This document summarizes a presentation on wireless security testing and attacks. It describes tools like airodump-ng for packet sniffing, aireplay-ng for packet injection, and aircrack-ng for cracking wireless encryption keys. It demonstrates attacks like cracking WEP encryption, exploiting vulnerabilities in WPS, and performing man-in-the-middle attacks. The presentation emphasizes that these attacks would be illegal to perform without permission and stresses the importance of responsible disclosure.

1. You think your Wifi is
Safe?
Rob Gillen
@argodev

2. CodeStock is proudly partnered with:
RecruitWise and Staff with Excellence - www.recruitwise.jobs
Send instant feedback on this session via Twitter:
Send a direct message with the room number to @CodeStock
d codestock 406 This session is great!
For more information on sending feedback using Twitter while at
CodeStock, please see the “CodeStock README” in your CodeStock guide.

3. what we do
consulting training design debugging
who we are
Founded by top experts on Microsoft – Jeffrey Richter, Jeff Prosise, and John Robbins – our
mission is to help our customers achieve their goals through advanced software-based
consulting and training solutions.
how we do it Training
• On-site instructor-led training
Consulting & Debugging • Virtual instructor-led training
• Architecture, analysis, and design services • Devscovery conferences
• Full lifecycle custom software development
• Content creation Design
• Project management • User Experience Design
• Debugging & performance tuning • Visual & Content Design
• Video & Animation Production
wintellect.com

4. Don’t Be Stupid
The following presentation describes
real attacks on real systems. Please
note that most of the attacks
described would be considered ILLEGAL
if attempted on systems that you do
not have explicit permission to test
and attack. I assume no responsibility
for any actions you perform based on
the content of this presentation or
subsequent conversations. Please
remember this basic guideline: With
knowledge comes responsibility.

5. Disclaimer
The content of this presentation
represents my personal views and
thoughts at the present time. This
content is not endorsed by, or
representative in any way of my
employer nor is it intended to be a
view into my work or a reflection on
the type of work that I or my group
performs. It is simply a hobby and
personal interest and should be
considered as such.

6. Overview
• Pre-Requisite Knowledge
• Various Security Approaches
• Tools and Attacks

7. Required Gear
• Network Adapter that supports
“Monitor” mode.
– Equivalent to promiscuous mode on a
normal NIC
• Windows, MAC, or Linux
– Linux tools tend to be more readily
available

8. Wireless Packet Frames
• Management Frames • Control Frames
– Authentication – Request to Send
– De-authentication (RTS)
– Association Request – Clear to Send (CTS)
– Association Response – Acknowledgment (AWK)
– Re-association • Data Frames
Request
– Re-association
Response
– Disassociation
– Beacon
– Probe Request
– Probe Response

9. Packet Sniffing
• Filters:
– wlan.fc.type
• == 0 (mgmt frames)
• == 1 (control frames)
• == 2 (data frames)
– wlan.fc.subtype
• == 8 (beacons)
• (wlan.fc.type == 0) &&
(wlan.fc.subtype == 8)

10. Packet Sniffing
• Determine the channel of the
network we are interested in
– required for sniffing data packets
– airodump-ng
• iwconfig mon0 channel 11 (demo
pre/post)

11. Packet Injection
• aireplay-ng
– Inject packets onto a specific
wireless network without specific
association to that network
– Can target specific channels, mask
MAC addresses, etc.
– Does not require association

12. Regulatory Issues
• Available Channels
• Radio Power Levels
– iw reg set US
– iw reg set BO

13. DEMO: HIDDEN SSID

14. DEMO: Hidden SSID
• Show packet capture with the SSID
• Hide SSID
• Prove it is now hidden
• Solve for X
– Passive (wait for valid client) –
wireshark filter
– Use aireplay-ng to send deauth packet to
force the discovery
• Probe Request/Probe Response packets

15. DEMO: MAC FILTERS

16. DEMO: MAC Filters
• Enable MAC Filtering on the WAP
• Prove that a client cannot connect
• Use airodump-ng to show associated
clients
• Use macchanger to spoof the
whitelisted address and connect.

17. DEMO: SHARED KEY
AUTHENTICATION

18. DEMO: Shared Key
Authentication
• Illustration (steal picture from
Wikipedia/netgear?)
• Configured AP for Shared Key/Update
Client
• Use airodump-ng to capture/log the
authentication scheme + keystream
– Wait for valid client or send deauth pkt
• Use aireplay-ng to pass back the
captured auth pkt
• TIP: DOS by filling up AP tables
(wrapper around airreplay-ng)

19. DEMO: WEP ENCRYPTION

20. DEMO: WEP Encryption
• Capture data packets (ARP) from a
known/trusted client (airodump-ng)
• Replay them/re-inject between 10-
100,000 times (aireplay-ng)
• Crack them (aircrack-ng)
• “Guaranteed” crack

21. DEMO: WPA/2 ENCRYPTION

22. DEMO: WPA/2 Encryption
• Vulnerable to dictionary attacks
• Collect authentication handshake
• Select dictionary file and run the
cracker
• Works for WPA, WPA2, AES, TKIP

23. Tools

24. Tools
• Jasegar (Pineapple IV)
• I can be anything you want
me to be

25. Man-In-The-Middle

26. Man-In-The-Middle

27. Man-In-The-Middle

28. Man-In-The-Middle

29. Tools
• Reaver Pro (WPS Exploit)
• 4-10 hours and your network
is mine

30. What is Safe?
• Stop using Wi-Fi
• Avoid open Wi-Fi networks
• Always use SSL
• Use VPN
• Disable Auto-Connect… on *all*
devices
• Hard/complex network keys
• WPA-Enterprise / RADIUS / PEAP /
EAP-TTLS
• Disable WPS!

31. Equipment List
• Two Laptops
• Any Wireless Access Point
• Alfa Card
http://www.amazon.com/gp/product/B002BFMZR8
• Yagi Antenna
http://www.amazon.com/gp/product/B004L0TKW4
• Reaver Kit
http://hakshop.myshopify.com/products/reaver
-pro
• WiFi Pinapple
http://hakshop.myshopify.com/collections/fro
ntpage/products/wifi-pineapple

32. Learning More
• http://www.securityfocus.com
• http://www.aircrack-ng.org
• http://raulsiles.com/resources/wif
i.html
• http://www.willhackforsushi.com

33. Questions/Contact
Rob Gillen
rob@gillenfamily.net
http://rob.gillenfamily.net
@argodev