
CEH Lab Manual

Hacking Wireless Networks
Module 15

Module 15 - Hacking Wireless Networks

Hacking Wireless Networks


Wi-Fi is developed on IEEE 802.11 standards and is widely used in wireless
communication. It provides wireless access to applications and data across a radio
network.

Lab Scenario
Wireless network technology is becoming increasingly popular but, at the same time,
it has many security issues. A wireless local area network (WLAN) allows workers to
access digital resources without being tethered to their desks. However, the
convenience of WLANs also introduces security concerns that do not exist in a
wired world. Connecting to a network no longer requires an Ethernet cable. Instead,
data packets are airborne and available to anyone with the ability to intercept and
decode them. Several reports have explained weaknesses in the Wired Equivalent
Privacy (WEP) algorithm used by the 802.11x standard to encrypt wireless data.
To be an expert ethical hacker and penetration tester, you must have sound
knowledge of wireless concepts, wireless encryption, and their related threats. As a
security administrator of your company, you must protect the wireless network from
hacking.

Lab Objectives
The objective of this lab is to protect the wireless network from attackers.
In this lab, you will learn how to:

Crack WEP using various tools

Capture network traffic

Analyze and detect wireless traffic

Lab Environment
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 15
Hacking Wireless Networks

In the lab you will need a web browser with an Internet connection.

This lab requires an AirPcap adapter installed on your machine for all labs.

Lab Duration
Time: 30 Minutes

Overview of Wireless Network

A wireless network refers to any type of computer network that is wireless and is
commonly associated with a telecommunications network whose interconnections
between nodes are implemented without the use of wires. Wireless
telecommunications networks are generally implemented with some type of remote
information transmission system that uses electromagnetic waves such as radio
waves for the carrier. The implementation usually takes place at the physical
level or layer of the network.

Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Tasks
Pick an organization that you feel is worthy of your attention. This could be an
educational institution, a commercial company, or perhaps a nonprofit charity.
Recommended labs to assist you in Wireless Networks:

WiFi Packet Sniffing Using AirPcap with Wireshark

Cracking a WEP Network with Aircrack-ng for Windows

Sniffing the Network Using the OmniPeek Network Analyzer

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on
your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

WiFi Packet Sniffing Using AirPcap with Wireshark

The AirPcap adapter is a USB device that, when used in tandem with the AirPcap
drivers and WinPcap libraries, allows a pen tester to monitor 802.11b/g traffic in
monitor mode.


Lab Scenario
Wireless networks can be open to active and also passive attacks. These types of
attacks include DoS, MITM, spoofing, jamming, war driving, network hijacking,
packet sniffing, and many more. Passive attacks that take place on wireless networks
are common and are difficult to detect since the attacker usually just collects
information. Active attacks happen when a hacker has gathered information about
the network after a successful passive attack. Sniffing is the act of monitoring the
network traffic using legitimate network analysis tools. Hackers can use monitoring
tools, including AiroPeek, Ethereal, TCPDump, or Wireshark, to monitor the
wireless networks. These tools allow hackers to find an unprotected network that
they can hack. Your wireless network can be protected against this type of attack by
using strong encryption and authentication methods.
In this lab we discuss the Wireshark tool, which can sniff the network using a
wireless adapter. Since you are the ethical hacker and penetration tester of an
organization, you need to check the wireless security, exploit the flaws in WEP, and
evaluate weaknesses present in WEP for your organization.

Lab Objectives
The objective of this lab is to help students learn and understand how to:

Discover WEP packets

Lab Environment
Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 15
Hacking Wireless Networks

To execute the lab, you need:

Install AirPcap adapter drivers; to install, navigate to D:\CEH-Tools\CEHv8
Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source
tools, and double-click setup_airpcap_4_1_1.exe to install

When you are installing the AirPcap adapter drivers, if any installation error
occurs, install the AirPcap adapter drivers in compatibility mode (right-click
the AirPcap adapter driver exe file, select Properties -> Compatibility, in
compatibility mode, and select Windows7)

Wireshark located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless
Networks\AirPcap -Enabled Open Source tools\wireshark-win641.4.4.exe

Run this lab in Windows Server 2012 (host machine)

An access point configured with WEP on the host machine

This lab requires the AirPcap adapter installed on your machine. If
you don't have this adapter, please do not proceed with this lab

A standard AirPcap adapter with its drivers installed on your host machine

WinPcap libraries, Wireshark, and Cain & Abel installed on your host
machine

Administrative privileges to run AirPcap and other tools

Lab Duration
Time: 15 Minutes

Overview of WEP (Wired Equivalent Privacy)


Several serious weaknesses in the protocol have been identified by cryptanalysts
with the result that, today, a WEP connection can be easily cracked. Once entered
onto a network, a skilled hacker can modify software, network settings, and other
security settings.
Wired Equivalent Privacy (WEP) is a deprecated security algorithm for IEEE
802.11 wireless networks.

Lab Tasks
Configure AirPcap

Download AirPcap drivers from the site and follow the wizard-driven installation
steps to install AirPcap drivers.

Note: You can download AirPcap drivers from
http://www.airdemon.net/riverbed.html

1. Launch the Start menu by hovering the mouse cursor on the lower-left
corner of the desktop.

FIGURE 1.1: Windows Server 2012 Desktop view

2.

Note: The AirPcap adapters can work in monitor mode. In this mode, the AirPcap
adapter captures all of the frames that are transferred on a channel, not just
frames that are addressed to it.

FIGURE 1.2: Windows Server 2012 Apps

3. Click the AirPcap Control Panel app to open the AirPcap Control
Panel window.

The AirPcap Control Panel window appears.

Note: The Multi-Channel Aggregator can be configured like any real AirPcap
device, and therefore can have its own decryption, FCS checking and packet
filtering settings.

FIGURE 1.3: AirPcap Control Panel window

4. On the Settings tab, click the Interface drop-down list and select AirPcap
USB wireless capture adapter.

5. In the Basic Configuration section, select suitable Channel, Capture Type,
and FCS Filter and check the Include 802.11 FCS in Frames check box.
Note: In Basic Configuration box settings: Channel: The channels available in
the Channel list box depend upon the selected adapter. Since channel numbers in
the 2.4GHz and 5GHz bands overlap and there are center frequencies (channels)
that do not have channel numbers, each available channel is given by its center
frequency.

FIGURE 1.4: AirPcap Control Panel window

6. Now, click the Keys tab. Check the Enable WEP Decryption check box.
This enables the WEP decryption algorithm. You can Add New Key,
Remove Key, Edit Key, and Move Key Up and Down.

7. After configuring settings and keys, click OK.

Note: In Basic Configuration Settings: Extension Channel: For 802.11n adapters,
one can use the Extension Channel list to create a wide channel. The choices are
-1 (the preceding 20MHz frequency band), 0 (no extension channel), or +1 (the
succeeding 20MHz frequency band). The channel of the additional frequency band
is called the extension channel.

FIGURE 1.5: AirPcap Control Panel window

Capturing the packets

8. Launch Wireshark Network Analyzer. The Wireshark main window
appears.
Note: You can download Wireshark from http://www.wireshark.org.

FIGURE 1.6: Wireshark Network Analyzer main window

9. Configure AirPcap as an interface to Wireshark. Select Capture ->
Interface... (Ctrl+I). You can also click the icon on the toolbar.

Note: The following are some of the many features Wireshark provides, available
for UNIX and Windows.
* Capture live packet data from a network interface.
* Display packets with very detailed protocol information.
* Open and Save packet data captured.
* Import and Export packet data from and to a lot of other capture programs.
* Filter packets on many criteria.
* Search for packets on many criteria.
* Colorize packet display based on filters.
* Create various statistics.

FIGURE 1.7: Wireshark Network Analyzer with interface option

10. The Wireshark: Capture Interfaces window appears. By default, the
AirPcap adapter is not in running mode. Select the AirPcap USB wireless
capture adapter nr. 00 check box. Click Start.
Note: Wireshark isn't an intrusion detection system. It does not warn you when
someone does things on your network that he/she isn't allowed to do. However, if
strange things happen, Wireshark might help you figure out what is really going on.

FIGURE 1.8: Wireshark Capture Interface

11. Automatically, the Capturing from AirPcap USB wireless capture
adapter nr. 00 - Wireshark window appears, and it starts capturing
packets from AirPcap Adapter.

Note: Wireshark can capture traffic from many different network media types,
and despite its name, including wireless LAN as well. Which media types are
supported depends on many things, such as the operating system you are using.

FIGURE 1.9: Wireshark Network Analyzer window with packets captured

12. Wait while Wireshark captures packets from AirPcap. If the Filter Toolbar
option is not visible on the toolbar, select View -> Filter Toolbar. The
Filter Toolbar appears.
Note: Wireshark doesn't benefit much from Multiprocessor/Hyperthread systems
as time-consuming tasks, like filtering packets, are single threaded. No rule is
without exception: During an update list of packets in real time capture, capturing
traffic runs in one process and dissecting and displaying packets runs in another
process, which should benefit from two processors.
Note: Wireshark can open packets captured from a large number of other capture
programs.

FIGURE 1.10: Wireshark Network Analyzer window with interface option

13. Now select View -> Wireless Toolbar. The wireless toolbar appears in the
window.
Note: Wireshark is a network packet analyzer that captures network packets and
tries to display that packet data as detailed as possible.

FIGURE 1.11: Wireshark Network Analyzer window with wireless toolbar option

14. You will see the source and destination of the packet captured by
Wireshark.
Note: One possible alternative is to run tcpdump, or the dumpcap utility that
comes with Wireshark, with superuser privileges to capture packets into a file,
and later analyze these packets by running Wireshark with restricted privileges
on the packet capture dump file.

FIGURE 1.12: Wireshark Network Analyzer window with 802.11 channel captured packets

15. After enough packet captures, stop Wireshark.

FIGURE 1.13: Stop Wireshark packet capture

16. Go to File from menu bar, and select Save

The latest version is faster and contains a lot of new features, like APR (ARP Poison Routing), which enables sniffing on switched LANs and Man-in-the-Middle attacks.

[Screenshot: Wireshark window titled "AirPcap USB wireless capture adapter nr. 00" with the File menu open over the captured 802.11 frames. Status bar: Packets: 7649, Displayed: 69, Marked: 0.]

FIGURE 1.14: Save the captured packets

17. Enter the File name, and click Save.


Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.


[Screenshot: Wireshark "Save file as" dialog opened in the "AirPcap -Enabled Open Source tools" folder, with File name set to "Packet capture" and the packet range options (Captured, Displayed, Selected packet, Marked packets) below.]

FIGURE 1.15: Save the Captured packet file

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Wireshark

Information Collected/Objectives Achieved:
Used Adapter: AirPcap USB wireless capture adapter nr. 00
Result: Number of sniffed packets captured by Wireshark in the network, which include: Packet Number, Time, Source, Destination, Protocol, and Info


Questions
1. Evaluate and determine the number of wireless cards supported by the wireless scanner.
2. Analyze and evaluate how AirPcap adapters operate.

Internet Connection Required

0 Yes

0 No

Platform Supported
0 Classroom
iLabs


Lab

Cracking a WEP Network with Aircrack-ng for Windows
Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that recovers keys once enough data packets have been captured. It implements the standard FMS attack along with some optimisations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.

Lab Scenario
Network administrators can take steps to help protect their wireless network from outside threats and attacks. Most hackers will post details of any loops or exploits online, and if they find a security hole, they will come in droves to test your wireless network with it. WEP is used for wireless networks. Always change your SSID from the default before you actually connect the wireless router for the access point. If SSID broadcast is not disabled on an access point, a DHCP server should not be used to automatically assign IP addresses to wireless clients, because war driving tools can easily detect your internal IP addressing if SSID broadcasts are enabled and DHCP is being used.
As an ethical hacker and penetration tester of an organization, your IT director will assign you the task of testing wireless security, exploiting the flaws in WEP, and cracking the keys present in WEP of an organization. In this lab we discuss how WPA keys are cracked using standard attacks such as KoreK attacks and PTW attacks.

Tools demonstrated in this lab are available on D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks

Lab Objectives
The objective of this lab is to protect the wireless network from attackers.
In this lab, you will learn how to:

Crack WEP using various tools

Capture network traffic

Analyze and detect wireless traffic


Lab Environment
To execute the lab, you need:

Aircrack-ng located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\WEP-WPA Cracking Tools\Aircrack-ng\bin

This tool requires Administrative privileges to run

A client connected to a wireless access point

This lab requires an AirPcap adapter installed on your machine. If you don't have this adapter, please do not proceed with the lab

Visit the Backtrack home site http://www.backtrack-linux.org for a complete list of compatible Wi-Fi adapters.

Lab Duration
Time: 20 Minutes

Overview of Aircrack-ng
A wireless network refers to any type of computer network that is wireless, and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves, such as radio waves, for the carrier, and this implementation usually takes place at the physical level or layer of the network.

Aireplay filter option: -b bssid: MAC address, access point.

Lab Task
Task: Cracking a WEP Network
1. Launch Aircrack-ng GUI from D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap\bin by double-clicking Aircrack-ng GUI.exe.

2. Click the Airodump-ng tab.

To start wlan0 in monitor mode type: airmon-ng start wlan0.

To stop wlan0 type: airmon-ng stop wlan0.

FIGURE 2.1: Airodump-ng window


3. Click Launch. This will show the airodump window.

airodump-ng 0.9 - (C) 2006 Thomas d'Otreppe
Original work: Christophe Devine

usage: airodump-ng <nic index> <nic type> <channel(s)> <output prefix> [ivs only flag]

Known network adapters:
1  AirPcap USB wireless capture adapter nr. 00

Network interface index number ->

FIGURE 2.2: Airodump-ng selecting adapter window

To confirm that the card is in monitor mode, run the command iwconfig. You can then confirm the mode is monitor and the interface name.

4. Type the AirPcap adapter index number as 0 and select all channels by typing 11. Press Enter.

airodump-ng 0.9 - (C) 2006 Thomas d'Otreppe
Original work: Christophe Devine

usage: airodump-ng <nic index> <nic type> <channel(s)> <output prefix> [ivs only flag]

Known network adapters:
1  AirPcap USB wireless capture adapter nr. 00

Network interface index number -> 0
Channel(s): 1 to 14, 0 = all -> 11
(note: if you specify the same output prefix, airodump will resume
the capture session by appending data to the existing capture file)
Output filename prefix ->

FIGURE 2.3: Airodump-ng selecting adapter window

Aircrack-ng option: -b bssid. Long version: --bssid. Select the target network based on the access point's MAC address.

For cracking WPA/WPA2 pre-shared keys, only a dictionary method is used. SSE2 support is included to dramatically speed up WPA/WPA2 key processing.

5. It will prompt you for a file name. Enter Capture and press Enter.


airodump-ng 0.9 - (C) 2006 Thomas d'Otreppe
Original work: Christophe Devine

usage: airodump-ng <nic index> <nic type> <channel(s)> <output prefix> [ivs only flag]

Known network adapters:
1  AirPcap USB wireless capture adapter nr. 00

Network interface index number -> 0
Channel(s): 1 to 14, 0 = all -> 11
(note: if you specify the same output prefix, airodump will resume
the capture session by appending data to the existing capture file)
Output filename prefix -> capture
(note: to save space and only store the captured WEP IVs, press y.
The resulting capture file will only be useful for WEP cracking)
Only write WEP IVs (y/n) ->

FIGURE 2.4: Airodump-ng selecting adapter window

Aircrack-ng completes determining the key; it is presented to you in hexadecimal format such as KEY FOUND! [BF:53:9E:DB:37].

6. Type y in Only write WEP IVs. Press Enter.

[Screenshot: the same airodump-ng 0.9 console as Figure 2.4, at the "Only write WEP IVs (y/n)" prompt.]

FIGURE 2.5: Airodump-ng dumping the captured packets window

Airodump option: -f <msecs>: Time in ms between hopping channels.

Aireplay filter option: -d dmac: MAC address, Destination.

7. After pressing y it will display Wi-Fi traffic; leave it running for a few minutes.

8. Allow airodump-ng to capture a large number of packets (above 2,000,000).


[Screenshot: airodump-ng 0.9.3 console on channel 11. The upper table lists access points under the columns BSSID, PWR, Beacons, # Data, CH, MB, ENC and ESSID, with ENC values of WEP?, WPA, OPN and WEP; the NETGEAR network (channel 11, ENC WEP) shows 53036 beacons and 224385 data packets. The lower table lists associated clients under the columns BSSID, STATION, PWR, Packets and ESSID.]

FIGURE 2.6: Airodump-ng Channel listing window

airmon-ng is a bash script designed to turn wireless cards into monitor mode. It auto-detects which card you have and runs the right commands.

Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vectors) for the intent of using them with aircrack-ng.

9. Now close the window.

10. Go to Aircrack-ng and click Advanced Options.

[Screenshot: Aircrack-ng GUI with the tabs Aircrack-ng, Airodump-ng, Airdecap-ng, WZCook and About. The Aircrack-ng tab shows Filename(s) with a Choose button, Encryption (WEP or WPA), Key size (128 bits), Use wordlist, Use PTW attack, and the advanced options Specify ESSID, Specify BSSID, Fudge factor, Disable KoreK attacks, Key search filter (Alphanumeric characters, BCD characters, Numeric (Fritz!BOX)), Bruteforce (Last keybytes bruteforce, Multithreading bruteforce, Single Bruteforce attack), and a Launch button.]

FIGURE 2.7: Aircrack-ng options window

11. Click Choose and select the filename capture.ivs.

Note: This is a different file from the one you recorded; this file contains precaptured IVS keys. The path is D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap


Note: To save time capturing the packets, for your reference, the capture.ivs file (this capture.ivs file contains more than 200000 packets) is at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap.

12. After selecting the file, click Launch.
To put your wireless card into monitor mode: airmon-ng start rausb0.

[Screenshot: Aircrack-ng GUI, Aircrack-ng tab, with the capture.ivs path from the "AirPcap -Enabled Open Source tools" folder in Filename(s), Encryption set to WEP, Key size 128 bits, Advanced options shown, and the Launch button.]

FIGURE 2.8: Aircrack-ng launch window

You may use this key without the ":" in your wireless client connection prompt and specify that the key is in hexadecimal format to connect to the wireless network.

13. If you get enough captured packets, you will be able to crack the packets.

14. Select your target network from BSSID and press Enter.
Opening D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap\capture.ivs
Read 231344 packets.

00:09:5B:AE:24:CC  WEP (231233 IVs)
94:44:52:F2:45:0C  WEP (111 IVs)

Index number of target network ? 1

FIGURE 2.9: Select target network


Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng.

[Screenshot: aircrack-ng 0.9.3 console at [00:00:06], "Tested 1 keys (got 164492 IVs)", showing the KB / depth / byte(vote) table followed by "KEY FOUND! [ BF:53:9E:DB:37 ]" and "Decrypted correctly: 100%".]

FIGURE 2.10: aircrack-ng with WEP crack key

Lab Analysis
Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Aircrack-ng

Information Collected/Objectives Achieved:
Number of packet captured: 224385
Cracked wireless adaptor name: NETGEAR
Output: Decrypted key BF:53:9E:DB:37
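
For the security-posture write-up this lab asks for, the access-point table in Figure 2.6 can be reviewed programmatically. The following is an added Python example, not part of the lab manual or of the aircrack-ng suite: it parses a listing in that column layout and reports every network whose ENC column is OPN, WEP or WEP?. The sample listing and all names in the code are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the column layout of the airodump-ng listing in
# Figure 2.6 (access points first, then the client table). Values are made up.
SAMPLE_LISTING = """\
 BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID

 02:00:00:00:00:01  -10    53036   224385  11  54  WEP   LAB-AP-ONE
 02:00:00:00:00:02  -80     5496     2146  11  48  WPA   LAB-AP-TWO
 02:00:00:00:00:03  -78        5        0   1  48  WEP?  LAB AP THREE
 02:00:00:00:00:04  -77       13        0   1  54  OPN   LAB-GUEST
 02:00:00:00:00:05  -81        5        0  11  54  OPN
 truncated row  -81

 BSSID              STATION            PWR  Packets  ESSID

 02:00:00:00:00:01  02:00:00:00:00:aa  -33   125920  LAB-AP-ONE
"""

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# ENC column value -> (severity, reason the network is reported).
WEAK_ENC = {
    "OPN": ("high", "no encryption; traffic is readable by any receiver in range"),
    "WEP": ("high", "WEP keys are recoverable from captured traffic; move to WPA2 or later"),
    "WEP?": ("review", "WEP or stronger, not yet determined; survey again with more traffic"),
}


@dataclass
class AccessPoint:
    bssid: str
    power: int
    beacons: int
    data: int
    channel: int
    rate: str
    enc: str
    essid: str


def parse_access_points(listing):
    """Return the access-point rows, ignoring headers, junk and the client table."""
    aps = []
    for line in listing.splitlines():
        fields = line.split(None, 7)  # maxsplit keeps ESSIDs containing spaces whole
        if not fields:
            continue
        if fields[0] == "BSSID":
            if "STATION" in fields:
                break  # the client table starts here; no access points follow
            continue
        if len(fields) < 7 or not MAC_RE.match(fields[0]):
            continue  # truncated or malformed row
        try:
            power, beacons, data, channel = (int(f) for f in fields[1:5])
        except ValueError:
            continue
        essid = fields[7].strip() if len(fields) > 7 else ""
        aps.append(AccessPoint(fields[0].upper(), power, beacons, data,
                               channel, fields[5], fields[6], essid))
    return aps


def audit(listing):
    """Return (bssid, essid, enc, severity, reason) for each weakly protected network."""
    findings = []
    for ap in parse_access_points(listing):
        if ap.enc in WEAK_ENC:
            severity, reason = WEAK_ENC[ap.enc]
            findings.append((ap.bssid, ap.essid or "<no ESSID>", ap.enc, severity, reason))
    return findings


if __name__ == "__main__":
    for bssid, essid, enc, severity, reason in audit(SAMPLE_LISTING):
        print(f"[{severity}] {bssid} {essid!r} ENC={enc}: {reason}")
```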

Questions
1. Analyze and evaluate how aircrack-ng operates.
2. Does the aircrack-ng suite support Airpcap Adapter?


Internet Connection Required

Yes

0 No

Platform Supported
0 iLabs


3
Sniffing the Network Using the OmniPeek Network Analyzer
OmniPeek is a standalone network analysis tool used to solve network problems.

Lab Scenario
Packet sniffing is a form of wire-tapping applied to computer networks. It came into vogue with Ethernet; this means that traffic on a segment passes by all hosts attached to that segment. Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone's traffic. Most of the hubs/switches allow the intruder to sniff remotely using SNMP, which has weak authentication. Using POP, IMAP, HTTP Basic, and telnet authentication, an intruder reads the password off the wire in cleartext.
To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. OmniPeek network analysis performs deep packet inspection, network forensics, troubleshooting, and packet and protocol analysis of wired and wireless networks. In this lab we discuss wireless packet analysis of captured packets.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks

Lab Objectives
The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Lab Environment
In this lab, you need:

Advanced OmniPeek Network Analyzer located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\Wi-Fi Packet Sniffer\OmniPeek Network Analyzer

You can also download the latest version of OmniPeek Network Analyzer from the link http://www.wildpackets.com


If you decide to download the latest version, then screenshots shown in the lab might differ

Run this tool in Windows Server 2008

A web browser and Microsoft .NET Framework 2.0 or later

Double-click OmniPeek682demo.exe and follow the wizard-driven installation steps to install OmniPeek

Administrative privileges to run tools

Lab Duration
Time: 20 Minutes

Overview of OmniPeek Network Analyzer
OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of each and every part of the network from a single interface, which includes Ethernet, Gigabit, 10 Gigabit, VoIP, Video to remote offices, and 802.11 a/b/g/n.

You can download OmniPeek Network Analyzer from http://www.wildpackets.co

Lab Tasks
Task: Analyzing WEP Packets

1. Launch OmniPeek by selecting Start > All Programs > WildPackets OmniPeek Demo.

2. Click View sample files.

[Screenshot: WildPackets OmniPeek Start Page with New Capture, Open Capture File, View OmniEngines and Start Monitor, a Recent Files list (WEP.pkt, Packet Examples.pkt, WPA.pkt) from the OmniPeek Demo samples folder, and the Documentation, Resources (including "View sample files"), Technical Support and Training & Services sections.]

FIGURE 3.1: OmniPeek main window

3. Select WEP.pkt.


OmniPeek gives network engineers real-time visibility and Expert Analysis into every part of the network from a single interface, including Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless, VoIP, and Video to remote offices.

[Screenshot: "WildPackets OmniPeek Sample Files" page listing the sample capture files, including the packet samples with a variety of wired traffic and the encrypted wireless samples for the BlackSlate SSID.]

FIGURE 3.2: OmniPeek Sample Files Window

4. It will open WEP.pkt in the window. Select Packets from the left pane.

FIGURE 3.3: TELNET-UnWEP packets Window

5. Double-click any of the packets in the right pane.


Comprehensive network performance management and monitoring of entire enterprise networks, including network segments at remote offices.

[Screenshot: OmniPeek Packets view of WEP.pkt. The left pane lists the Dashboards, Capture, Expert, Web, Voice & Video, Visuals, Statistics and Wireless views; the right pane lists the captured packets with Source, Destination, BSSID, Flags, Channel, Signal, Data Rate and Size columns.]

FIGURE 3.4: TELNET-UnWEP packets analyzer

6. Click the right arrow to view the next packet.

OmniPeek Connect manages an organization's Omnipliance and TimeLine network recorders, and provides all the console capabilities of OmniPeek Enterprise with the exception of local capture and VoIP call playback.

[Screenshot: OmniPeek decode of Packet 3 of WEP.pkt. Packet information: Packet Number, Flags, Status, Packet Length (115), Timestamp, Data Rate, Channel (1, 2412 MHz, 802.11b), Signal Level, Signal dBm, Noise Level, Noise dBm. 802.11 MAC Header: Version 0, Type %00 Management, Subtype %1000 Beacon, and the Frame Control Flags, including Non-Protected Frame and No More Data. A hex dump of the frame is shown below the decode.]

FIGURE 3.5: TELNET-UnWEP packets frame window

7. Close the tab from the top and select different options from the right pane; click Graphs.


OmniPeek Enterprise also provides advanced Voice and Video over IP functionality including signaling and Media analyses of voice and video, VoIP playback, voice and video Expert Analysis, Visual Expert, and more.

[Screenshot: OmniPeek Graphs view for WEP.pkt showing the Packet Size Distribution graph, with the list of available graphs (for example Application Layer Protocols by Bytes, ARP Analysis, Broadcasts Compared to Total, TCP vs UDP, Wireless: Access Points vs. Clients, Wireless: Data Types, Wireless: Packet Types).]

FIGURE 3.6: WEP Graphs window

8. Now traverse through all the options in the left pane of the window.
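
The Frame Control decode that the figures in this module display (Wireshark: Frame Control 0x00D4, Type/Subtype 0x1d; OmniPeek: Type %00 Management, Subtype %1000 Beacon, Non-Protected Frame), written out as an added Python example that is not part of the lab manual. The sample frames are constructed; only the first two bytes of the acknowledgement match the value shown in the Wireshark figure, and the function names are assumptions of this example.

```python
FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}

# (type, subtype) -> name, limited to frame kinds named in the lab's figures.
SUBTYPES = {
    (0, 8): "Beacon",
    (1, 13): "Acknowledgement",
    (2, 0): "Data",
    (2, 4): "Null function (no data)",
    (2, 8): "QoS Data",
}

# Bits of the second Frame Control byte, least significant bit first.
FLAG_NAMES = ["To DS", "From DS", "More Fragments", "Retry",
              "Power Management", "More Data", "Protected Frame", "Order"]


def decode_frame_control(frame: bytes) -> dict:
    """Decode the first two bytes of an 802.11 frame (FCS and radio headers aside)."""
    if len(frame) < 2:
        raise ValueError("an 802.11 frame starts with a 2-byte Frame Control field")
    first, flags = frame[0], frame[1]
    ftype = (first >> 2) & 0x3
    subtype = (first >> 4) & 0xF
    result = {
        # Little-endian 16-bit value, which is how Wireshark prints 0x00D4.
        "frame_control": int.from_bytes(frame[:2], "little"),
        "version": first & 0x3,
        "type": FRAME_TYPES[ftype],
        "subtype": SUBTYPES.get((ftype, subtype), f"subtype {subtype}"),
        # Combined value as Wireshark shows it: type in the high nibble.
        "type_subtype": (ftype << 4) | subtype,
        "flags": [name for bit, name in enumerate(FLAG_NAMES) if flags & (1 << bit)],
        "protected": bool(flags & 0x40),
        "carries_data": ftype == 2 and not subtype & 0x4,
        "receiver": None,
    }
    if len(frame) >= 10:  # Address 1 follows the 2-byte Duration/ID field
        result["receiver"] = ":".join(f"{b:02x}" for b in frame[4:10])
    return result


def cleartext_data_frames(frames):
    """Indexes of data-bearing frames sent without the Protected Frame bit."""
    hits = []
    for index, frame in enumerate(frames):
        fc = decode_frame_control(frame)
        if fc["carries_data"] and not fc["protected"]:
            hits.append(index)
    return hits


# Constructed frames: Frame Control, Duration, Address 1 (plus a dummy FCS on the ACK).
ACK = bytes.fromhex("d4000000" "020000000001" "00000000")
BEACON = bytes.fromhex("80000000" "ffffffffffff")
PROTECTED_DATA = bytes.fromhex("08410000" "020000000001")
CLEAR_DATA = bytes.fromhex("08010000" "020000000001")
NULL_FUNCTION = bytes.fromhex("48110000" "020000000001")
SAMPLE_FRAMES = [ACK, BEACON, PROTECTED_DATA, CLEAR_DATA, NULL_FUNCTION]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        fc = decode_frame_control(frame)
        print(f"0x{fc['frame_control']:04X} {fc['type']}/{fc['subtype']} "
              f"flags={fc['flags']} receiver={fc['receiver']}")
    print("cleartext data frames at indexes:", cleartext_data_frames(SAMPLE_FRAMES))
```

A data frame without the Protected Frame bit carries its payload unencrypted, which is the condition the OmniPeek decode labels "Non-Protected Frame".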

Lab Analysis
Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: OmniPeek Network Analyzer

Information Collected/Objectives Achieved:
Packet Information:

Packet Number

Flags

Status

Packet Length

Timestamp

Data Rate

Channel

Signal level


Signal dBm

Noise Level

Noise dBm

802.11 MAC Header Details

Questions
1. Analyze and evaluate the list of captured packets.

Internet Connection Required

0 Yes

No

Platform Supported
0 Classroom
iLabs
