You are on page 1of 32

Birmingham City University Faculty of Technology, Engineering and the Environment School of Computing, Telecommunications and Networks

Wireless Networking UG2

Wireless Security

Wireless Penetration testing is a practical subject and it is important to first setup a lab where we can try out all the different experiments in a safe and controlled environment. It is important that you set up this lab first before proceeding. We shall look at the following: •! •! •! •! •! Hardware and software requirements BackTrack 5 installation Setting up an access point and configuring it Installing the wireless card Testing connectivity between the laptop and the access point

So let the games begin! The following lab will investigate Backtrack 5; this is a version of Linux that allows for network testing and vulnerability assessment. This first lab is looking at Backtrack 5 and booting the system from DVD. You will be given a DVD with BT5R1, all of the Lab PC that have a wireless card installed has been configured to boot from DVD. Insert the BT5R1 DVD into the DVD drive and reboot from Windows. Hardware requirements •! We will need the following hardware to set up the wireless lab: •! Two PCs with internal/External Wi-Fi cards: We will use one of the PC as the victim in our lab and the other as the penetration tester's PC (please note the PC with the internal will always be the attacker). •! One access point: Any access point which supports WEP/WPA/WPA2 encryption standards would fit the bill. I will be using a Linksys Wireless N Router within these labs. •! An Internet connection: This will come in handy to perform research, download software, and for some of our experiments. Software requirements •! We will need the following software to set up the wireless lab: •! BackTrack 5: BackTrack can be downloaded from their official website located at The software is open source and you should be able to download it directly from the website. (note: I also have a VMWare version) •! Windows XP: This PC will be used as the victim machine for the rest of the labs •! It is important to note that even though we are using a Windows-based OS for our tests, the techniques learnt can be applied to any Wi-Fi capable devices such as Smart Phones and Tablets, among others.

Lab topology

Setting up Backtrack 5 Backtrack is relatively simple to install. We will run BackTrack by booting it as a Live DVD and then install it on the hard drive. Perform the following instructions step-by-step: •! 1. Boot the PC with this DVD and select the option BackTrack Text – Default Boot Text Mode from the boot menu:

Once you are in the GUI. your screen should resemble the following: . You can boot into the graphical mode by entering startx on the command prompt. If booting was successful then you should see the familiar BackTrack screen: 3.2.

1 for the AP and 192.1.Setting up the Access-point   For the wireless network and access point I will be using the Linksys WRT160N router and a Linksys WUSB600N card. In this first lab we will look at the network that is open with no security enabled. .1.100 for the client PC I have set the network name (SSID) to Wireless_Lab. I have reset the access point and logged in under the default username/password of admin/admin. As shown below the AP have been set with no security. With the default ip address of 192.168.168.

in this case BT5 is behaving as a normal user and could connect to the network by clicking the connect button.Now that the network is configured with BT5 and the wireless access point set up we are going to look at the AP from BT5. Open up the wireless network manager. However this is not what we want to achieve in the lab. Now open the terminal console and issuing the following commands. 1. Close the wireless manager by clicking the x button. As you can see the wireless network manager has found the “wireless_lab” AP. ifconfig . this can be found under applications and internet.

this is a passive attack and the end users will not know that you are scanning the network for wireless networks. You use iwconfig to set the network interface parameters. If you’re familiar with the ifconfig command. Passive Network Attack We are now going to run the first attack on the network. the iwconfig command is similar but works only with wireless interfaces. Using iwconfig You use iwconfig to configure a wireless network interface.As you can see we have a number of interfaces that are shown. To check that the wlan0 interface is capable of wireless type: iwconfig in to the terminal window. As well. the one that we are interested in is the wlan0 interface. such as frequency. The syntax is as follows: . you can use iwconfig to set the wireless parameters and display statistics.

• Auto: self-explanatory. iwconfig eth0 freq 2. For example. the following specifies that you want to disable Network ID checking. with roaming. • Repeater: node forwards packets between other wireless nodes. while a value over is the frequency in Hz. A value below 1. Use off to re-enable automatic mode without changing the current Access Point. • Managed: more than one Access Point. iwconfig eth0 mode managed ap: Use this parameter to force the card to register to the Access Point given by the address.essid: Use the ESSID parameter to specify the ESSID or Network Name. the following specifies the level as 80 dBm. the following specifies that you want to set the ESSID for the wireless adapter to ANY for wardriving. For example. the following specifies that you want to set the frequency to 2. For example.422G Or for example. • Secondary: node acts as a backup master or repeater. • Master: synchronization master or an Access Point. iwconfig eth0 nwid off freq/channel: Use this parameter to set the operating frequency or channel. • Monitor: the node acts as a passive monitor and only receives packets. iwconfig eth0 sens -80 mode: Use this parameter to set the operating mode of the device. For example. the following specifies that the network is infrastructure mode. iwconfig eth0 essid any nwid/domain: Use the Network ID parameter to specify the network ID or Domain ID. iwconfig eth0 channel 3 sens: Use this parameter to set the sensitivity threshold. the following specifies that you want to use channel three. The operating mode is one of the following: • Ad-hoc: no Access Point.422 GHz.000 represents the channel number. For example. .

or use any or auto to force the card to re-associate with the current best Access Point. For example. look for the “wireless_lab” as shown above. the following forces association with the access point with the hardware address of 00:60:1D:01:23:45. Using iwlist . iwconfig eth0 ap 00:60:1D:01:23:45 nick[name]: Use this parameter to set the nickname or station name. and the bit rates this network supports. iwconfig eth0 rate 11M From the terminal type: iwlist wlan0 scanning This will list all of the wireless networks. iwconfig eth0 nickname Peter Node rate/bit[rate]: Use this parameter to set the bit-rate in bits per second for cards supporting multiple bit rates. the following sets the nickname to Peter Node. the following sets the bit rate to 11 Mbps. For example. as you can see the output shows the ESSID name. For example.

signal quality and strength and bit data and error rate.1" from its manual Alternatively. node name.255.0. as shown in the following screenshot: Note: You need to make a note of the AP MAC ADDRESS you will need this later in the lab. frequency. The syntax is as follows: Now you are going to access the AP.168. Let's set our IP address in the same subnet by issuing the command ifconfig wlan0 192.0 up. If you have successfully connected to the access point. We know the access point has a management interface IP address "192. you can get the ESSID. you should see the MAC address of the access point in the Access Point: field in the output of iwconfig.168.101 netmask 255.255.0. For instance. issue the command iwconfig wlan0 essid "Wireless_Lab" and then iwconfig wlan0 to check the status.iwlist allows you to display more detailed information from a wireless interface than you can get with iwconfig. Verify the command succeeded by typing ifconfig wlan0 and checking the output: . this is the same as the default router IP address when we run the route –n command.

Now let's ping the access point by issuing the command ping 192. Video of Lab 1 . You should see that the MAC address of the IP 192. If the network connection has been set up properly.1.1 is the access point's MAC address we have noted earlier.1. In such a case.168. you could try to launch a browser and access the web interface to verify that the connection is up and running. You can additionally issue an arp –a to verify that the response is coming from the access point. then you should see the responses from the access point.1. It is important to note that some of the more recent access points might have response to ICMP Echo Request packets disabled. This is typically done to make the access point secure out-of-the-box with only the bare minimum configuration settings available.168.

Control.WLAN and its problems In this lab we will investigate the issues with wireless and look at the management frames that are used to control the network. packet injection. We will explore those flaws in this lab. such as packet spoofing. WLANs by design have certain insecurities which are relatively easy to exploit.Lab 2 . communication happens over frames. and Data frames Sniffing data packets for a given wireless network Injecting packets into a given wireless network Revisiting WLAN frames In WLANs. A frame would have the following header structure: The "Frame Control" field itself has a more complex structure: . we will look at the following: Revisiting WLAN frames Different frame types and sub-types Using Wireshark to sniff Management. and sniffing (which could even happen from far away). In this lab.

There are no sub-types for data frames. however. Management frames: Management frames are responsible for maintaining communication between the access points and wireless clients. or Tshark which can used for sniffing as well. From the terminal console. We will discuss the security implications of each of these frames when we discuss different attacks in later in these labs. Control frames can have the following sub-types: Request to Send (RTS) Clear to Send (CTS) Acknowledgement (ACK) 3. The first step in doing this is to create a monitor mode interface. use Wireshark for most of this book. Tcpdump. There are other tools like Airodump-NG. The Management frames can have the following sub-types: Authentication De-authentication Association Request Association Response Reassociation Request Reassociation Response Disassociation Beacon Probe Request Probe Response 2. We will. We will now look at how to sniff these frames over a wireless network using Wireshark. The first step is to create a monitor interface for Wireshark to inspect traffic. start BT5 and make sure that you can see you own network. but we encourage you to explore other tools. . Control frames: Control frames are responsible for ensuring a proper exchange of data between the access point and wireless clients. Data frames: Data frames carry the actual data sent on the wireless network.The Type field defines the type of WLAN frame. check the wlan0 is up and working. which has three possibilities: 1. Creating a Monitor Point Set up the basic wireless lab as set out in lab 1. for this we will use airmon-ng.

. we will use the airmon-ng utility which is available by default on BackTrack.To put our card into monitor mode. You should see the wlan0 interface listed in the output: Now issue the airmon-ng start wlan0 and you should see that the mon0 interface listed. First run airmon-ng to verify it detects the available cards. You can also check with the ifconfig command.

Wirershark Follow these instructions to begin sniffing packets: 1. Start Wireshark by typing Wireshark& in the console. Once Wireshark is running. click on the Capture | Interfaces sub-menu: Select packet capture from the mon0 interface by clicking on the Start button to the right of the mon0 interface as shown in the preceding screenshot. Wireshark will begin the capture and now you should see packets within the Wireshark window: .

These are wireless packets which your Wireless card is sniffing off the air. In order to view any packet. select it in the top window and the entire packet will be displayed in the middle window: .

type == 2: To additionally select a sub-type.fc. To view Control Frames. and even for a reasonably populated wireless network.As can be see from the above screen shot the management frame is showing the SSID of “wireless_lab” We just sniffed our first set of packets off the air! We launched Wireshark which used the monitor mode interface mon0 we have created previously. enter the filter wlan.fc. To view all the Management frames in the packets being captured.fc.type == 0 into the filter window and click on Apply. and data frames. to view all the Beacon frames among all Management frames use the following filter (wlan.   Now we will learn how to apply filters in Wireshark to look at management.fc. Wireshark traces can be a bit daunting at times. it is important to be able to drill down to only those packets which interest us. This can be accomplished using filters in Wireshark. You will notice by looking at the footer region of Wireshark the speed at which the packets are being captured and also the number of packets captured till now.subtype filter. . Please follow these instructions step-by-step: 1. You can stop the packet capture if you want to prevent the packets from scrolling down too fast: Examine the output. you could end up sniffing a few thousand packets. Hence. use the wlan. Explore how you can use these filters to identify unique wireless devices in the traces—both access points and wireless clients. For example. modify the filter expression to wlan. control. modify the filter expression to read wlan.type == 1: To view the Data Frames. find the MAC address of your AP.

We just learned how to filter packets in Wireshark using various filter expressions. Control. (groups of four) and set up a wireless lab as in lab 1. This way anyone who can sniff the packets can read these headers. As there is no integrity or replay attack mitigation in the protocol.type == 0) && (wlan. Also. Video of Lab 2 . We will look at some of these attacks in later labs.subtype == 8). Remove the filters Challenge Lab 2A Create a group of two teams. This helps us to monitor selected packets from devices we are interested in. instead of trying to analyze all the packets in the air. however this time each group will attack the other group. we can see that the packet headers of Management. It is also important to note that it is also possible for a hacker to modify any of these packets and re-transmit them. Group A will set up their AP with a password of their choosing (No more the 8 letters) Group B will do the same. each group will then attempt to gain access to the other groups AP by finding the username and password.fc. this is very easy to do.fc. and Data frames are in plain text and does not contain any encryption.

In order to do an injection test. Now run the following command aireplay-ng -9 -e Wireless_Lab -a 00:1E:E5:5A:D9:50 mon0 on a terminal: (Note: I have used the aireplay-ng -9 -e Wireless_Lab -a 00:1E:E5:5A:D9:50 -ignore-negative-one mon0 this is due to the VM) 3. Some of these packets have been sent by aireplay-ng which we launched. first start Wireshark and the filter expression (wlan.Lab 3 Packet Injection We will be using the aireplay-ng tool which is available in BackTrack for this lab.type_subtype == 0x08).fc. bssid == 00:1E:E5:5A:D9:50) && !(wlan. and others are from the access point Wireless Lab in response to the injected packets: . Follow these instructions carefully: 1. This will ensure that we only see non-beacon packets for our lab network. Go back to Wireshark and you should see a lot of packets on the screen now. (where 00:1E:E5:5A:D9:50 is the MAC of your AP) 2.

As before set up the wireless network as outlined in lab 1. We will be using the aireplay-ng tool which is available in BackTrack for this exercise. 3. This will ensure that we only see non-beacon packets for our lab network.ico as shown below: . We just successfully injected packets into our test lab network using aireplay-ng. 2.Now issue the airmon-ng start wlan0 and you should see that the mon0 interface listed. In order to do an injection test. Lab 3A Sniffing Data Packets This is a similar to lab 2 and will look more at the traffic being sent to and from the AP.As can be seen from the above screen shot the de-authentication packets are being sent from the attacker PC. Follow these instructions carefully: 1. You can also check with the ifconfig command. first start Wireshark and the filter expression (wlan.fc. bssid == 00:1E:E5:5A:D9:50) && !(wlan. Now run the following command aireplay-ng -9 -e Wireless Lab -a 00:1E:E5:5A:D9:50 mon0 on a terminal: Now from the client PC open a webpage to the AP and login. this is a HTTP Get packet and your looking for the GET/favicon. you will be looking for a specific packet. It is important to note that our card injected these arbitrary packets into the network without actually being connected to the access point Wireless Lab.type_subtype == 0x08).

It is not possible to tune into multiple channels at the same time. 3. The analogy I can give you is your car radio. To inject packets on a specific channel. there are multiple channels. channel hopping. What this means is. If you want to hear something else. with in wireshark look at the papcket details an see if you can find the username/password. Not all Wi-Fi cards support all these ranges and associated bands. The same principle applies to WLAN sniffing.4 GHz.6 GHz. the same applies to injection as well. we will need to select which channel is of interest to us.0 GHz. Though we have addressed WLAN sniffing in the previous paragraphs. Important note on WLAN sniffing and injection WLANs typically operate within three different frequency ranges—2. power levels. Let's now do some exercises on setting our card to specific channels. . we will need to put the card radio on that channel. This brings us to an important conclusion—we cannot sniff all channels at the same time. that if our access point of interest is on channel 1. we will need to set our card on channel 1. setting regulatory domains. It is important to note that your Wi-Fi card can only be on one channel at any given moment. You can tune it to only one of the available channels at any given time. Another interesting aspect of Wi-Fi is that in each of these bands. and 4.9/5. and so on.One you have found the packet. you will have to change the channel of the radio.

An easier way is to use airodump-ng with options to either hop channels arbitrarily or only a subset or only selected bands. One could write a simple script over it to make it do so. All these options are illustrated in the following screenshot when we run airodump-ng –help: .Looking at the wireless card 1.Lab 3B . Enter the iwconfig wlan0 command to check the capabilities of your card. As you can see in the following screenshot. the card can operate in the a/b/g/n bands: To set the card on a particular channel we use the iwconfig mon0 channel X commands: The iwconfig series of commands does not have a channel hopping mode.

but most network administrators think it does. In these labs. this measure does not provide robust security.Bypassing WLAN Authentication WLANs have weak authentication schemas. this can be done by looking at wireshark: As can be seen from the example above the broadcast is being sent from the AP. Thus. we will look at the various authentication schemas used in WLANs and learn how to beat them. . This allows clients in the vicinity to discover them easily. First check that the SSID is being transmitted. only clients which know the SSID of the access point can connect to it. Lab 4 . now going to the AP and disable the SSID broadcast.Finding hidden SSIDs 1. Unfortunately. which can be easily broken and bypassed. Hidden SSIDs is a configuration where the access point does not broadcast its SSID in the Beacon frames. all access points send out their SSIDs in the Beacon frames. In these labs. We will now look at how to uncover hidden SSIDs. we will look at the following: Uncovering hidden SSIDs Beating MAC filters Bypassing Open Authentication Bypassing Shared Key Authentication Hidden SSIDs In the default configuration mode.

With Kismet. the system is mainly menu driven. the first is using a network scanner called kismet. the tool will display all wireless networks in range and will list the channel and data being sent. as shown below. . there are a number of ways of finding hidden SSIDs. The SSID for the wireless_lab is hidden kismet will still show this network.Again check on wireshark that the SSID is not being shown.

thus revealing its presence. you can use aireplay-ng to send De-authentication packets to all stations on behalf of the Wireless Lab access point by typing aireplay-ng -0 5 -a 00:1E:E5:5A:D9:50 mon0. Finally.Explore the options with kismet. research an attack for the clients PCs within the network. This will generate Probe Request and Probe Response packets which will contain the SSID of the network. they can be very easily sniffed from the air and the SSID can be found. Alternatively. As these packets are not encrypted. these will show the SSID Even though the SSID is hidden and not broadcast. they exchange Probe Request and Probe Response packets. The second way of finding a hidden AP is to use a passive technique of waiting for a legitimate client to connect the access point. whenever a legitimate client tries to connect to the access point. . find the clients off the network. -a specifies the MAC address of the access point you are targeting: Within wireshark look for probe requests/response frames. and 5 is the number of Deauthentication packets to send. These packets contain the SSID of the access point. The -0 option is for choosing a De-authentication attack.

we can forcibly disconnect the clients from the access point by sending forged De-authentication packets on the air. The settings pages on my router look as follows: . they fail miserably in the wireless world. Try and check how you can selectively target individual clients using aireplay-ng. Here. all clients may be already connected to the access point and there may be no Probe Request/Response packets available in the Wireshark trace. Lab 5 MAC ADDRESS FILTERS Let us first configure our access point to use MAC filtering and then add the client MAC address of the victim laptop. The basic idea is to authenticate based on the MAC address of the client.In many cases. then attack the other teams network to find the SSID. This list of allowed MAC addresses will be maintained by the network administrator and will be fed into the access point.aircrack-ng. Unfortunately. These packets will force the clients to reconnect back to the access point. We will know look at how easy it is to bypass MAC filters. MAC filters MAC filters are an age old technique used for authentication and authorization and have their roots in the wired world. We will encourage you to explore the entire aircrack-ng suite of tools and other documentation located on their website: http://www. we sent broadcast De-authentication packets to force reconnection of all wireless clients. thus revealing the SSID. PLEASE KEEP THE SSID NAMES CLEAN! In the previous exercise. Challenge LAB 4B Find the SSID In groups of two teams (groups of 4) set up a Wireless network (as per lab1) but change the SSID name and make it hidden. it is possible to orchestrate these attacks with other tools like aircrack-ng suite as well. It is important to note that even though we are illustrating many of these concepts using Wireshark.

the connection will fail as shown next: . Once MAC filtering is enabled only the allowed MAC address will be able to successfully authenticate with the access point. If we try to connect to the access point from a machine with a nonwhitelisted MAC address.Add in the MAC address of the client PC to the list of permitted PC on the AP.

we can spoof the MAC address of the client using the macchanger utility which ships with BackTrack. You can use the command macchanger –m 60:FB:42:D5:E4:01 wlan0 to get this done. only clients associated and connected to an access point are shown. we will only monitor the access point which is of interest to us. The MAC address you specify with the -m option is the new spoofed MAC address for the wlan0 interface: . we can use airodump-ng to find the MAC addresses of clients connected to the access point. Once we find a whitelisted client's MAC address. The -c 1 sets the channel to 1 where the access point is. By specifying the bssid. The -a ensures that in the client section of the airodump-ng output. We can do this by issuing the commands airodump-ng -c 1 -a --bssid 00:1E:E5:5A:D9:50 mon0. This will show us all the client MAC addresses associated with the access point: As can be see from the above screen shot the MAC address from the client is highlighted.Wireshark show the authentication fail: In order to beat MAC filters.

2 KB) TX bytes:1736 (1. and it allowed us access to its wireless network. the other team then have to spoof the MAC Address of the client PC from BT5 and gain access to the AP. setup the lab and apply MAC Address filtering on a client PC.root@bt:~# macchanger -m 58:B0:35:70:C1:CE wlan0 Current MAC: 68:7f:74:f7:77:fd (unknown) Faked MAC: 58:b0:35:70:c1:ce (unknown) root@bt:~# ifconfig wlan0 wlan0 Link encap:Ethernet HWaddr 58:b0:35:70:c1:ce BROADCAST PROMISC MULTICAST MTU:1500 Metric:1 RX packets:210 errors:0 dropped:0 overruns:0 frame:0 TX packets:10 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:72228 (72. php? id=airodump-ng. .7 KB) No bring the wlan0 interface back up with the ifconfig wlan0 up and then connect to the AP via the wireless manager from BT5 You have monitored the air using airodump-ng and found the MAC address of legitimate clients connected to the wireless network. This fooled the access point into believing that we are the legitimate client. We then used the macchnager utility to change our wireless card's MAC address to match the client's.   Challenge Lab 5B MAC ADDRESS FILTERS In groups of two teams.aircrack-ng. You are encouraged to explore the different options of the airodump-ng utility by going through the documentation on their website:

The security problem here is that an attacker passively listening to this entire communication by sniffing the air has access to both the plain text challenge and the encrypted challenge. The exact exchange of information is illustrated next (taken from http://www. the client successfully authenticates. you will learn how to sniff the air to retrieve the challenge and the encrypted challenge. The wireless client sends an authentication request to the access point. retrieve the keystream. and use it to authenticate to the access point without needing the shared key. which responds back with a challenge. The client now needs to encrypt this challenge with the shared key and send it back to the access point. which decrypts this to check if it can recover the original challenge text. else it sends an authentication failed message. In this lab. This keystream can be used to encrypt any future challenge sent by the access point without needing to know the actual key.Shared Key Authentication Shared Key Authentication uses a shared secret such as the WEP key to authenticate the client. He can apply the XOR operation to retrieve the keystream. . If it succeeds.

Now we need to attack the network to find the key. However. we will first start sniffing packets between the access point and its clients. On a side note. it might be a good . The -w option which is new here. To do this we use airodump-ng using the command airodump-ng mon0 -c 11 --bssid 00:1E:E5:5A:D9:50 -w keystream. we would also like to log the entire shared authentication exchange. requests airodump-ng to store the packets in a file whose name is prefixed with the word "keystream".LAB 6 Shared Key Let us first set up Shared Authentication for our Wireless Lab network. In order to bypass Shared Key Authentication. I have done this on my access point by setting the Security Mode as WEP and Authentication as Shared Key: Log the client PC with the passkey.

. airodump-ng will capture this exchange automatically by sniffing the air. An indication that the capture has succeeded is when the AUTH column reads SKA that is.idea to store different sessions of packet captures in different files. Once a client connects and the shared key authentication succeeds. This allows you to analyze them long after the trace has been collected. Shared Key Authentication as shown next. We can either wait for a legitimate client to connect to the access point or force a reconnect using the Deauthentication technique used previously.