CEH v8 Labs Module 15: Hacking Wireless Networks

Published in: Technology, Business

  1. CEH Lab Manual: Hacking Wireless Networks, Module 15
  2. Module 15 - Hacking Wireless Networks
     Hacking Wireless Networks
     Wi-Fi is developed on IEEE 802.11 standards and is widely used in wireless communication. It provides wireless access to applications and data across a radio network.
     Lab Scenario
     Wireless network technology is becoming increasingly popular but, at the same time, it has many security issues. A wireless local area network (WLAN) allows workers to access digital resources without being tethered to their desks. However, the convenience of WLANs also introduces security concerns that do not exist in a wired world. Connecting to a network no longer requires an Ethernet cable. Instead, data packets are airborne and available to anyone with the ability to intercept and decode them. Several reports have explained weaknesses in the Wired Equivalent Privacy (WEP) algorithm used by the 802.11x standard to encrypt wireless data. To be an expert ethical hacker and penetration tester, you must have sound knowledge of wireless concepts, wireless encryption, and their related threats. As a security administrator of your company, you must protect the wireless network from hacking.
     Lab Objectives
     The objective of this lab is to protect the wireless network from attackers. In this lab, you will learn how to:
     ■ Crack WEP using various tools
     ■ Capture network traffic
     ■ Analyze and detect wireless traffic
     Lab Environment
     In the lab you will need a web browser with an Internet connection.
     ■ This lab requires the AirPcap adapter installed on your machine for all labs
     Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks
     Lab Duration
     Time: 30 Minutes
     Overview of Wireless Network
     A wireless network refers to any type of computer network that is wireless and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves such as
     Ethical Hacking and Countermeasures. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. radio waves for the carrier. The implementation usually takes place at the physical level or layer of the network.
     TASK 1: Overview
     Lab Tasks
     Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.
     Recommended labs to assist you in Wireless Networks:
     ■ WiFi Packet Sniffing Using AirPcap with Wireshark
     ■ Cracking a WEP Network with Aircrack-ng for Windows
     ■ Sniffing the Network Using the OmniPeek Network Analyzer
     Lab Analysis
     Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
     PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
  4. WiFi Packet Sniffing Using AirPcap with Wireshark
     The AirPcap adapter is a USB device that, when used in tandem with the AirPcap drivers and WinPcap libraries, allows a pentester to monitor 802.11b/g traffic in monitor mode.
     Lab Scenario
     Wireless networks can be open to active and also passive attacks. These types of attacks include DoS, MITM, spoofing, jamming, war driving, network hijacking, packet sniffing, and many more. Passive attacks that take place on wireless networks are common and are difficult to detect since the attacker usually just collects information. Active attacks happen when a hacker has gathered information about the network after a successful passive attack. Sniffing is the act of monitoring the network traffic using legitimate network analysis tools. Hackers can use monitoring tools, including AiroPeek, Ethereal, TCPDump, or Wireshark, to monitor the wireless networks. These tools allow hackers to find an unprotected network that they can hack. Your wireless network can be protected against this type of attack by using strong encryption and authentication methods. In this lab we discuss the Wireshark tool, which can sniff the network using a wireless adapter. Since you are the ethical hacker and penetration tester of an organization, you need to check the wireless security, exploit the flaws in WEP, and evaluate weaknesses present in WEP for your organization.
     Lab Objectives
     The objective of this lab is to help students learn and understand how to:
     ■ Discover WEP packets
  5. Lab Environment
     Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks
     To execute the lab, you need:
     ■ Install AirPcap adapter drivers; to install, navigate to D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools, and double-click setup_airpcap_4_1_1.exe
     ■ If any installation error occurs while you are installing the AirPcap adapter drivers, install them in compatibility mode (right-click the AirPcap adapter driver exe file, select Properties -> Compatibility, and in compatibility mode select Windows 7)
     ■ Wireshark located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\wireshark-win64-1.4.4.exe
     ■ Run this lab in Windows Server 2012 (host machine)
     ■ An access point configured with WEP on the host machine
     ■ This lab requires the AirPcap adapter installed on your machine. If you don't have this adapter, please do not proceed with this lab
     ■ A standard AirPcap adapter with its drivers installed on your host machine
     ■ WinPcap libraries, Wireshark, and Cain & Abel installed on your host machine
     ■ Administrative privileges to run AirPcap and other tools
     Lab Duration
     Time: 15 Minutes
     Overview of WEP (Wired Equivalent Privacy)
     Several serious weaknesses in the protocol have been identified by cryptanalysts with the result that, today, a WEP connection can be easily cracked. Once entered
  6. onto a network, a skilled hacker can modify software, network settings, and other security settings. Wired Equivalent Privacy (WEP) is a deprecated security algorithm for IEEE 802.11 wireless networks.
     Lab Tasks
     TASK 1: Configure AirPcap
     Download AirPcap drivers from the site and follow the wizard-driven installation steps to install AirPcap drivers.
     Note: You can download AirPcap drivers from http://www.airdemon.net/riverbed.html
     1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
        FIGURE 1.1: Windows Server 2012 - Desktop view
     2. Click the AirPcap Control Panel app to open the AirPcap Control Panel window.
        Note: The AirPcap adapters can work in monitor mode. In this mode, the AirPcap adapter captures all of the frames that are transferred on a channel, not just frames that are addressed to it.
        FIGURE 1.2: Windows Server 2012 - Apps
     3. The AirPcap Control Panel window appears.
  7. Note: The Multi-Channel Aggregator can be configured like any real AirPcap device, and therefore can have its own decryption, FCS checking and packet filtering settings.
        FIGURE 1.3: AirPcap Control Panel window
     4. On the Settings tab, click the Interface drop-down list and select AirPcap USB wireless capture adapter.
     5. In the Basic Configuration section, select suitable Channel, Capture Type, and FCS Filter and check the Include 802.11 FCS in Frames check box.
        Note: In Basic Configuration box settings: Channel: The channels available in the Channel list box depend upon the selected adapter. Since channel numbers 14 in the 2.4GHz and 5GHz bands overlap and there are center frequencies (channels) that do not have channel numbers, each available channel is given by its center frequency.
        FIGURE 1.4: AirPcap Control Panel window
     6. Now, click the Keys tab. Check the Enable WEP Decryption check box. This enables the WEP decryption algorithm. You can Add New Key, Remove Key, Edit Key, and Move Key Up and Down.
  8. 7. After configuring settings and keys, click OK.
        Note: In Basic Configuration Settings: Extension Channel: For 802.11n adapters, one can use the Extension Channel list to create a "wide" channel. The choices are -1 (the preceding 20MHz frequency band), 0 (no extension channel), or +1 (the succeeding 20MHz frequency band). The channel of the additional frequency band is called the extension channel.
        FIGURE 1.5: AirPcap Control Panel window
     TASK 2: Capturing the packets
     8. Launch Wireshark Network Analyzer. The Wireshark main window appears.
        Note: You can download Wireshark from http://www.wireshark.org.
        FIGURE 1.6: Wireshark Network Analyzer main window
  9. 9. Configure AirPcap as an interface to Wireshark. Select Capture -> Interface... (Ctrl+I). You can also click the icon on the toolbar.
        Note: The following are some of the many features Wireshark provides:
        ■ Available for UNIX and Windows.
        ■ Capture live packet data from a network interface.
        ■ Display packets with very detailed protocol information.
        ■ Open and Save packet data captured.
        ■ Import and Export packet data from and to a lot of other capture programs.
        ■ Filter packets on many criteria.
        ■ Search for packets on many criteria.
        ■ Colorize packet display based on filters.
        ■ Create various statistics
        FIGURE 1.7: Wireshark Network Analyzer with interface option
     10. The Wireshark: Capture Interfaces window appears. By default, the AirPcap adapter is not in running mode. Select the AirPcap USB wireless capture adapter nr. 00 check box. Click Start.
        Note: Wireshark isn't an intrusion detection system. It does not warn you when someone does things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.
        FIGURE 1.8: Wireshark Capture Interface
     11. Automatically, the Capturing from AirPcap USB wireless capture adapter nr. 00 - Wireshark window appears, and it starts capturing packets from the AirPcap adapter.
  10. Note: Wireshark can capture traffic from many different network media types - and despite its name - including wireless LAN as well. Which media types are supported depends on many things, such as the operating system you are using.
        FIGURE 1.9: Wireshark Network Analyzer window with packets captured
     12. Wait while Wireshark captures packets from AirPcap. If the Filter Toolbar option is not visible on the toolbar, select View -> Filter Toolbar. The Filter Toolbar appears.
        Note: Wireshark doesn't benefit much from Multiprocessor/Hyperthread systems as time-consuming tasks, like filtering packets, are single threaded. No rule is without exception: During an "update list of packets in real time" capture, capturing traffic runs in one process and dissecting and displaying packets runs in another process, which should benefit from two processors.
        Note: Wireshark can open packets captured from a large number of other capture programs.
        FIGURE 1.10: Wireshark Network Analyzer window with interface option
  11. 13. Now select View -> Wireless Toolbar. The wireless toolbar appears in the window.
        Note: Wireshark is a network packet analyzer that captures network packets and tries to display that packet data as detailed as possible.
        FIGURE 1.11: Wireshark Network Analyzer window with wireless toolbar option
     14. You will see the source and destination of the packet captured by Wireshark.
        Note: One possible alternative is to run tcpdump, or the dumpcap utility that comes with Wireshark, with superuser privileges to capture packets into a file, and later analyze these packets by running Wireshark with restricted privileges on the packet capture dump file
        FIGURE 1.12: Wireshark Network Analyzer window with 802.11 channel captured packets
     15. After enough packet captures, stop Wireshark
  12.   FIGURE 1.13: Stop Wireshark packet capture
     16. Go to File from the menu bar, and select Save
        Note: The latest version is faster and contains a lot of new features, like APR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks.
        FIGURE 1.14: Save the captured packets
     17. Enter the File name, and click Save.
  13. 13. [FIGURE 1.15: Save the captured packet file. Screenshot of the "Wireshark: Save file as" dialog]
      Lab Analysis
      Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.
      PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
      Tool/Utility: Wireshark
      Information Collected/Objectives Achieved:
        Used Adapter: AirPcap USB wireless capture adapter nr. 00
        Result: Number of sniffed packets captured by Wireshark in the network, which include: Packet Number, Time, Source, Destination, Protocol, and Info
  14. 14. Questions
      1. Evaluate and determine the number of wireless cards supported by the wireless scanner.
      2. Analyze and evaluate how AirPcap adapters operate.
      Internet Connection Required: 0 Yes 0 No
      Platform Supported: 0 Classroom □ iLabs
  15. 15. Lab: Cracking a WEP Network with Aircrack-ng for Windows
      Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that recovers keys once enough data packets have been captured. It implements the standard FMS attack along with some optimisations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.
      Lab Scenario
      Network administrators can take steps to help protect their wireless network from outside threats and attacks. Most hackers will post details of any loops or exploits online, and if they find a security hole, they will come in droves to test your wireless network with it. WEP is used for wireless networks. Always change your SSID from the default before you actually connect the wireless router for the access point. If SSID broadcast is not disabled on an access point, a DHCP server should not be used to automatically assign IP addresses to wireless clients, because war driving tools can easily detect your internal IP addressing if SSID broadcasts are enabled and DHCP is being used.
      As an ethical hacker and penetration tester of an organization, your IT director will assign you the task of testing wireless security, exploiting the flaws in WEP, and cracking the keys present in WEP of an organization. In this lab we discuss how WPA keys are cracked using standard attacks such as KoreK attacks and PTW attacks.
      Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks
      Lab Objectives
      The objective of this lab is to protect the wireless network from attackers. In this lab, you will learn how to:
      ■ Crack WEP using various tools
      ■ Capture network traffic
      ■ Analyze and detect wireless traffic
  16. 16. Lab Environment
      To execute the lab, you need:
      ■ Aircrack-ng located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\WEP-WPA Cracking Tools\Aircrack-ng\bin
      ■ This tool requires administrative privileges to run
      ■ A client connected to a wireless access point
      ■ This lab requires an AirPcap adapter installed on your machine. If you don't have this adapter, please do not proceed with the lab
      Note: Visit the Backtrack home site http://www.backtrack-linux.org for a complete list of compatible Wi-Fi adapters.
      Lab Duration
      Time: 20 Minutes
      Overview of Aircrack-ng
      A wireless network refers to any type of computer network that is wireless, and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves, such as radio waves, for the carrier, and this implementation usually takes place at the physical level or layer of the network.
      Note: Aireplay filter option: -b bssid: MAC address, access point.
      Lab Task
      TASK 1: Cracking a WEP Network
      1. Launch Aircrack-ng GUI from D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap\bin by double-clicking Aircrack-ng GUI.exe.
      2. Click the Airodump-ng tab.
      Note: To start wlan0 in monitor mode type: airmon-ng start wlan0.
      Note: To stop wlan0 type: airmon-ng stop wlan0.
      [FIGURE 2.1: Airodump-ng window]
  17. 17. 3. Click Launch. This will show the airodump window.
      Note: To confirm that the card is in monitor mode, run the command "iwconfig". You can then confirm the mode is "monitor" and the interface name.
      [FIGURE 2.2: Airodump-ng selecting adapter window. Screenshot of the airodump-ng 0.9 console listing the AirPcap USB wireless capture adapter nr. 00 and prompting for the network interface index number]
      4. Type the AirPcap adapter index number as 0 and select all channels by typing 11. Press Enter.
      Note: Aircrack-ng option: -b bssid. Long version: --bssid. Select the target network based on the access point's MAC address.
      Note: For cracking WPA/WPA2 pre-shared keys, only a dictionary method is used. SSE2 support is included to dramatically speed up WPA/WPA2 key processing.
      [FIGURE 2.3: Airodump-ng selecting adapter window. Screenshot of the console prompting for the channel and the output filename prefix]
      5. It will prompt you for a file name. Enter Capture and press Enter.
  18. 18. Note: When Aircrack-ng finishes determining the key, it is presented to you in hexadecimal format, such as KEY FOUND! [BF:53:9E:DB:37].
      [FIGURE 2.4: Airodump-ng selecting adapter window. Screenshot of the console prompting "Only write WEP IVs (y/n)"]
      6. Type y in Only write WEP IVs. Press Enter.
      Note: Airodump option: -f <msecs>: Time in ms between hopping channels.
      Note: Aireplay filter option: -d dmac: MAC address, destination.
      [FIGURE 2.5: Airodump-ng dumping the captured packets window]
      7. After pressing y it will display Wi-Fi traffic; leave it running for a few minutes.
      8. Allow airodump-ng to capture a large number of packets (above 2,000,000).
  19. 19. [FIGURE 2.6: Airodump-ng channel listing window. Screenshot of airodump-ng 0.9.3 on channel 11 listing access points (BSSID, PWR, Beacons, # Data, CH, MB, ENC, ESSID) and associated stations (BSSID, STATION, PWR, Packets, ESSID)]
      Note: airmon-ng is a bash script designed to turn wireless cards into monitor mode. It auto-detects which card you have and runs the right commands.
      Note: Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vectors) for the intent of using them with aircrack-ng.
      9. Now close the window.
      10. Go to Aircrack-ng and click Advanced Options.
      [FIGURE 2.7: Aircrack-ng options window]
      11. Click Choose and select the filename capture.ivs.
      Note: This is a different file from the one you recorded; this file contains precaptured IVS keys. The path is D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap
  20. 20. Note: To save time capturing the packets, for your reference, the capture.ivs file (this capture.ivs file contains more than 200000 packets) is at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap.
      12. After selecting the file, click Launch.
      Note: To put your wireless card into monitor mode: airmon-ng start rausb0.
      [FIGURE 2.8: Aircrack-ng launch window]
      Note: You may use this key without the ":" in your wireless client connection prompt and specify that the key is in hexadecimal format to connect to the wireless network.
      13. If you have enough captured packets, you will be able to crack the packets.
      14. Select your target network from BSSID and press Enter.
      [FIGURE 2.9: Select target network. Screenshot of the aircrack-ng console opening capture.ivs and asking for the index number of the target network]
  21. 21. Note: Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng.
      [FIGURE 2.10: aircrack-ng with WEP crack key. Screenshot of Aircrack-ng 0.9.3 reporting KEY FOUND! [ BF:53:9E:DB:37 ]]
      Lab Analysis
      Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate.
      PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
      Tool/Utility: Aircrack-ng
      Information Collected/Objectives Achieved:
        Number of packets captured: 224385
        Cracked wireless adaptor name: NETGEAR
        Output: Decrypted key BF:53:9E:DB:37
      Questions
      1. Analyze and evaluate how aircrack-ng operates.
      2. Does the aircrack-ng suite support the AirPcap adapter?
  22. 22. Internet Connection Required: □ Yes 0 No
      Platform Supported: 0 iLabs
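For the defensive side of this lab (finding networks that still expose WEP before someone else does), the following added example, which is not part of the lab manual, parses an access-point listing in the column layout of Figure 2.6 and flags open and WEP networks, ranking them by how much data traffic they expose. The sample rows, MAC addresses, ESSIDs and function names are constructed for illustration.

```python
"""Audit an airodump-ng style access-point listing for weak encryption.

Added example. The listing below is constructed sample data laid out in the
column order shown in Figure 2.6: BSSID PWR Beacons #Data CH MB ENC ESSID.
"""
import re
from dataclasses import dataclass

# Constructed sample listing (documentation-range MAC addresses, made-up ESSIDs).
SAMPLE_LISTING = """\
BSSID              PWR  Beacons  # Data  CH  MB  ENC   ESSID
00:00:5E:00:53:01  -10    53036  224385  11  54  WEP   lab-ap-legacy
00:00:5E:00:53:02  -80     5496    2146   1  48  WPA   office main
00:00:5E:00:53:03  -77       13       0   1  54  OPN   guest
00:00:5E:00:53:04  -78       21       0   1  54  WEP?  printer
00:00:5E:00:53:05  -81        5       0  11  48  WPA2
this line is not an access point row
"""

# One access-point row: a MAC address, six whitespace-separated fields, then an
# optional ESSID that may itself contain spaces (absent for hidden networks).
ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<pwr>-?\d+)\s+(?P<beacons>\d+)\s+(?P<data>\d+)\s+"
    r"(?P<ch>\d+)\s+(?P<mb>\d+)\s+(?P<enc>\S+)(?:\s+(?P<essid>.*\S))?\s*$"
)

# ENC values that produce a finding. "WEP?" means the tool has not yet seen
# enough traffic to tell WEP from WPA, so it is queued for a re-check.
SEVERITY = {
    "OPN": ("high", "no encryption: traffic is readable by anyone in range"),
    "WEP": ("high", "WEP in use: replace with WPA2 or later"),
    "WEP?": ("review", "encryption not yet determined: re-check with more traffic"),
}
# Assumption: these ENC labels are treated as acceptable and not reported.
ACCEPTED = {"WPA", "WPA2", "WPA3"}


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    channel: int
    data_frames: int
    enc: str
    essid: str


def parse_listing(text):
    """Return AccessPoint rows; the header and unrelated lines are skipped."""
    aps = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        aps.append(AccessPoint(
            bssid=m["bssid"].upper(),
            channel=int(m["ch"]),
            data_frames=int(m["data"]),
            enc=m["enc"].upper(),
            essid=m["essid"] or "<hidden>",
        ))
    return aps


def audit(aps):
    """Return findings, most exposed first.

    Within a severity level, networks carrying more data frames come first:
    the lab's point is that WEP keys are recovered once enough data packets
    have been captured, so a busy WEP network is the most urgent to migrate.
    """
    findings = []
    for ap in aps:
        if ap.enc in ACCEPTED:
            continue
        severity, reason = SEVERITY.get(ap.enc, ("review", "unrecognised ENC value"))
        findings.append({
            "bssid": ap.bssid,
            "essid": ap.essid,
            "channel": ap.channel,
            "enc": ap.enc,
            "data_frames": ap.data_frames,
            "severity": severity,
            "reason": reason,
        })
    rank = {"high": 0, "review": 1}
    findings.sort(key=lambda f: (rank[f["severity"]], -f["data_frames"]))
    return findings


if __name__ == "__main__":
    for f in audit(parse_listing(SAMPLE_LISTING)):
        print(f"[{f['severity']:6}] {f['bssid']} ch{f['channel']:<2} "
              f"{f['enc']:5} {f['essid']}: {f['reason']}")
```
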
  23. 23. Lab 3: Sniffing the Network Using the OmniPeek Network Analyzer
      OmniPeek is a standalone network analysis tool used to solve network problems.
      Lab Scenario
      Packet sniffing is a form of wire-tapping applied to computer networks. It came into vogue with Ethernet; this means that traffic on a segment passes by all hosts attached to that segment. Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone's traffic. Most hubs/switches allow the intruder to sniff remotely using SNMP, which has weak authentication. Using POP, IMAP, HTTP Basic, and telnet authentication, an intruder reads the password off the wire in cleartext.
      To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. OmniPeek network analysis performs deep packet inspection, network forensics, troubleshooting, and packet and protocol analysis of wired and wireless networks. In this lab we discuss wireless packet analysis of captured packets.
      Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks
      Lab Objectives
      The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.
      Lab Environment
      In this lab, you need:
      ■ Advanced OmniPeek Network Analyzer located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\Wi-Fi Packet Sniffer\OmniPeek Network Analyzer
      ■ You can also download the latest version of OmniPeek Network Analyzer from the link http://www.wildpackets.com
  24. 24. ■ If you decide to download the latest version, then screenshots shown in the lab might differ
      ■ Run this tool in Windows Server 2008
      ■ A web browser and Microsoft .NET Framework 2.0 or later
      ■ Double-click OmniPeek682demo.exe and follow the wizard-driven installation steps to install OmniPeek
      ■ Administrative privileges to run tools
      Lab Duration
      Time: 20 Minutes
      Note: You can download OmniPeek Network Analyzer from http://www.wildpackets.co
      Overview of OmniPeek Network Analyzer
      OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of each and every part of the network from a single interface, which includes Ethernet, Gigabit, 10 Gigabit, VoIP, Video to remote offices, and 802.11 a/b/g/n.
      Lab Tasks
      TASK 1: Analyzing WEP Packets
      1. Launch OmniPeek by selecting Start -> All Programs -> Wildpackets Omni packets Demo.
      2. Click View sample files.
      [FIGURE 3.1: OmniPeek main window]
      3. Select WEP.pkt
  25. 25. Note: OmniPeek gives network engineers real-time visibility and Expert Analysis into every part of the network from a single interface, including Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless, VoIP, and Video to remote offices.
      [FIGURE 3.2: OmniPeek Sample Files window]
      4. It will open WEP.pkt in the window. Select Packets from the left pane.
      [FIGURE 3.3: TELNET-UnWEP packets window]
      5. Double-click any of the packets in the right pane.
  26. 26. Note: Comprehensive network performance management and monitoring of entire enterprise networks, including network segments at remote offices.
      [FIGURE 3.4: TELNET-UnWEP packets analyzer. Screenshot of the WEP.pkt packet list with columns Packet, Source, Destination, BSSID, Flags, Channel, Signal, Data Rate, and Size]
      6. Click the right arrow to view the next packet.
      Note: OmniPeek Connect manages an organization's Omnipliance and TimeLine network recorders, and provides all the console capabilities of OmniPeek Enterprise with the exception of local capture and VoIP call playback.
      [FIGURE 3.5: TELNET-UnWEP packets frame window. Screenshot of the decoded packet showing the 802.11 MAC header fields]
      7. Close the tab from the top and select different options from the right pane; click Graphs.
  27. 27. Note: OmniPeek Enterprise also provides advanced Voice and Video over IP functionality including signaling and media analyses of voice and video, VoIP playback, voice and video Expert Analysis, Visual Expert, and more.
      [FIGURE 3.6: WEP Graphs window]
      8. Now traverse through all the options in the left pane of the window.
      Lab Analysis
      Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate.
      PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
      Tool/Utility: OmniPeek Network Analyzer
      Information Collected/Objectives Achieved:
        Packet Information:
        • Packet Number
        • Flags
        • Status
        • Packet Length
        • Timestamp
        • Data Rate
        • Channel
        • Signal level
  28. 28.   • Signal dBm
        • Noise Level
        • Noise dBm
        • 802.11 MAC Header Details
      Questions
      1. Analyze and evaluate the list of captured packets.
      Internet Connection Required: 0 Yes □ No
      Platform Supported: 0 Classroom □ iLabs
