Wireless Security Testing Section Two Tutorial

12.1 WEP Attacks

During the next few sessions of this entire chapter on WEP. We're going to look at WEP attacks. Now WEP is still used out there out in the real world even though we as security professionals discourage it. A lot of companies, organizations, and even small homes and office setups. Use WEP because of backwards compatibility issues with older software operating systems, and even older wireless cards. So we still see it out there, and some people use it because they simply don't know any better. Now WEP can be attacked, because it has a weak 24 bit initialization vector. And this is sent out periodically over the network between clients and access points. And the key, pardon the pun, is to collect as many weak IVs as you possibly can, but these are going to be few and far between on the network. It's not going to be transmitted out. Every few seconds. So you can sit there for an hour and snoop the traffic and not see very many of them. Sometimes it's necessary for us as security specialists to kind of help that traffic generation process along, if you know what I mean. And we use actually two tools to do this, to help us crack WEP. We use aireplay-ng and aircrack-ng. Now aireplay-ng is used to inject frames with the goal of creating a huge amount of traffic on the wireless networks. There's different attacks we can use to do this. We have fake authentication attacks, We have deauthentication attacks, we have aireplay attacks and so forth that we'll talk about. Aircrack-ng is used to crack the keys after we have enough IV s that have been collected in a traffic capture. So we aireplay-ng that generate large traffic and we capture it using aero dump and then we use air crack to crack the keys after enough of these IVs have been captured. Now, aircrack uses several methods to attack WEP IVs. We use typical dictionary attacks, where we have a dictionary file that could be used in something like John the Ripper or something like that. We can also use rainbow tables. We also can use brute-force attacks with aircrack-ng. It will do that also. And there's a couple of other weird attacks that you can use against WEP. They are not as common out there, but they are becoming more and more used by pen testers. The PTW attack, which requires that we get a lot of ARP packets, because ARP packets can contain initialization vectors. We also have another method, called FMS or KoreK method, and it uses a kind of statistical analysis to correct WEP keys using kind of a voting method. Different parts of the key are voted upon and Typically if the part of the key has the most votes, that means it's probably more likely to be the key. Now it's not an exact science. But statistically we can actually crack WEP keys using this method. So over the next few sessions we're going to explore how to use aireplay in aircrack-ng to crack WEP. We'll look at fake authentication attacks. We'll look at de-authentication attacks. We'll look at the ARP replay attacks as well. And then after we have collected enough traffic we will go ahead and try to crack WEP keys with aircrack-ng using this captured traffic. So that's the key to WEP. So over the next few sessions that's what we're going to look at so enjoy it. [BLANK_AUDIO]

12.2 Aireplay-ng Attacks

We've discuss web attack a little bit, now let's talk about how aireplay-ng can help us attack web. Now, aireplay-ng is really the attack tool of the air crack NG suite. One is used for is to inject packets and conduct different attacks on wireless network, clients, and access point. Let's talk about what NG action is for a moment. We used NG action basically to send frames to the wireless network to increase wireless traffic or we may want to send specific types of frames to APs and clients. Now, what these frames can do us is we can send a certain frames that will close the client to deauthenticate in the associate for example. So they have to reauthenticate to the access point reassociate with it. That would enable us to capture traffic during that process, generates traffic, and in the case of WPA, it generates the four way handshake that we want to capture to help crack WPA. In the case of WEP, it can cause WEP IV traffic to be generated again. So, we want to collect as much of this traffic as possible to capture that key traffic, pardon the pun. Now, Aireplay-ng Has several types of attack that we can use and we'll talk about a few of those over the next few sessions. We have fake authentication, where we authenticate our attacking machine to the wireless access point with no prompt at all. We also had the deauthentication attack we can run with Aireplay-ng Which can deauthenticate clients from the wireless access point, so that we generate that traffic we've talked about. We also have an ARP attack, that will allow us to generate ARP pockets or ARP frames rather that will contained web IVs in the more obviously IVs that we collect to the better chances of cracking web there are. There are also fragmentation attacks and other attacks that are in there. So let's go ahead and take a quick look at our replay in G and see how it works. Okay, I've typed in Aireplay-ng so that we get the usage of it. So that we get the little help file that goes with it. And there's different options you can use for aireplay-ng to do a wide range of things. We can filter based upon the bssid, the Destination MAC, the Source address, different things that you may want to filter on when you run this attack. You can get very specific with it. For replay options we have several options as well. We can set the frame control, the access point, MAC address, the destination MAC addresses, source MAC address obviously. And we can also do fake authentication a text on here. And we would use For example, -e to set the ESSID to set the target AP and so forth. One of the things that we really need to discuss that we're going to use a lot of is the attack modes. And you really need to get familiar with these if you're going to use aireplay-ng. And you can use these by using the numbers at the end. The -0,-1, and -2 and so forth. And these are the different attacks you can use. We have the deauthentication attack which is -0, fake authentication attack -1, the interactive and ARP replay attacks, -2 and -3 respectively. But there's other attacks out there we may not use during this course because they're very specific. Like the chopchop and the caffe-latte attack. If you look at the Aircrack in G-site which is a fantastic site by the way. It describes these attacks in detail. For example the cafe-latte attack, is used to attack clients themselves to get WEP and WPA keys and it comes, it gets its name from sitting in a In a cafe for example and attacking someone who has a laptop maybe in a cafe of while you are getting a cup of coffee according to the website, interesting attack. So what I want to do now is go ahead and And run a particular example of aireplay-ng. What we want to do is run the test attack. And a test basically tests the injection capabilities of your card and the access point. So it's a -9 attack. You probably want to run it whenever you're starting a new test. So what I want to do is go aireplay dash ng and this is a dash nine attack. And we are going to do a dash e for vtc with the That's the access point we want to attack and we need it's MAC address, and we can get that from a wide variety of sources, but what I've got open here in the other tab, is airdump ng session running, and we can grab the SSID from here. The one we're looking for is this one at the top here. We know that it's running WEP and WEP. That's the VTC one. So I can copy that straight out of here. [BLANK_AUDIO] And put it in the other tab here. [BLANK_AUDIO] So we have that MAC address there. And then we specify MON0. I already have our Interface running in monitor mode. So, we get this little bit back. It tells us that injection is working. It found our AP, vtc on channel 3, and it shows us that injection is working. That's the first attack you want to run with aireplay-ng. It actually Sends out some frames to the access point to see if we can do injection on it, and we can. So that's our first positive step toward attacking the AP. So over the next couple sessions, we're going to show a little bit more about what aireplay-ng can do. In terms fake authentication, deauthentication, and so forth with goal eventually cracking web and eventually also the BPA. [BLANK_AUDIO]

12.3 Fake Authentication

Now let's discuss Fake Authentication which is a pretty good attack that aireplay-ng can run against APs that use WEP and it doesn't matter whether it's open authentication or shared. Let me remind again that open authentication means that The client can authenticate to the access point with no problems, but any data, any transmissions, are encrypted with WEP, where as with shared authentication, it actually has to authenticate with the key before being allowed to associate and send data back and forth. Either way, a fake authentication attack will help us with Cracking whip because a lot of injection attacks really need an authenticated client to the AP and we can use fake authentication, even if there are no authenticated clients already authenticated to the access point. Now once we associate with the AP, the fake authentication can do that for us, this helps us to. Carry out some injection attacks that we need to do. And some of those require an authentication and an associated client. So let's go ahead and take a look at fake authentication with aireplay-ng. [BLANK_AUDIO] Okay, we're back in Backtrack again at the terminal. And I've already put in the the command for us because it's a little bit long and involved. And what I have is aireplay-ng-1. And that's a fake authentication attack. We have the zero here for the timing. We also have -E for the ESS ID, the name of the network. And keep in mind that this has to be The way it is that you see it on the access point has to be a set case. You can't use lower letters or anything like that. It has to be the same case. We have dash A for the Mac address of the victim the access point and dash H for our own Mac address because we are trying to associate with a access point And we want to use our MAC address there. Now obviously where I got these is over here I ran a aired up session earlier. And so I was able to get the VTC MAC address here. And I could do an eye of config and get my own MAC address and just paste them in. So let's go ahead and see what this looks like. We also have to put the access The interface that we want to use as well, right here, mon0. And I already have the card in mantra mode. Okay, we sent it out and we got a frame for that BSS SSID or channel 3 for VTC, we sent the authentication request and it told us that it's an open system, we got an ACK back, we're told authentication was successful. And once we authenticate we also sent an association request in ACK. And we have an association that's successful. Now if we were to do something like an airodump Let's switch over to our other tab here. And let's switch to an airodump here. Let's see if we can find ourselves associated with that particular access point. And yes we do, right here. We have VTC right here and the 00:C0:CA:69:0A:98 is our MAC on our attacking machine. So we have Successfully done a fake authentication to the BTC access point. And again we use this, not only to generate traffic, but also to help us inject packets, or inject frames later. Inject traffic into the network, things like deauthentication frames and so forth. So that's why we do that. Switch back over here to our other tab, and Occasionally, we may want to do this. It's a good idea to keep this command the way it is, maybe the text file or something so you can just paste it in there because we want to do this periodically, keep our association going. And if you change your timing you can have it do that actually. But we want to make sure that we stay associated with the wireless access point for the duration of our attack. So soon after you do this, you probably want to go ahead and do your, whatever frame injection or traffic injection you're doing, such as the deauthentication and so forth. So go ahead and do that as soon as you get this done. And obviously we're going to just re authenticate with them by doing it again before we run our other attacks. So that's how to perform a fake authentication against an access point. [BLANK_AUDIO]

12.4 Deauthentication Attacks

Another attack we're going to talk about that uses Aireplay is a deauthentication attack. Now, this is a very useful attack, because it sends deauthentication frames to both the access point and a connected client. Now, what happens is, the frames go out. And there's 128 frames all together in a burst. 60 [INAUDIBLE] go to the AP 64 go to the connect to the client it tells the AP that the client is deauthenticating ad leaving the network it tells the client that it must be deauthenticate. Now this forces obviously the client to reauthenticate because it doesn't desired to do that. When it does that this generates a lot of different Traffic. It can generate ARP traffic that may contain WEP IVs and we want to collect those to help us in the WEP key cracking process. It can also force a 4-way WPA handshake, if the wireless Wireless network is using WPA. We want to collect this WPA handshake process, so that we can use it later for WPA key cracking. So all of this traffic is collected into a traffic capture file for Further analysis and to help us crack keys. Let's go ahead and take a look at the authentication attacks and see how they work. All right, we're in our Backtrack box and in this tab of my terminal, I have arrow dump and G welling. And I want to show that we've got a connected client to the VTC wireless access point. In fact, we're focused just on that wireless access point here. And we see that we have a BSSID down here of the access point, and the station is a Windows 7 box I've got on the network. And they're connected. We've got good power. We've got some traffic here, not much though. And if we were just collecting this there wouldn't be a lot of frames to crack the WEP IV's. So what we need to do is run a de-authentication attack. So let's switch to this other tab. And I already have the command set up for you because it's a little involved. And I'll go through it with you. Aireplay-ng, obviously. -0 is the de-authentication attack. And the zero here is the timing. And if you have zero it means run it forever until you do the CTRL C thing. You could also have a number in there to specify how many bursts. Like five bursts or whatever -e is e SSID and that's a VTC here and make sure you get this right when you put in the command because if you used the wrong case such as lowercase versus uppercase since Linux and Unix are sensitive to that, you'll get an error. -a is the MAC address of the access point. And I can get that from over here copy it and paste it here and dash C is the access point of the client or the victim and again I can get that from this capture right here. I can copy and paste it and the mon zero Is the interface that we're going to be using. And I already have our wireless card put into Monitor Mode with airmon. So we're going to run the attack. And then we're going to switch over To the airdump capture and see what we get. So let's go ahead and run this. So we're sending out a lot of beacon frames. Now look what's happening over here. Notice a couple of things. First of all, the power on the AP is fluctuating like crazy because it's dealing with all these Deauthentication frames. Also notice the power of the station. The client itself has dropped to zero. Now, look over here. We're sending frames like crazy. We're generating traffic, a lot of traffic for it. So, we've got a little lost traffic and a lot of frames. Now, if we were to let this run for a while We would actually be able to collect a huge amount of traffic from it. I can tell you from personal experience, sending this type of traffic for periods of time can knock a box off the network. In fact in an earlier test of this I knocked the Windows seven box off. This particular client here. I knocked it off the network, blue screened it. So you actually can run a denial of service attack on a client using the authentication attack if you keep it up. Now we're obviously not going to do that. I'm going to go ahead Go ahead and do control c here, to stop the capture, and I'm going to do control c here to stop the deauthentication attack. Do you can see here where it says that we are sending 64 directed frames, and we're sending them both to the Access point and to the victim here. Here's the victim's address as well. And we're getting all these ACKs back. So we've sent a huge amount of deauthentication frames to both the access point and the client, and we knocked it off. Had that person sitting on that box been doing any work, they would have been knocked off the network repeatedly and had to reauthenticate, so They would have lost a lot of network connectivity at that point, and they may have noticed it because they may have not been able to go to a particular website, or they just have network traffic problems, and they wouldn't have been able to identify them easily. About the only way you can really track this attack is to have a wireless sniffer, obviously, like Airodump and Wireshark going on. And if you detected a lot of deauthentication frames, huge bursts of them, you would know that someone was attacking your network. So, that's a little bit from the defense side, obviously. So let's start deauthentication attack, and we're going to use that again In another session coming up, when we do ARP replay, we're going to force a deauthentication to force a lot of ARP traffic back and forth across the network. So that is the deauthentication attack using aireplay

12.5 ARP Replay Attacks

Now let's look at another attack using aireplay-ng. This is a very good attack because it's one of the best attacks to use to attack WEP. Now what happens to this is it forces ARP traffic to and from the client and to the access point. Now this ARP traffic, particularly ARP responses, can contain new IV's. Now, these IVs, obviously, we want to collect. And if we collect enough of them, this will enable WEP cracking. We can use Aircrack-ng to go through a traffic capture with these IVs and crack WEP. Now, the good thing about ARP replay attacks is, we can use this in conjunction with other attacks, things like fake authentication and deauthentication attacks. To increase the amount of traffic on the wire and to increase our chances of getting ARP traffic. What we want is a little bit of ARP traffic and then we will take that ARP traffic and replay it back and forth over the network. To the access point so we can Collect IV's. So what we're going to do now is use a little bit of a more complex attack. We're going to do an ARP replay attack. And we are also going to use fake authentication and deauthentication at the same time. So let's go ahead and look at ARP replay. [BLANK_AUDIO] Okay for this attack, one thing I want to do is go ahead and do a fake authentication, which I've already done once. Go ahead and do another one. And I want to come back over here I have four tabs in my terminal window here. I want to start arrow dump on channel three for the bssid that belongs to the VTC access folder and I'm going to dump this capture into an arp cap folder. So lets go ahead and start that. And we see that we have a authenticated host here and that's my Windows 7 box, by the way. I also have my fake authentication there, and you can see with the last two digits of the Mac address is 98. That's my attacking laptop here. And let's go ahead and move over to this tab. And we see the ARP attack set up. Now what we want to do is go ahead and run it. And it's going to look like this. We have aireplay-ng -3 and that designates the ARP replay attack. -b gives us the access point MAC address and -h is a MAC address from the source. And we're going to use the attacker laptop as the source. And we're going to run it on mon0. So let's go ahead and run that. Now while it's running, we're going to see some things here. And we're getting a lot of our packets here. [BLANK_AUDIO] Lot of good stuff there. And we're sending that to a capture. Now, the other thing we're going to do is come over here, and maybe go ahead and run a deauthentication attack. Just a quick one, really quick. Matter of fact, Let's change this to say five. We want it with five here. We won't run it and kill the bucks on the other end. [BLANK_AUDIO] So it gives us five quick bursts of that, that will also help us generate more ARP traffic, look at all the ARP requests we're getting back, and the axe. That is phenomenal, that is fantastic. That will help us crack WEP actually fairly quickly. So if we look over here, at the capture again We're getting a lot of frames here from the ARP request that we're playing out. And notice they're coming from our box. Now during an actual attack it would be a very good idea to probably spoof your MAC address. So that it can't be traced back to you. You may use a MAC address of another client that you've collected previously that's disappeared off the network. Or you may use just a false MAC address. You've gotta be careful though because a lot of access points can detect if there are false organizationally unique IDs The manufacturer part of the MAC address in that address. So you've got to be careful and craft a very good MAC address for that. Some IP's will drop it. But during this test we can use our own MAC address. Again, during an actual attack you'd probably want to use a spoofed address. Because we're going to, a sniffer will catch all these ARP packets. ARP frames rather being exchanged between you and the access point. So we're getting quite a few of them here. We haven't knocked this client off the network really with only the quick burst. But we did generate some ARP traffic from it. So when we look at our capture when we actually put it through aircrack, we should be able to crack WEP fairly easy with this. Again we're getting a fantastic amount of ARP requests here, so we don't actually need to get a lot of traffic on this. [BLANK_AUDIO] We don't even need to do the fake authentication again, either. We're getting so many good ones here. So that's an ARP replay attack and it has several components. Generating ARP traffic that has initialization vectors in them. Now keep in mind that all these packets will not have initialization vectors. But we hope to catch enough of them that we can use it for an attack. Aircrack-ng will take this capture file that we're putting into this file, this ARP cap file. And it will take that and try to crack WEP. And that's what we'll be doing in a later session. [BLANK_AUDIO]

12.6 Cracking WEP pt. 1

Now that we've collected a lot of traffic using various methods with aireplay-ng, we need to talk about cracking WEP. Now we crack WEP with Aircrack-ng. Aircrack-ng is used to parse traffic files, traffic captures files that we've collected using Airodump. And using various attacks with Aireplay. And it takes those capture files and it cracks WEP and WPA keys. Now it uses several methods to crack these keys, some things we've already mentioned like PTW FMS/KoreK, brute force and dictionary types of attacks. Now these can be run from several capture files at once. You can chain capture files into the commandline. So you can use multiple capture files. You can also use capture files from multiple ESSIDs and it can filter based upon the ESSID or combine them if you like. We're not going to use some of the more advanced features of aircrack-ng, I just want to show you the basics of how it works. Let's go ahead and look at a demonstration of how aircrack-ng can crack WEP using the traffic we captured previously. We're in BackTrack in a terminal window. And what we're going to do is look at two different captures. The first capture I want to show you does not have many initialization vectors to it. And it is going to fail. But I want to show you a little bit about why it fails and what you get from the results. Let's go ahead and run that really quick. And it's using the traffic capture here that only has 399 IVs. And it's using the statistical method, the core case statistical method, because the BTW primarily uses arp. And this capture didn't have a lot of arp to it, so it defaulted to that statistical method, and it's looking through here real quick and it does this by a vote. It statistically votes on what the most likely key is, or parts of the key. Now it didn't come up with anything because we had too few initialization vectors. It recommends that we at least try with at least 5,000, which we could do if we had time to collect it. So let's go ahead and get out of this and I'll show you Another method using a different file and the earlier file that we captured had all of the arc response packages in it and this is what we are going to use. So lets find it. And that's the arp capture here, the easiest way is to go dash z arp_cap-01.cap. We don't even have to have the -z in there, if you really don't want to. So let's run that and, wow, that was quick. We've got the ESSID of VTC, Encryption WEP, and that particular traffic capture had 40,928 ivs. And it found the KEY, and as you know, WEP uses HEX keys. And we can tell by the fact that it's ten hex digits that it's probably 64 bit WEP or 40 bit if you count off initialization vector. So 4D:1E:AD:EB:9F is the actual WEP key and it decrypted that. And if you really want to know what that is in plain text when I configured the VTC wireless access point. The passphrase that I use, or password, in this case, was vtc lowercase, so some systems you may have to use the WEP key itself in HEX. In other systems you may be allowed to use the particular passphrase. And it would vtc in lower case, or the key you see on screen. So that's using that huge capture file of arp frames that we previously capture. Now, you may be thinking, well the statistical tact that we just saw that failed Maybe it would work on this larger file. So we could check that and see. This particular attack, because it had a lot of ARP in it, used PTW. Because that's the default. That's really what PTW is for. Let's switch tabs and go over to a screen Well, I am using the statistical type attack on that same file. Now notice that its been running for 52 minutes and 15 seconds. That's a lot slower than what we saw the PTW attack, the point of that is the PTW attack works very well if you have ARP and because of that there's probably the better attack for WEP but you gotta have a lot of IVs obviously. In some cases it's not easy to get those IVs and ARP frames from the access points where the clients. So this is going to tick away until it probably figured it out eventually, but it's going to use a statistical method and it may take it a while and that's because it's not using the ARP frames themselves, it's looking at the raw IVs. So we'll let that continue to run. But on the other tab we saw where the PTW attack did work very well to grab the WEP key very quickly. 4D1EADEB9F is the correct WEP key. So that's a quick demonstration of how Aircrack-ng works when cracking WEP.

12.7 Cracking WEP pt. 2

So now that we've actually successfully cracked WEP, we are expert wireless security penetration testers. Now let's get back to reality for a moment. Obviously, that's not how it really goes in the really world. Now we did use the right tools, and we learned how to use them, but there's so many variations available that you have with those tools and with other tools. Another thing worth mentioning is Obviously, in a lab environment, we had a pre-staged network, with one client, one access point, one attacking machine, and we already kind of knew what to expect. For this particular lab environment, we used a 40 bit key, which is the lowest form of WEP you can use. Very easy to attack. We also made it so that we could collect as many initialization vectors as we could. We kind of made it easy to collect ARP. And we used the PTW attack, which is the best attack to use in that scenario. So we kind of had an ideal scenario going there that made it easy for learning purposes. In the real world, it may not be that easy. Obviously cracking WEP is not the hardest thing to do in the world, and we always see these different reports on the internet and on YouTube and things about people who can crack WEP in under 30 seconds. Well, it's doable, as you can see, but it's not always Is that easy on the surface. Sometimes you'll have other considerations. There might be different lengths of keys. There might be not enough clients. There may be no clients associated with an access point, and so forth. So Take it for what it's worth. You know how to do it now, but it's not always as easy as what we did. Now there are some other attacks that we could of run, and I would highly encourage you to check these out. And you can run most of these with aireplay-ng, and there are some other tools out there as well that you can use. We have the ChopChop attack, an interactive packet replay attack, and we also have client fragment attacks. And these are all available in aireplay-ng among others, with a lot of different options and things you can do. And you would use these in different scenarios. Now one thing I'll tell you is the aircrack-ng site is fantastic. I've used it for a number of years and I research things on there all the time when I'm cracking wireless networks, penetration testing, and so forth. And it's a fantastic site. In fact, a lot of the research I did in the months preceding this course was to read just about everything on the site. And actually try a lot of the examples they gave and that's what I want to encourage you to do. It's a fantastic site and you'll learn about these advanced attacks that we didn't have time to talk about and some variations on some of the things we talked about as well. So I would highly encourage you to look at the aircrack-ng site. And absorb all the information you can from it. Now some of the considerations I mentioned that we didn't have to deal with here in the lab environment is the length of key. We used a 40 bit key, which is really 64 bits minus the 24 bit initialization vector. And we could've used the 128 bit key. Which is really 104-bits, and that would be a serious consideration for time, because it may take a lot more time to crack 128-bit key. Another thing that we didn't really take into account is, we used open authentication. Shared authentication on the other hand can make for longer cracking and it may require the use of different attack techniques, like some of the ones we mentioned. So obviously, there's more to cracking WEP than what we did here. We've just given you the basic fundamentals to understand it. And understand how the tools work so you can branch out on your own and learn more. In the end you probably going to be have require a lot more IV For some of these types of attacks which requires more traffic, maybe more ARP frames. So you may have to use different attack techniques and you may have to use them over and over again to get traffic generated in order to crack WEP. And you may not be successful with your first couple of times of doing this. You also may require brute force or dictionary cracking with aricrack-ng If you don't get enough ARP traffic. And you can use dictionary files, obviously, like the type that are contained on backtrack, in the John the Ripper directory, or you can provide your own dictionary files. And you would use a -W. With aircrack in order to pick up a certain dictionary file. Now the ARP response replay that we did use and that uses the PTW method of attack that is probably the most effective against WEP most of the time. But again assumes perfect condition assumes you can get enough ARP responses. And that the IVs are in there. Okay, so, if you can use it, great, if you can't, you may have to use the statistical method and you may have to resort to dictionary cracking. In the end, the most effectiveness of your attack depends on the type of the attack that you run against. The wireless network and what kind of initial possession vectors you get. How many do you get? How many frames are in there, in that capture? The bigger the capture, the more the IVs, the better. That's what really increases your chances of cracking WEP. So keep that in mind and obviously don't lose hope. Understand that you've learned a lot during this part of the course, but take it for learning more. Use it to inspire it to learn more about cracking WEP, and when we talk about WPA, you'll understand that it's not all that difficult to do WPA as well. We used a lot of the same techniques when we cracked WPA. That we used when we cracked WEP. So obviously, we're going to move on into WPA now, and let's look forward to it.

  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.

Request more information

For individuals
For business
Phone Number*
Your Message (Optional)
We are looking into your query.
Our consultants will get in touch with you soon.

A Simplilearn representative will get back to you in one business day.

First Name*
Last Name*
Work Email*
Phone Number*
Job Title*