's just a valid access point that's some distance away and you're just picking up peripheral signals from it. But if you see one with high power transmitting in your area where it shouldn't be, I would look at that one. Another thing you can do is capture traffic. Some things you would probably want to look for in your traffic captures are indications of some of the attacks that we've been running. Look for deauthentication attacks, for example, or fake authentication requests. If you see a lot of deauthentications, that could indicate that someone is trying to attack your network.

You could also look at several other things in the traffic capture, obviously SSIDs and so forth, and see if your clients are trying to connect to those SSIDs. Another thing you might want to do is compare the list of authorized MAC addresses with a list of currently connected clients; this will tell you whether the clients that are connected are supposed to be connected to you. If there are unauthorized clients, that could indicate that you have someone who's trying to connect to your wireless network, and they could obviously be trying to infiltrate your wireless network. The other thing you might want to do is check with your particular clients and find out which access points they are connected to, because they could be connected to a rogue one. One thing also you might want to look for in your traffic capture is excessive traffic from a particular client or access point; that may indicate something funny going on, like an attempt to join the network or an attempt to deauthenticate a client, and so forth. You might also look at MAC addresses: if you do a capture of traffic, look at the MAC addresses and compare them with the known MAC addresses of your wireless access points. If you come up with one that's different, then that might be an indication that you have a rogue access point on your network that shouldn't be there. You should record the wireless access points' MAC addresses before you set them up. You might also think about using wireless intrusion detection devices or software, called WIDS, that can help you detect authorized and unauthorized clients and APs on the network. It will basically tell you which ones are authorized and which ones are not. So it's kind of a special-purpose type of device or software that's specifically used to detect rogue access points and wireless intrusions. The big thing you really need to do to help prevent rogue access points is maintain strict policies on connecting to the network and enforce those on clients.

If those are enforced on clients, then you will cut down on your worry about them connecting to a rogue wireless access point, because they're only going to connect to you. Maintain that policy both in writing and from a technical perspective on the different clients. So that's how you would detect and/or prevent rogue access points on your network.
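One way to automate the checks just described (a baseline of access point MAC addresses, lookalike SSIDs, unexpectedly strong signals, connected clients that aren't on the authorized list, and deauthentication floods in a capture), as an added example that is not part of the course or of the aircrack-ng suite: the MAC addresses, SSIDs, signal levels and frame records below are constructed stand-ins for what an airodump-ng scan or a tshark-parsed capture would give you, and the two thresholds are assumptions a site would tune to its own environment.

```python
"""Rogue-AP and deauth-flood triage over airodump-ng/tshark-style records.

Added example for this course section; it is not part of the course or of
aircrack-ng.  All MAC addresses, SSIDs, signal levels and frame records are
constructed placeholders, and the thresholds are assumptions a site would tune.
"""
from collections import Counter

# Baseline recorded before the APs were deployed (constructed values).
AUTHORIZED_APS = {"00:11:22:33:44:55": "vtc"}          # BSSID -> ESSID
AUTHORIZED_CLIENTS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}

# What a scan saw: (BSSID, ESSID, channel, signal in dBm); constructed.
OBSERVED_APS = [
    ("00:11:22:33:44:55", "vtc", 3, -45),
    ("aa:bb:cc:dd:ee:01", "vtc-guest", 3, -30),   # we have no guest AP
    ("aa:bb:cc:dd:ee:02", "CoffeeShop", 6, -85),  # faint, probably a neighbour
    ("aa:bb:cc:dd:ee:03", "VTC2", 3, -28),        # lookalike, strong, our channel
]
# Client -> BSSID associations seen in the same capture (constructed).
OBSERVED_ASSOCIATIONS = {
    "02:00:00:00:00:01": "00:11:22:33:44:55",
    "02:00:00:00:00:02": "aa:bb:cc:dd:ee:03",   # our client parked on a lookalike AP
    "02:00:00:00:00:99": "00:11:22:33:44:55",   # unknown client on our AP
}
# Management frames as (subtype, source, destination); constructed sample
# containing a burst of deauthentication frames spoofed from our AP's address.
FRAMES = (
    [("deauth", "00:11:22:33:44:55", "02:00:00:00:00:01")] * 64
    + [("beacon", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff")] * 5
    + [("deauth", "aa:bb:cc:dd:ee:02", "02:00:00:00:00:42")] * 2
)

STRONG_SIGNAL_DBM = -40   # assumed: stronger than our own APs normally read from here
DEAUTH_THRESHOLD = 10     # assumed: more deauths than ordinary roaming produces


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-typo SSIDs such as vtc1 or vcc."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_ssid(ssid, authorized_ssids):
    """True if ssid imitates an authorized SSID (same name, a suffix, or a near-typo)."""
    s = ssid.lower()
    for auth in authorized_ssids:
        a = auth.lower()
        if s == a or s.startswith(a) or edit_distance(s, a) <= 2:
            return True
    return False


def find_rogue_aps(observed, authorized=AUTHORIZED_APS):
    """Return {bssid: [reasons]} for every AP whose BSSID is not in the baseline."""
    findings = {}
    for bssid, ssid, _channel, signal in observed:
        if bssid in authorized:
            continue
        reasons = ["unknown BSSID"]
        if lookalike_ssid(ssid, authorized.values()):
            reasons.append("SSID imitates ours")
        if signal >= STRONG_SIGNAL_DBM:
            reasons.append("strong signal, likely on site")
        findings[bssid] = reasons
    return findings


def find_unauthorized_clients(associations, authorized=AUTHORIZED_CLIENTS,
                              authorized_aps=AUTHORIZED_APS):
    """(unknown clients on our APs, our clients associated with foreign APs)."""
    unknown_clients = sorted(c for c, ap in associations.items()
                             if ap in authorized_aps and c not in authorized)
    misdirected = sorted(c for c, ap in associations.items()
                         if c in authorized and ap not in authorized_aps)
    return unknown_clients, misdirected


def deauth_sources(frames, threshold=DEAUTH_THRESHOLD):
    """Count deauth/disassoc frames per source address; a flood is an attack indicator."""
    counts = Counter(src for subtype, src, _dst in frames
                     if subtype in ("deauth", "disassoc"))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for bssid, reasons in find_rogue_aps(OBSERVED_APS).items():
        print(bssid, "; ".join(reasons))
    print("unknown clients, misdirected clients:",
          find_unauthorized_clients(OBSERVED_ASSOCIATIONS))
    print("deauth flood sources:", deauth_sources(FRAMES))
```

In practice you would feed the same three functions the airodump-ng CSV output and a tshark export of the management frames; the faint CoffeeShop entry is reported only as an unknown BSSID, so a reviewer can triage it below the two strong, lookalike APs on the company's own channel.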

13.6 Attacking Past Wireless

All right, so you've attacked your first wireless network, you got the WEP and WPA keys; now what do you do? Well, from that point on you may go ahead and connect to the wired network so you can further attack the network and get data off of clients, for example. But here are some other considerations before you get that far. Keep in mind that during the course of the sessions we've been doing, we've kept it very simple so we could demonstrate basic concepts and terminology, and so you can understand how things work when cracking WEP, WPA and so forth. But there are some other considerations we really haven't talked about that you're going to have to consider when attacking a wireless network. It will not be as easy as this course made it look. There are things you will have to consider, such as MAC filtering. For example, if you're continually trying to connect, and you've got the right key, and you're being rejected, maybe MAC filtering is in place. What you might have to do then is a traffic capture to find an authorized MAC address and spoof that MAC address on your box. Obviously, you may want to wait until that client is off the network before you do this. But you may wind up doing that to get around MAC filtering. Another thing you have to look at when hacking wireless is complex passphrases. Obviously things like VTC, which was our WEP key, and the passphrase that we used for WPA, wireless, aren't complex. If people do their jobs as security administrators and actually use complex passwords that are lengthy, that have upper, lower, numbers, and special characters and so forth, then that's going to be different; that's going to slow you down cracking WPA and WPA2, for example, so that can be a consideration. Make sure you have a really good dictionary file available, and time on your hands, to do the offline cracking.

Another thing that we definitely didn't talk about, and it's a whole other subject, is if the network uses 802.1X authentication. That is very difficult to crack using the methods we have described so far. So that's a whole different subject, and you're probably going to have to do some serious in-depth investigation of the weaknesses of wireless with 802.1X in order to be able to crack that particular type of authentication. Another thing we mentioned that you may have to get around are network security devices, and I'm talking about things like firewalls, wireless intrusion detection systems, and network access controllers. These devices, if the network is designed correctly, should be sitting behind your wireless access point, so that even when authorized users connect to the wireless access point, before they're allowed onto the wireless network they have to go through these devices, which filter bad traffic, authenticate them further, and so forth. So these are things you have to think about when cracking wireless; it's not all as simple as we made it look. It really depends on how well the security administrator has done their job. Now, let's assume for a second that you can crack the wireless network. Once it's compromised, what do you do then? Well, you would move on to the clients that are connected to it and try to steal data off of them. And obviously this is for a penetration test; I'm not talking about doing this for illegal, illicit, or unethical purposes, so keep that in mind as well. But when testing a network that you're authorized to test, you would move on to the clients to see if you can get data off of them or compromise their credentials further. You also might move your way into the wired network beyond security devices and so forth. You would use a variety of techniques to access systems, data and resources on things like servers and clients.

Obviously we haven't scratched the surface of penetration testing during this course; we've really been focused on wireless penetration testing. The topic of penetration testing, even on wired networks, is a whole other ball of wax, something you're really going to have to practice and be good at, and understand how network attacks, database attacks, web-based attacks and so forth work. Have a good understanding, though, of general network attacks and how to attack something like a switch or a router or a firewall, because that's probably going to move you further into the wired network. As I said, we use a variety of tools, and one of the tools that's really great for pen testing, period, beyond wireless, is of course BackTrack 5. It's the pen tester's toolkit of choice. So beyond this course, take the time to learn how BackTrack works and the different tools that are available on it. There are courses out there you can take, or you can just do some self-study, set up a test lab, and use BackTrack to penetrate that test network. Some steps we traditionally see in penetration testing include reconnaissance, where we scan a network to determine what's on it. We also might footprint and enumerate the network to determine what kinds of ports, protocols and services the network devices and clients are running. We'd then do vulnerability analysis to see what kinds of vulnerabilities those particular clients have, for example vulnerable web servers, vulnerable database servers, and so forth. Then we might go ahead and develop attacks for those vulnerabilities, and actually attempt to exploit them. One of our goals may be to gain access to clients and servers to get further into the network or to get data. Other steps we might take when we're attacking a wired network from the wireless side might include elevation of privileges.

Obviously getting root is a big deal for the penetration tester. Data modification, changing data or stealing it off the box, exfiltration. Credential theft is a big one that we typically do as penetration testers, and password cracking goes along the same lines. But one big thing we try to do is avoid detection. We try to get around IDSes and other types of sensors. We try to avoid getting things logged, to avoid tripping IDSes and so forth, or people detecting that we're on their network. So these are things that, as a regular penetration tester, you would do. Again, that's beyond the scope of this course, but if you're seriously going to be into penetration testing, you're going to have to do it.
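A simple policy check for the complex-passphrase point made in this section, added here as an example that is not from the course: it enforces the 8-to-63 printable ASCII range that WPA/WPA2 pre-shared keys must satisfy, an assumed site minimum length and character-class count, and rejects anything that is a wordlist word, a wordlist word with digits or symbols tacked on the end, or that contains the SSID. The five-entry wordlist is a constructed stand-in for something like John the Ripper's password.lst, and the two policy numbers are assumptions.

```python
"""WPA/WPA2 pre-shared-key passphrase policy check.

Added example, not part of the course.  MIN_LENGTH, MIN_CLASSES and WORDLIST
are constructed placeholders for a site's own policy and a real wordlist.
"""
import string

# Tiny stand-in for a real wordlist such as password.lst (constructed).
WORDLIST = {"password", "wireless", "vtc", "letmein", "12345678"}

MIN_LENGTH = 14            # assumed site policy; 802.11i allows 8..63 characters
MIN_CLASSES = 3            # assumed: out of lower, upper, digit, symbol
TRAILING = string.digits + string.punctuation   # common "word + 2024!" mangling


def char_classes(passphrase):
    """Number of character classes present: lower, upper, digit, symbol."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(any(t(c) for c in passphrase) for t in tests)


def check_passphrase(passphrase, ssid, wordlist=WORDLIST):
    """Return the list of policy failures; an empty list means the passphrase passes."""
    # Hard requirement from the standard: 8 to 63 printable ASCII characters.
    if not (8 <= len(passphrase) <= 63) or not all(32 <= ord(c) <= 126 for c in passphrase):
        return ["not a valid WPA passphrase: 8 to 63 printable ASCII characters required"]
    failures = []
    if len(passphrase) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(passphrase) < MIN_CLASSES:
        failures.append(f"fewer than {MIN_CLASSES} character classes")
    lowered = passphrase.lower()
    if lowered in wordlist:
        failures.append("found in wordlist")
    elif lowered.rstrip(TRAILING) in wordlist:
        failures.append("wordlist word with trailing digits or symbols")
    if ssid.lower() in lowered:
        failures.append("contains the SSID")
    return failures


if __name__ == "__main__":
    for candidate in ("wireless", "Wireless2024!", "VTC-wireless-lan", "Tp4-Gq9x!kL2mW7e"):
        print(repr(candidate), check_passphrase(candidate, "vtc") or "ok")
```

The trailing-character strip is there because appending a year and an exclamation mark to a dictionary word is exactly the kind of variation a rules-based dictionary run tries first, so a policy that only counts character classes would pass it while a real wordlist attack would not be slowed down at all.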
