
Wireless Attacks - WiFu PDF

385 Pages·2012·80.973 MB·English

Preview Wireless Attacks - WiFu

Offensive Security
Wireless Attacks - WiFu v. 3.0
Mati Aharoni, Devon Kearns, Thomas d'Otreppe de Bouvette

© All rights reserved to Offensive Security, 2012

No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from the author.

Table of Contents

A Note from the Author .... 10
Before we Begin .... 13

1. IEEE 802.11 .... 14
  1.1 IEEE .... 14
    1.1.1 Committees .... 14
    1.1.2 IEEE 802.11 .... 16
  1.2 802.11 Standards and Amendments .... 16
  1.3 Main 802.11 Protocols .... 18
    1.3.1 Detailed Protocol Descriptions .... 18

2. Wireless Networks .... 22
  2.1 Wireless Operating Modes .... 22
    2.1.1 Infrastructure Network .... 22
    2.1.2 Ad-Hoc Network .... 23
    2.1.3 Wireless Distribution System .... 24
    2.1.4 Monitor Mode .... 25

3. Packets and Network Interaction .... 26
  3.1 Wireless Packets – 802.11 MAC Frame .... 26
    3.1.1 Header .... 27
    3.1.2 Data .... 29
    3.1.3 FCS .... 29
  3.2 Control Frames .... 30
    3.2.1 Common Frames .... 30
  3.3 Management Frames .... 40
    3.3.1 Beacon Frames .... 41
    3.3.2 Probe Frames .... 44
    3.3.2 Authentication .... 49
    3.3.3 Association/Reassociation .... 51
    3.3.4 Disassociation/Deauthentication .... 56
    3.3.5 ATIM .... 60
    3.3.6 Action Frames .... 60
  3.4 Data Frames .... 61
    3.4.1 Most Common Frames .... 62
  3.5 Interacting with Networks .... 67
    3.5.1 Probe .... 69
    3.5.2 Authentication .... 80
    3.5.3 Association .... 94
    3.5.4 Encryption .... 98

4. Getting Started .... 124
  4.1 Choosing Hardware .... 124
    4.1.1 Adapter Types .... 124
    4.1.2 dB, dBm, dBi, mW, W .... 127
    4.1.3 Antennas .... 128
  4.2 Choosing a Wireless Card .... 129
    4.2.1 Alfa AWUS036H .... 130
  4.3 Choosing an Antenna .... 131
    4.3.1 Antenna Patterns .... 131

5. Linux Wireless Stack and Drivers .... 138
  5.1 ieee80211 vs. mac80211 .... 138
    5.1.1 ieee80211 .... 138
    5.1.2 mac80211 .... 139
  5.2 Linux Wireless Drivers .... 141
    5.2.1 Resolving AWUS036H Issues .... 141
    5.2.2 Loading and Unloading Drivers .... 143
    5.2.3 mac80211 Monitor Mode .... 146
    5.2.4 ieee80211 Monitor Mode .... 150

6. Aircrack-ng Essentials .... 153
  6.2 Airmon-ng .... 153
    6.2.1 Airmon-ng Usage .... 154
    6.2.2 Airmon-ng Usage Examples .... 154
    6.2.2 Airmon-ng Lab .... 159
  6.3 Airodump-ng .... 160
    6.3.1 Airodump-ng Usage .... 160
    6.3.3 Precision Airodump-ng Sniffing .... 164
    6.3.4 Airodump-ng Troubleshooting .... 165
    6.3.5 Airodump-ng Lab .... 167
  6.4 Aireplay-ng .... 168
    6.4.1 Aireplay-ng Usage .... 168
    6.4.2 Aireplay-ng Troubleshooting .... 172
    6.4.3 Optimizing Aireplay-ng Injection Speeds .... 174
  6.5 Injection Test .... 175
    6.5.1 Injection Test Usage .... 175
    6.5.2 Aireplay-ng Lab .... 179

7. Cracking WEP with Connected Clients .... 180
  7.1 Initial Attack Setup .... 180
    7.1.1 Airmon-ng .... 180
    7.1.2 Airodump-ng .... 181
  7.2 Aireplay-ng Fake Authentication Attack .... 182
    7.2.1 Fake Authentication Usage .... 182
    7.2.2 Fake Authentication Troubleshooting .... 184
    7.2.3 Running the Fake Authentication Attack .... 188
    7.2.4 Fake Authentication Lab .... 189
  7.3 Aireplay-ng Deauthentication Attack .... 190
    7.3.1 Deauthentication Attack Usage .... 190
    7.3.2 Deauthentication Troubleshooting .... 191
    7.3.3 Running the Deauthentication Attack .... 192
    7.3.4 Deauthentication Lab .... 193
  7.4 Aireplay-ng ARP Request Replay Attack .... 194
    7.4.1 What is ARP? .... 194
    7.4.2 ARP Request Replay Usage .... 197
    7.4.3 Running the ARP Request Replay Attack .... 198
    7.4.4 ARP Request Replay Attack Lab .... 201
  7.5 Aircrack-ng .... 202
    7.5.1 Aircrack-ng 101 .... 202
    7.5.2 Aircrack-ng Usage .... 206
    7.5.3 Aircrack-ng Troubleshooting .... 210
    7.5.4 Running Aircrack-ng .... 212
    7.5.5 Aircrack-ng Lab .... 213
  7.6 Classic WEP Cracking Attack Summary .... 214

8. Cracking WEP via a Client .... 216
  8.1 Attack Setup .... 216
    8.1.1 Attack Setup Lab .... 219
  8.2 Aireplay-ng Interactive Packet Replay Attack .... 220
    8.2.1 Natural Packet Selection .... 220
    8.2.2 Modified Packet Replay .... 222
    8.2.3 Running the Interactive Packet Replay Attack .... 224
    8.2.4 Interactive Packet Replay Lab .... 227
  8.3 Cracking the WEP Key .... 228
    8.3.1 Lab .... 229
  8.4 Cracking WEP via a Client Attack Summary .... 230

9. Cracking Clientless WEP Networks .... 231
  9.1 Attack Assumptions .... 231
  9.2 Attack Setup .... 232
    9.2.1 Attack Setup Lab .... 234
  9.3 Aireplay-ng Fragmentation Attack .... 235
    9.3.1 Fragmentation Attack Usage .... 235
    9.3.2 Fragmentation Attack Troubleshooting .... 238
    9.3.3 Running the Fragmentation Attack .... 239
    9.3.4 Fragmentation Attack Lab .... 241
  9.4 Packetforge-ng .... 242
    9.4.1 Packetforge-ng Usage .... 242
    9.4.2 Running Packetforge-ng .... 247
    9.4.3 Packetforge-ng Lab .... 248
  9.5 Aireplay-ng KoreK ChopChop Attack .... 249
    9.5.1 ChopChop Theory .... 249
    9.5.2 Aireplay-ng KoreK ChopChop Usage .... 251
    9.5.3 Running the KoreK ChopChop Attack .... 254
    9.5.4 KoreK ChopChop Attack Lab .... 256
  9.6 Interactive Packet Replay and Aircrack-ng .... 257
    9.6.1 Interactive Packet Replay .... 257
  9.7 Clientless WEP Cracking Lab .... 259
  9.8 Clientless WEP Cracking Attack Summary .... 260

10. Bypassing WEP Shared Key Authentication .... 262
  10.2 Attack Setup .... 263
    10.2.1 Attack Setup Lab .... 264
  10.3 Aireplay-ng Shared Key Fake Authentication .... 265
    10.3.1 Deauthenticate a Connected Client .... 266
    10.3.2 Shared Key Fake Authentication .... 267
    10.3.3 Running the Shared Key Fake Authentication .... 268
    10.3.4 Shared Key Fake Authentication Lab .... 269
  10.4 ARP Request Replay and Aircrack-ng .... 270
    10.4.1 ARP Request Replay .... 270
    10.4.2 Aircrack-ng .... 272
  10.5 Bypassing WEP Shared Key Authentication Lab .... 273
  10.6 WEP Shared Key Authentication Attack Summary .... 274

11. Cracking WPA/WPA2 PSK with Aircrack-ng .... 276
  11.1 Attack Setup .... 277
    11.1.1 Attack Setup Lab .... 278
  11.2 Aireplay-ng Deauthentication Attack .... 279
    11.2.1 Four-way Handshake Troubleshooting .... 280
    11.2.2 Deauthentication Attack Lab .... 281
  11.3 Aircrack-ng and WPA .... 282
    11.3.1 "No valid WPA handshakes found" .... 283
    11.3.2 Aircrack-ng and WPA Lab .... 284
  11.4 Airolib-ng .... 285
    11.4.1 Airolib-ng Usage .... 285
    11.4.2 Using Airolib-ng .... 286
    11.4.3 Airolib-ng Lab .... 290
  11.5 Cracking WPA Attack Summary .... 291

12. Cracking WPA with JTR and Aircrack-ng .... 292
  12.1 Attack Setup .... 292
    12.1.1 Attack Setup Lab .... 293
  12.2 Editing John the Ripper Rules .... 294
    12.2.1 Word Mangling Lab .... 295
  12.3 Using Aircrack-ng with John the Ripper .... 296
  12.4 John the Ripper Lab .... 297
  12.5 Aircrack-ng and JTR Attack Summary .... 298

13. Cracking WPA with coWPAtty .... 299
  13.1 Attack Setup .... 299
    13.1.1 Attack Setup Lab .... 300
  13.2 coWPAtty Dictionary Mode .... 301
  13.3 coWPAtty Rainbow Table Mode .... 302
  13.4 coWPAtty Lab .... 304
  13.5 coWPAtty Attack Summary .... 305

14. Cracking WPA with Pyrit .... 307
  14.1 Attack Setup .... 307
    14.1.1 Attack Setup Lab .... 309
  14.2 Pyrit Dictionary Attack .... 310
  14.3 Pyrit Database Mode .... 312
  14.4 Pyrit Lab .... 315
  14.5 Pyrit Attack Summary .... 316

15. Additional Aircrack-ng Tools .... 318
  15.1 Airdecap-ng .... 318
    15.1.1 Airdecap-ng Usage .... 318
    15.1.2 Removing Wireless Headers .... 319
    15.1.3 Decrypting WEP Captures .... 322
    15.1.4 Decrypting WPA Captures .... 325
    15.1.5 Airdecap-ng Lab .... 327
  15.2 Airserv-ng .... 328
    15.2.1 Airserv-ng Usage .... 329
    15.2.2 Using Airserv-ng .... 329
    15.2.3 Airserv-ng Troubleshooting .... 331
    15.2.4 Airserv-ng Lab .... 332
  15.3 Airtun-ng .... 333
    15.3.1 Airtun-ng Usage .... 334
    15.3.2 Airtun-ng wIDS .... 335
    15.3.3 Airtun-ng WEP Injection .... 337
    15.3.4 Airtun-ng PRGA Injection .... 338
    15.3.5 Connecting to Two Access Points with Airtun-ng .... 339
    15.3.6 Airtun-ng Repeater Mode .... 340
    15.3.7 Airtun-ng Packet Replay Mode .... 341
    15.3.8 Airtun-ng Lab .... 342

16. Wireless Reconnaissance .... 343
  16.1 Airgraph-ng .... 343
    16.1.1 CAPR ....
343 16.1.2 CPG ................................................................................................................................................................................... 345 16.2 Kismet ..................................................................................................................................................................................... 346 16.3 GISKismet .............................................................................................................................................................................. 348 16.4 Wireless Reconnaissance Lab ..................................................................................................................................... 351 8 © All rights reserved to Offensive Security, 2012 17. Rogue Access Points ......................................................................................................... 352 17.1 Airbase-ng ............................................................................................................................................................................. 352 17.1.1 Airbase-ng Usage ....................................................................................................................................................... 353 17.1.2 Airbase-ng Shared Key Capture .......................................................................................................................... 354 17.1.3 Airbase-ng WPA Handshake Capture .............................................................................................................. 356 17.2 Karmetasploit ...................................................................................................................................................................... 358 17.2 Karmetasploit Configuration....................................................................................................................................... 
358 17.3 Man in the Middle Attack .............................................................................................................................................. 366 17.4 Rogue Access Points Lab ............................................................................................................................................... 370 Appendix A: Cracking WEP via a Client - Alternate Solutions ................................................. 371 A.1 Pulling Packets from Captured Data .......................................................................................................................... 371 A.2 Creating a Packet from a ChopChop Attack ........................................................................................................... 375 Appendix B: ARP Amplification .............................................................................................. 378 B.1 Equipment Used ................................................................................................................................................................... 378 B.2 One for One ARP Packets ................................................................................................................................................. 379 9 B.3 Two for One ARP Packets ...............................................................3................................................................................. 381 3 B.4 Three for One ARP Packets ........................................................4..................................................................................... 383 6 - 7 0 7 2 - u f wi 9 © All rights reserved to Offensive Security, 2012 A Note from the Author The wireless industry continues to grow in leaps and bounds with more and more gadgets evolving to be wireless. Access points, media centers, phones, and even security systems are commonplace in the average household. 
Unfortunately, the security that is implemented on wireless equipment is often lacking, resulting in severe security vulnerabilities. In practice, many companies and organizations still use and deploy vulnerable wireless gear, often in their default configurations. This is most often due to poor security awareness or a lack of understanding of the risks and ramifications.

One of the more extreme examples of this happened to me back in 2005. I was asked to perform an infrastructure vulnerability assessment on a medical institute. Their IT department spent a fortune on hardening their systems and complying with regulations. They asked me to come and check their security implementations in their main office. After several days of hard work and no luck, I realized that I might not be able to hack this network after all.

I exited their main building and sat down in the cafeteria adjacent to it. I turned on my laptop (needing some casual Internet access) and suddenly saw a wireless network that aroused my suspicion. The ESSID of the network was the same as the first name of the CEO. I fired up Kismet, a wireless network sniffer, and started scouting the main building, as the signal seemed to be coming from that area.

Walking back into the main office, I asked the IT administrator if they had any wireless networks installed. He answered with a firm “No” and proceeded to explain that their security policy forbids the introduction of wireless equipment into their network due to security issues. “It’s impossible – we don’t have ANY wireless gear here”, he swiftly concluded.