CEH Lab Manual

Hacking Wireless Networks
Module 16

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Icon key: Valuable information; Test your knowledge; Web exercise; Workbook review

Through radio frequency technology, Wi-Fi allows devices to access wireless networks without cables from anywhere within range of an access point.

Lab Scenario

Wireless networking is revolutionizing the way people work and play. A wireless local area network (WLAN) is an unbounded data communication system, based on the IEEE 802.11 standard, which uses radio frequency technology to communicate with devices and obtain data. This network frees the user from complicated and multiple wired connections. With the need for a physical connection or cable removed, individuals are able to use networks in new ways, and data has become ever more portable and accessible.

Although wireless networking technology is becoming increasingly popular because of its convenience, it has many security issues, some of which do not exist in wired networks. By nature, wirelessly transferred data packets are airborne and available to anyone with the ability to intercept and decode them. For example, several reports have demonstrated the weaknesses in the Wired Equivalent Privacy (WEP) security algorithm, specified in the 802.11x standard, which is designed to encrypt wireless data.

As an ethical hacker or penetration tester (hereafter, pen tester), you must have sound knowledge of wireless concepts, wireless encryption, and related threats in order to protect your company's wireless network from unauthorized access and attacks. You should determine critical sources, risks, or vulnerabilities associated with your organization's wireless network, and then check whether the current security system is able to protect the network against all possible attacks.
Lab Objectives

The objective of the lab is to protect the target wireless network from unauthorized access. To do so, you will perform various tasks that include, but are not limited to:

* Discover Wi-Fi networks
* Capture and analyze wireless traffic
* Crack WEP, WPA, and WPA2 Wi-Fi networks

Lab Environment

To carry out this lab, you need:

* Windows 10 virtual machine
* Parrot Security virtual machine
* Linksys 802.11 g WLAN adapter
* Web browsers with an Internet connection
* Administrator privileges to run the tools

Lab Duration

Time: 125 Minutes

Overview of Wireless Networking

In wireless networks, communication takes place through radio wave transmission, which usually takes place at the physical layer of the network structure. Thanks to the wireless communication revolution, fundamental changes to data networking and telecommunication are taking place. This means that you will need to know and understand several types of wireless networks. These include:

* Extension to a wired network: A wired network is extended by the introduction of access points between the wired network and wireless devices
* Multiple access points: Multiple access points connect computers wirelessly
* LAN-to-LAN wireless network: All hardware APs have the ability to interconnect with other hardware access points
* 3G/4G hotspot: A mobile device shares its cellular data wirelessly with Wi-Fi-enabled devices such as MP3 players, notebooks, tablets, cameras, PDAs, and netbooks

Lab Tasks

Ethical hackers or pen testers use numerous tools and techniques to hack target wireless networks.
The recommended labs that will assist you in learning various wireless network hacking techniques include:

1 Footprint a Wireless Network
  1.1 Find Wi-Fi Networks in Range using NetSurveyor
2 Perform Wireless Traffic Analysis
  2.1 Find Wi-Fi Networks and Sniff Wi-Fi Packets using Wash and Wireshark
3 Perform Wireless Attacks
  3.1 Find Hidden SSIDs using Aircrack-ng
  3.2 Crack a WEP Network using Wifiphisher
  3.3 Crack a WEP Network using Aircrack-ng
  3.4 Crack a WPA Network using Fern Wifi Cracker
  3.5 Crack a WPA2 Network using Aircrack-ng
  3.6 Create a Rogue Access Point to Capture Data Packets using MANA-Toolkit

Remark

EC-Council has prepared a considered amount of lab exercises for students to practice during the 5-day class and at their free time to enhance their knowledge and skill.

*Core - Lab exercise(s) marked under Core are recommended by EC-Council to be practised during the 5-day class.
**Self-study - Lab exercise(s) marked under Self-study are for students to practise at their free time. Steps to access the additional lab exercises can be found in the first page of the CEH volume 1 book.
***iLabs - Lab exercise(s) marked under iLabs are available in our iLabs solution. iLabs is a cloud-based virtual lab environment preconfigured with vulnerabilities, exploits, tools, and scripts, and can be accessed from anywhere with an Internet connection. If you are interested to learn more about our iLabs solution, please contact your training center or visit https://ilabs.eccouncil.org.

Lab Requirements

Before you begin the labs in this module, you must configure your environment so that you can connect your machine to a wireless network. For this purpose, you will need a wireless network adapter and an access point.

The demonstrations in this lab use a Linksys 802.11 g WLAN adapter and CEH-LABS as the access point.
The CEH-LABS access point has been configured with WEP, WPA, and WPA2 encryption as per the lab requirements.

Note: Here, the WEP encryption key is 1234567890. The WPA and WPA2 encryption password is password1.

Note: If you decide to use a different wireless adapter, the steps to set up the adapter might differ.

1. Connect your access point CEH-LABS.

Note: Ensure that the wireless router is plugged in to the network/Internet.

2. Turn on the Windows 10 virtual machine, and log in with the credentials Admin and Pa$$w0rd.

3. Navigate to E:\CEH-Tools\CEHv11 Lab Prerequisites\Linksys Adapter, right-click setup64.exe, and click the Troubleshoot compatibility option.

[Figure: The Linksys Adapter folder]

4. The Program Compatibility Troubleshooter wizard appears and begins Detecting Issues.

5. After the issues have been detected, the Select troubleshooting option wizard appears; click Try recommended settings.

[Figure 2: Click Try recommended settings]

6. In the Test compatibility settings for the program wizard, click Test the Program...
[Figure: Program Compatibility Troubleshooter wizard]

7. A User Account Control pop-up appears; click Yes.

8. The Linksys Adapter Setup Wizard appears; click Next.

[Figure 4: Linksys Adapter Setup Wizard]

9. In the License Agreement wizard, check the I accept this agreement checkbox and click Next.

10. The Preparing System for Install wizard appears; wait for it to complete.

[Figure 5: Preparing System for Install wizard]

11. The Insert Adapter wizard appears. Plug your Linksys 802.11 g WLAN adapter into an available USB port.

[Figure: Insert Adapter wizard]

12. After connecting the Linksys 802.11 g WLAN adapter, a New USB Device Detected window appears. Select the Connect to a virtual machine radio-button under Choose where you would like to connect Linksys 802.11 g WLAN, and under Virtual Machine Name, select Windows 10; click OK.
[Figure 7: New USB Device Detected window]

13. In the Linksys Adapter Setup Wizard window, observe that the adapter starts Installing...

14. After the installation completes, a Congratulations! Your adapter has been installed correctly notification appears; click Next.

[Figure 8: Adapter Install notification]

15. An Installing Linksys Wireless Manager wizard appears and installs the Linksys software. On completion, the Connect to a Wireless Network wizard appears and the adapter starts searching for available wireless networks.

16. The list of the available wireless networks in range appears, as shown in the screenshot.

17. Select CEH-LABS and click the Connect button.

[Figure: Connect to a Wireless Network wizard]

18. In the Quickly Connect Using Push Button wizard, click Skip.

19. In the Connect to a Wireless Network wizard, type the password of wireless network CEH-LABS (in this example, password1) in the Your network requires a security key. Enter it here: field, and click Next.

[Figure 10: Connect to a Wireless Network wizard]

20. The wizard shows the message Checking Connection as the adapter attempts to connect to the network.

21. The Connected to Your Network screen appears in the wizard once the connection has been established. Click Finish to exit the setup.

[Figure 11: Connected to Your Network message]

22. When the Linksys Adapter Setup Wizard notification appears, click OK.
[Figure 12: Linksys Adapter Setup Wizard notification]

23. A Manage your wireless networks pop-up appears; click OK.

[Figure 13: Manage your wireless networks pop-up]

24. Close all windows and click Show hidden icons from the bottom-right corner of Desktop. You can observe the Wireless Network Connection icon, as shown in the screenshot.

25. You can double-click the Wireless Network Connection icon to manage wireless network connections.

[Figure 14: Wireless Network Connection icon]

26. Your Linksys 802.11 g WLAN adapter has been configured successfully.

27. In this way, you can connect your virtual machines to a wireless network. Repeat these steps if you wish to connect to the wireless network with another virtual machine.

Note: You can use the adapter for only one virtual machine at a time.

Now that we have set up the wireless adapter, we shall disable the Ethernet adapter. To do this, follow these steps:

28. In the Windows 10 virtual machine, open Control Panel and navigate to Network and Internet -> Network and Sharing Center.

29. In the Network and Sharing Center window, click Change adapter settings in the left pane.
[Figure 15: Network and Sharing Center window]

30. In the Network Connections window, right-click the Ethernet0 adapter and click Disable from the options.

31. The Ethernet0 adapter is disabled; observe that the Wi-Fi adapter is connected to the CEH-LABS network.

[Figure 16: Wi-Fi adapter connected]

32. Close all open windows and turn off the Windows 10 virtual machine.

Lab Analysis

Analyze and document the results related to this lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB

Footprint a Wireless Network

Footprinting a wireless network involves discovering and footprinting the wireless network in an active or passive way.

Lab Scenario

As a professional ethical hacker or pen tester, your first step in hacking wireless networks is to find a Wi-Fi network or device. You can locate a target wireless network using various Wi-Fi discovery tools and procedures, including wireless footprinting and identifying an appropriate target that is in range.

Attackers scan for Wi-Fi networks with the help of wireless network scanning tools, which tune to the various radio channels of networking devices.
The SSID (Service Set Identifier), which is the wireless network's name, is found in beacons, probe requests, and responses, as well as association and re-association requests. Attackers can obtain the SSID of a network by passive or active scanning. After doing so, they can connect to the wireless network and launch attacks.

As an ethical hacker and pen tester, you must perform footprinting to detect the SSID of a wireless network in the target organization. This will help to predict how effective additional security measures will be in strengthening and protecting your target organization's networks.

The labs in this exercise demonstrate how to footprint a wireless network using various tools and techniques.

Lab Objectives

* Find Wi-Fi networks in range using NetSurveyor

Lab Environment

To carry out this lab, you need:

* Windows 10 virtual machine
* Linksys 802.11 g WLAN adapter
* Web browsers with an Internet connection
* Administrator privileges to run the tools
* NetSurveyor located at E:\CEH-Tools\CEHv11 Module 16 Hacking Wireless Networks\Wi-Fi Discovery Tools\NetSurveyor
* You can also download the latest version of NetSurveyor from the official website. If you do so, the screenshots shown in the lab might differ.

Lab Duration

Time: 10 Minutes

Overview of Footprinting a Wireless Network

To footprint a wireless network, you must identify the BSS (Basic Service Set) or Independent BSS (IBSS) provided by the access point. This is done with the help of the wireless network's SSID, which can be used to establish an association with the access point to compromise its security. Therefore, you need to find the SSID of the target wireless network.
Footprinting methods to detect the SSID of a wireless network include:

* Passive Footprinting, in which you detect the existence of an access point by sniffing packets from the airwaves
* Active Footprinting, in which a wireless device sends a probe request with the SSID to see if an access point responds

Find Wi-Fi Networks in Range using NetSurveyor

Task: Install and Launch

Here, we will use NetSurveyor to find the Wi-Fi networks in range.

1. Turn on the Windows 10 virtual machine and log in with the credentials Admin and Pa$$w0rd.

Note: Ensure that the Linksys 802.11 g WLAN adapter is plugged in and connected to the Windows 10 virtual machine. If the adapter is not connected to the virtual machine, unplug and plug it in again. A New USB Device Detected window appears: select the Connect to a virtual machine radio-button, and under Virtual Machine Name, select Windows 10; click OK.

2. Navigate to E:\CEH-Tools\CEHv11 Module 16 Hacking Wireless Networks\Wi-Fi Discovery Tools\NetSurveyor and double-click NetSurveyor-Setup.exe.

Note: If a User Account Control pop-up appears, click Yes.

3. The Setup - NetSurveyor window appears; click Next.

Note: NetSurveyor is an 802.11 (Wi-Fi) network discovery tool that gathers information about nearby wireless access points in real time and displays it in useful ways.

[Figure 1.1.1: Setup - NetSurveyor]

4. Follow the steps to install the application using the default settings.

5. After the installation completes, the Completing the NetSurveyor Setup Wizard screen appears.
Ensure that the Yes, restart the computer now radio button is selected and click Finish.

[Figure 1.1.2: Completing the NetSurveyor Setup Wizard]

Task: Discover Access Points in the Network

6. After the system reboots, log in with the credentials Admin/Pa$$w0rd.

Note: Ensure that the Linksys 802.11 g WLAN adapter is connected to the Windows 10 virtual machine. As before, if the adapter is not connected, unplug and plug it in again. A New USB Device Detected window appears: select the Connect to a virtual machine radio-button, and under Virtual Machine Name, select Windows 10; click OK.

7. Launch NetSurveyor by double-clicking the NetSurveyor shortcut from Desktop.

Note: If a User Account Control pop-up appears, click Yes.

8. NetSurveyor initializes, and a list of discovered access points in the network appears under the Network Discovery tab, along with details such as SSID, BSSID, Channel, Beacon Strength, etc., as shown in the screenshot.

9. In the lower section of the window, the Channel Usage tab displays a graphical view of the usage of 802.11 channels by discovered access points.

10. In the lower section of the window, click the AP Timecourse tab to view the timecourse of Beacon qualities by SSID in a graphical format.

11. Click the Channel Spectrogram tab to view the spectrogram of the 802.11 channel usage.
This information can be used to perform spectrum analysis, actively monitor spectrum usage in a particular area, and detect the spectrum signal of the target network.

[Figure 1.1.5: NetSurveyor Channel Spectrogram tab]

12. Similarly, you can gather detailed information about the discovered access points with other graphical diagnostic views by navigating to different tabs in the lower section. Information you can discover includes differential beacon qualities by SSID, the timecourse of 802.11 channel usage, and a heatmap of 802.11 channel usage.

Task: Generate a Report

13. To save the gathered information in a report, click File from the menu bar and select Create Report... from the options.

14. The Report Charts As An Adobe PDF File (*.pdf) window appears. Navigate to the location where you want to save the file (in this case, Downloads), ensure the File name is NetSurveyor Report, and click Save.

[Figure: Report Charts As An Adobe PDF File (*.pdf) window]

15. A How do you want to open this file? pop-up appears. Choose any option (in this example, we will use Microsoft Edge) and click OK.

16. The NetSurveyor Report opens in the default PDF viewing application (here, Microsoft Edge), displaying a list of discovered access points. Scroll down to view the detailed report about them.

Note: You can also use other Wi-Fi discovery tools such as inSSIDer Plus (https://www.metageek.com), Wi-Fi Scanner (https://lizardsystems.com), Acrylic Wi-Fi Home (https://www.acrylicwifi.com), WirelessMon
(https://www.passmark.com), and Ekahau HeatMapper (https://www.ekahau.com) to discover access points.

[Figure 1.1.9: NetSurveyor Report: Timecourse of Beacon Qualities by SSID]

[Figure: NetSurveyor Report: Differential Beacon Qualities by SSID]

17. This concludes the demonstration of how to find Wi-Fi networks in range using Wi-Fi discovery tools.

18. Close all open windows and document all the acquired information.

19. Turn off the Windows 10 virtual machine and unplug the Linksys 802.11 g WLAN adapter.

Lab Analysis

Analyze and document all the results discovered in the lab exercise.

Perform Wireless Traffic Analysis

Wireless traffic analysis is the process of identifying vulnerabilities and susceptible victims in a target wireless network.

Lab Scenario

As a professional ethical hacker or pen tester, your next step in hacking wireless networks is to capture and analyze the traffic of the target wireless network.

This wireless traffic analysis will help you to determine the weaknesses and vulnerable devices in the target network.
In the process, you will determine the network's broadcasted SSID, the presence of multiple access points, the possibility of recovering SSIDs, the authentication method used, WLAN encryption algorithms, etc.

The labs in this exercise demonstrate how to use various tools and techniques to capture and analyze the traffic of the target wireless network.

Lab Objectives

* Find Wi-Fi networks and sniff Wi-Fi packets using Wash and Wireshark

Lab Environment

To carry out this lab, you need:

* Parrot Security virtual machine
* Linksys 802.11 g WLAN adapter
* Web browsers with an Internet connection
* Administrator privileges to run the tools

Lab Duration

Time: 15 Minutes

Overview of Wireless Traffic Analysis

Wireless traffic analysis helps in determining the appropriate strategy for a successful attack. Wi-Fi protocols are unique at Layer 2, and traffic over the air is not serialized, which makes it easy to sniff and analyze wireless packets. You can use various Wi-Fi packet-sniffing tools to capture and analyze the traffic of a target wireless network.

Task 1: Find Wi-Fi Networks and Sniff Wi-Fi Packets using Wash and Wireshark

Here, we will use Wash to find Wi-Fi networks and Wireshark to sniff Wi-Fi packets.

Note: Wash is a utility that can be used to identify WPS-enabled access points in a wireless network. It also helps to check if the access point is in a locked or unlocked state. This is important because most WPS-enabled routers automatically lock after five or more unsuccessful login attempts (attempted brute-force attack), and can be unlocked only manually in the administrator interface.

1. Turn on the Parrot Security virtual machine. In the login page, the attacker username will be selected by default. Enter password as toor in the Password field and press Enter to log in to the machine.

* If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and close it.
* If a Question pop-up window appears asking you to update the machine, click No to close the window.

Task 1.1: Put the Wireless Interface in Monitor Mode

2. Plug in the Linksys 802.11 g WLAN adapter.

3. A New USB Device Detected window appears. Select the Connect to a virtual machine radio-button under Choose where you would like to connect Linksys 802.11 g WLAN, and under Virtual Machine Name, select Parrot Security; click OK.

[Figure 2.1.2: New USB Device Detected window]

4. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.

5. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

6. In the [sudo] password for attacker field, type toor as a password and press Enter.

Note: The password that you type will not be visible.

7. Now, type cd and press Enter to jump to the root directory.

8. In the Parrot Terminal window, type ifconfig and press Enter. Observe that the wireless interface (in this case, wlan0) is connected to the machine, as shown in the screenshot.

[Figure 2.1.5: ifconfig displaying wlan0]

9. In the terminal window, type airmon-ng start wlan0 and press Enter. This command puts the wireless interface (in this case, wlan0) into monitor mode.

10. The result appears, displaying the error: "Found 2 processes that could cause trouble". To put the interface in monitor mode, these processes must be killed.
11. Type airmon-ng check kill and press Enter to stop the network managers and kill the interfering processes.

12. Now, run the command airmon-ng start wlan0 again to put the wireless interface in monitor mode.

13. Note that the Linksys WUSB54GC v3 802.11g Adapter is now running in monitor mode on the wlan0mon interface, as shown in the screenshot.

[Figure 2.1.7: Setting up the wireless interface in monitor mode]

14. Now, we shall find Wi-Fi networks (access points) by using the wireless interface wlan0mon.

15. Type wash -i wlan0mon and press Enter to detect WPS-enabled devices.

Note: The option -i (long form --interface=) specifies the interface on which to capture the packets.

16. The results appear, displaying the discovered Wi-Fi access points, as shown in the screenshot.

Note: If no results appear, restart the Parrot Security virtual machine and perform Steps 4 - 8, type wash -i wlan0mon in the Terminal window, and press Enter.

Task 1.3: Capture Wireless Traffic

17. Now, click Applications in the top-left corner of Desktop and navigate to Pentesting > Information Gathering > wireshark.

18. A security pop-up appears; enter the password as toor in the Password field and click OK.

19. The Wireshark Network Analyzer window appears; double-click the wireless network interface (in this case, wlan0mon) to start capturing network traffic.

Note: Wireshark can read live data from Ethernet, Token Ring, FDDI, serial (PPP and SLIP), and 802.11 wireless LAN.
[Figure 2.1.9: The Wireshark main window]

Note: Wireshark can be used to capture wireless traffic, including management, control, and data frames, and to gather critical information such as the protocols and encryption techniques used, the length of the frames, MAC addresses, etc.

20. Wireshark starts capturing network traffic. Note that the captured wireless packets are labeled 802.11 under the Protocol column, as shown in the screenshot.

Note: In a real-life attack, attackers use packet capture and filtering techniques to capture packets containing passwords (only for HTTP websites), perform attacks such as session hijacking, etc.

21. This concludes the demonstration of how to find Wi-Fi networks and sniff Wi-Fi packets using Wireshark.

22. Close all open windows and document all the acquired information.

23. Turn off the Parrot Security virtual machine and unplug the Linksys 802.11 g WLAN adapter.

Lab Analysis

Analyze and document all the results discovered in the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS ABOUT THIS LAB
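The SSID, BSSID, channel and encryption details that the footprinting and traffic-analysis labs read off NetSurveyor and Wireshark all come from fields in 802.11 beacon frames. The following is an added example, not part of the lab manual: it parses raw beacon bytes and lists the networks an administrator should follow up on because they still advertise WEP, legacy WPA or no encryption. The frames are constructed samples, and the names parse_beacon, audit and build_beacon are assumptions made for this sketch.

```python
import struct

WPA_VENDOR_PREFIX = bytes.fromhex("0050f201")  # Microsoft OUI + type 1 = WPA element


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame):
    """Parse a raw 802.11 beacon or probe response (no radiotap header, no FCS)."""
    if len(frame) < 36:
        raise ValueError("too short for management header plus fixed parameters")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (5, 8):      # 5 = probe response, 8 = beacon
        raise ValueError("not a beacon or probe response")
    (capability,) = struct.unpack_from("<H", frame, 34)
    net = {"bssid": mac(frame[16:22]), "ssid": None, "hidden": False,
           "channel": None, "truncated": False}
    privacy, rsn, wpa = bool(capability & 0x0010), False, False
    pos = 36  # tagged parameters follow the 24-byte header and 12 fixed bytes
    while pos < len(frame):
        if pos + 2 > len(frame) or pos + 2 + frame[pos + 1] > len(frame):
            net["truncated"] = True              # element runs past the captured bytes
            break
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if eid == 0 and net["ssid"] is None:     # SSID element
            net["hidden"] = elen == 0 or not any(body)   # empty or all-NUL name
            net["ssid"] = "" if net["hidden"] else body.decode("utf-8", "replace")
        elif eid == 3 and elen == 1:             # DS Parameter Set: current channel
            net["channel"] = body[0]
        elif eid == 48:                          # RSN element (WPA2 and later)
            rsn = True
        elif eid == 221 and body.startswith(WPA_VENDOR_PREFIX):
            wpa = True                           # vendor-specific WPA element
        pos += 2 + elen
    if rsn and wpa:
        net["security"] = "WPA/WPA2 mixed"
    elif rsn:
        net["security"] = "WPA2 (RSN)"
    elif wpa:
        net["security"] = "WPA"
    elif not privacy:
        net["security"] = "Open"
    elif net["truncated"]:
        net["security"] = "Unknown"              # an RSN/WPA element may have been cut off
    else:
        net["security"] = "WEP"                  # Privacy bit set, no RSN or WPA element
    return net


def audit(frames):
    """Return (bssid, ssid, security) for each network with weak or no encryption."""
    findings = []
    for frame in frames:
        try:
            net = parse_beacon(frame)
        except ValueError:
            continue                             # not a beacon: nothing to audit
        if net["security"] in ("WEP", "Open", "WPA", "WPA/WPA2 mixed"):
            findings.append((net["bssid"], net["ssid"] or "(hidden)", net["security"]))
    return findings


def build_beacon(bssid, ssid, channel, privacy=False, rsn=False, wpa=False):
    """Construct a sample beacon for the demo (constructed data, not a capture)."""
    addr = bytes.fromhex(bssid.replace(":", ""))
    header = (struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + addr + addr
              + struct.pack("<H", 0))
    capability = 0x0001 | (0x0010 if privacy else 0)     # ESS plus optional Privacy
    fixed = struct.pack("<QHH", 0, 100, capability)      # timestamp, interval, caps
    name = ssid.encode()
    ies = bytes([0, len(name)]) + name + bytes([3, 1, channel])
    if rsn:
        body = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
        ies += bytes([48, len(body)]) + body
    if wpa:
        body = bytes.fromhex("0050f201" "0100" "0050f202" "0100" "0050f202"
                             "0100" "0050f202")
        ies += bytes([221, len(body)]) + body
    return header + fixed + ies


# Constructed sample frames; the BSSIDs are locally administered placeholders.
SAMPLE_FRAMES = [
    build_beacon("02:00:00:00:00:01", "CEH-LABS", 6, privacy=True),             # WEP
    build_beacon("02:00:00:00:00:02", "CEH-LABS", 11, privacy=True, rsn=True),  # WPA2
    build_beacon("02:00:00:00:00:03", "", 1, privacy=True, wpa=True),           # hidden, WPA
    build_beacon("02:00:00:00:00:04", "Guest", 1),                              # open
]

if __name__ == "__main__":
    for bssid, ssid, security in audit(SAMPLE_FRAMES):
        print(f"{bssid}  {ssid:<10} {security}")
```

A frame cut short before its RSN or WPA element is reported as Unknown rather than WEP, so a truncated capture does not produce a false finding.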

Perform Wireless Attacks
Various tools and techniques can be used to launch attacks on target wireless networks and so test their security.

Lab Scenario
As an expert ethical hacker or pen tester, you must have the required knowledge to perform wireless attacks in order to test the target network's security infrastructure. After performing the discovery, mapping, and analysis of the target wireless network, you have gathered enough information to launch an attack. You should now carry out various types of attacks on the target network, including Wi-Fi encryption cracking (WEP, WPA, and WPA2), fragmentation, MAC spoofing, DoS, and ARP poisoning attacks.

WEP encryption is used for wireless networks, but it has several exploitable vulnerabilities. When seeking to protect a wireless network, the first step is always to change your SSID from the default before you actually connect the wireless router to the access point. Moreover, if an SSID broadcast is not disabled on an access point, ensure that you do not use a DHCP server, which would automatically assign IP addresses to wireless clients. This is because war-driving tools can easily detect your internal IP address.

As an ethical hacker and pen tester of an organization, you must test its wireless security, exploit WEP flaws, and crack the network's access point keys. The labs in this exercise demonstrate how to perform wireless attacks using various hacking tools and techniques.

Lab Objectives
* Find hidden SSIDs using Aircrack-ng
* Crack a WEP network using Wifiphisher
* Crack a WEP network using Aircrack-ng
* Crack a WPA network using Fern Wifi Cracker
* Crack a WPA2 network using Aircrack-ng
* Create a rogue access point to capture data packets using MANA-Toolkit

Lab Environment
To carry out this lab, you need:
* Parrot Security virtual machine
* Windows 10 virtual machine
* Linksys 802.11 g WLAN adapter
* Web browsers with an Internet connection
* Administrator privileges to run the tools

Lab Duration
Time: 100 Minutes

Overview of Wireless Attacks
There are several different types of Wi-Fi attacks that attackers use to eavesdrop on wireless network connections in order to obtain sensitive information such as passwords, banking credentials, and medical records, as well as to spread malware. These include:
* Fragmentation attack: When successful, such attacks can obtain 1,500 bytes of PRGA (pseudo random generation algorithm)
* MAC spoofing attack: The attacker changes their MAC address to that of an authenticated user in order to bypass the access point's MAC-filtering configuration
* Disassociation attack: The attacker makes the victim unavailable to other wireless devices by destroying the connectivity between the access point and client
* Deauthentication attack: The attacker floods station(s) with forged deauthentication packets to disconnect users from an access point
* Man-in-the-middle attack: An active Internet attack in which the attacker attempts to intercept, read, or alter information between two computers
* Wireless ARP poisoning attack: An attack technique that exploits the lack of a verification mechanism in the ARP protocol by corrupting the ARP cache maintained by the OS in order to associate the attacker's MAC address with the target host
* Rogue access points: Wireless access points that an attacker installs on a network without authorization and that are not under the management of the network administrator
* Evil twin: A fraudulent wireless access point that pretends to be a legitimate access point by imitating another network name
* Wi-Jacking attack: A method used by attackers to gain access to an enormous number of wireless networks

Task 1: Find Hidden SSIDs using Aircrack-ng
Here, we will use Aircrack-ng to reveal a hidden SSID.
Note: Before starting this task, configure the target access point (CEH-LABS) with WEP encryption and a hidden SSID.
Note: Ensure that more than one machine or device is connected to the access point (CEH-LABS).
1. Turn on the Parrot Security virtual machine.
2. In the login page, the attacker username will be selected by default. Enter password as toor in the Password field and press Enter to log in to the machine.
Note:
* If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and close it.
* If a Question pop-up window appears asking you to update the machine, click No to close the window.
3. Plug in the Linksys 802.11 g WLAN adapter.
4. A New USB Device Detected window appears. Select the Connect to a virtual machine radio-button under Choose where you would like to connect Linksys 802.11 g WLAN, and under Virtual Machine Name, select Parrot Security; click OK.
5. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.
6. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
7. In the [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
8. Now, type cd and press Enter to jump to the root directory.

Task: Put the Wireless Interface into Monitor Mode
9. In the Parrot Terminal window, type airmon-ng start wlan0 and press Enter. This command puts the wireless interface (in this case, wlan0) into monitor mode.
10. The result appears, displaying the error: "Found 2 processes that could cause trouble". To put the interface in monitor mode, these processes must be killed.
Note: This process might differ in your lab environment.
11. Type airmon-ng check kill and press Enter to stop the network managers and kill the interfering processes.
12. Now, run the command airmon-ng start wlan0 again to put the wireless adapter into monitor or promiscuous mode.
13. Note that Linksys WUSB54GC v3 802.11g Adapter is now running in monitor mode on the wlan0mon interface, as shown in the screenshot.
Note: The interface name might differ in your lab environment.

Task: Discover the Available Access Points
14. Type airodump-ng wlan0mon and press Enter. This command requests a list of detected access points and connected clients.
15. The result appears, displaying the available access points. Note the hidden ESSID associated with BSSID: B4:75:0E:89:00:60.
Note: The BSSID associated with the hidden ESSID will differ in your lab environment.
Note: airodump-ng hops from channel to channel and shows all access points from which it can receive beacons.
Channels 1 to 14 are used for 802.11b and g.
16. Click the MATE Terminal icon at the top of the Desktop window to open another Terminal window.

Task 1.3: Capture IV Packets from the Target Access Point
17. A Parrot Terminal window appears. In the new terminal window, type sudo su and press Enter to run the programs as a root user.
18. In the [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
19. Now, type cd and press Enter to jump to the root directory.
20. In the terminal window, type airodump-ng --bssid B4:75:0E:89:00:60 wlan0mon and press Enter.
Note: In this command,
* --bssid: MAC address of the target access point (in this example, B4:75:0E:89:00:60)
* wlan0mon: Wireless interface
21. Airodump-ng starts capturing the Initialization Vector (IV) from the target AP, as shown in the screenshot.
22. The list of connected clients ("stations") appears. You can observe that there are two clients connected to the target access point (B4:75:0E:89:00:60). In this task, we will send deauthentication packets to the client STATION: 20:A6:06:30:23:D3. Leave airodump-ng running.
Note: The client station BSSID will differ in your lab environment.

Task: Send De-Auth Packets to the Client
23. Open another terminal by clicking the MATE Terminal icon from the top of Desktop.
24. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
25. In the [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
26. Now, type cd and press Enter to jump to the root directory.
27.
In the new terminal window, type aireplay-ng --deauth 45 -a B4:75:0E:89:00:60 -c 20:A6:06:30:23:D3 wlan0mon and press Enter to generate de-authentication packets.
Note: In this command,
* --deauth: Activates deauthentication mode
* 45: Number of deauthentication packets to be sent
* -a: Sets the access point MAC address
* -c: Sets the destination MAC address
* wlan0mon: Wireless interface
Note: If you get any errors while running the command, reissue the command multiple times until it executes successfully.
28. The source MAC address should be associated with the access point in order to accept the packet. Because, in this case, the source MAC address used to inject the packets has no connection with the access point, the access point usually ignores the packets and sends out a deauthentication packet, which contains the access point's SSID, in plain text. In order to create a fake authentication, we need to associate it with the access point.
29. Switch back to the terminal window where airodump-ng is running. You will observe that the hidden SSID associated with BSSID B4:75:0E:89:00:60 appears under ESSID as CEH-LABS, as shown in the screenshot.
Note: In real-life attacks, attackers will obtain the hidden SSID of the target access point and crack the encryption method (WEP, WPA2) associated with it to obtain the access key or password.
30. This concludes the demonstration of how to use Aircrack-ng to reveal a hidden SSID.
31. Unplug the Linksys 802.11 g WLAN adapter.
32. Close all open windows and document all the acquired information.
33. Turn off the Parrot Security virtual machine.
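A burst of deauthentication frames like the one sent in this task is visible to any sensor monitoring the same channel. The following Python detector is an added example, not part of the lab manual: it flags such bursts in a time-ordered list of management-frame records. The record format (time,subtype,source,destination,bssid), the threshold and window values, and the sample frames are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, replace

BROADCAST = "ff:ff:ff:ff:ff:ff"
WATCHED = {"deauth", "disassoc"}   # management subtypes that tear a link down


@dataclass(frozen=True)
class Alert:
    bssid: str
    target: str        # destination address of the frames
    first_seen: float
    last_seen: float
    count: int
    broadcast: bool    # True when the frames address every station


def parse_record(line):
    """Parse 'time,subtype,source,destination,bssid' (assumed export format)."""
    fields = [f.strip().lower() for f in line.split(",")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields: {line!r}")
    ts, subtype, src, dst, bssid = fields
    return float(ts), subtype, src, dst, bssid


def detect_deauth_bursts(lines, threshold=10, window=2.0):
    """Alert when one (BSSID, destination) pair receives `threshold` or more
    deauth/disassoc frames within `window` seconds. Input must be time-ordered."""
    recent = defaultdict(deque)   # (bssid, dst) -> timestamps still in window
    open_alert = {}               # (bssid, dst) -> index of the ongoing alert
    alerts = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, subtype, _src, dst, bssid = parse_record(line)
        if subtype not in WATCHED:
            continue
        key = (bssid, dst)
        seen = recent[key]
        seen.append(ts)
        while ts - seen[0] > window:      # drop timestamps outside the window
            seen.popleft()
        idx = open_alert.get(key)
        if idx is not None and ts - alerts[idx].last_seen <= window:
            # The burst is still running: extend the existing alert.
            alerts[idx] = replace(alerts[idx], last_seen=ts,
                                  count=alerts[idx].count + 1)
        elif len(seen) >= threshold:
            open_alert[key] = len(alerts)
            alerts.append(Alert(bssid, dst, seen[0], ts, len(seen),
                                dst == BROADCAST))
        else:
            open_alert.pop(key, None)     # quiet again: close any old alert
    return alerts


def constructed_sample():
    """Constructed frames: beacons, one ordinary deauth from a leaving client,
    a 45-frame burst aimed at one station, and a 12-frame broadcast burst."""
    ap, ap2 = "02:00:00:aa:00:01", "02:00:00:aa:00:09"
    sta, other = "02:00:00:bb:00:02", "02:00:00:bb:00:03"
    rows = [f"{t:.2f},beacon,{ap},{BROADCAST},{ap}" for t in (1.0, 1.1, 1.2)]
    rows.append(f"5.00,deauth,{other},{ap},{ap}")
    rows += [f"{10 + i * 0.02:.2f},deauth,{ap},{sta},{ap}" for i in range(45)]
    rows += [f"{20 + i * 0.05:.2f},deauth,{ap2},{BROADCAST},{ap2}"
             for i in range(12)]
    return rows


if __name__ == "__main__":
    for a in detect_deauth_bursts(constructed_sample()):
        scope = "all stations" if a.broadcast else a.target
        print(f"{a.count} deauth/disassoc frames in "
              f"{a.last_seen - a.first_seen:.2f}s on BSSID {a.bssid} "
              f"aimed at {scope}")
```

Where clients and access points negotiate 802.11w Protected Management Frames, stations discard forged deauthentication frames, so this alert matters most on networks where that protection is absent or optional.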

Task 2: Crack a WEP Network using Wifiphisher
Here, we will use Wifiphisher to crack a WEP network. You can also crack a WPA/WPA2 network with the same tool, but, if you do so, the steps might change.
Note: Before starting this lab, unhide the hidden SSID of the target access point (CEH-LABS).
Note: To perform this task, you must have a mobile device (in this example, we are using an Android phone). This will be the victim's device in our scenario: the victim will use it to connect to the rogue access point created by Wifiphisher, and once he/she enters the pre-shared WEP key, it will be captured by the application.
1. Turn on the Parrot Security virtual machine.
2. In the login page, the attacker username will be selected by default. Enter password as toor in the Password field and press Enter to log in to the machine.
Note:
* If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and close it.
* If a Question pop-up window appears asking you to update the machine, click No to close the window.
3. Plug in the Linksys 802.11 g WLAN adapter.
4. A New USB Device Detected window appears. Select the Connect to a virtual machine radio-button under Choose where you would like to connect Linksys 802.11 g WLAN, and under Virtual Machine Name, select Parrot Security; click OK.
Figure 3.2.1: New USB Device Detected window
5. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.
6.
A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
7. In the [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
8. Now, type cd and press Enter to jump to the root directory.

Task: Install Dependencies
9. In the Parrot Terminal window, type apt-get install libnl-3-dev libnl-genl-3-dev and press Enter to install the dependencies for Wifiphisher.
10. Once the installation has finished, type apt-get install libssl-dev in the terminal window and press Enter to install the libssl-dev dependency.
Note: If the above command does not work, then run the dpkg --configure -a command before trying apt-get install libssl-dev again.
11. Once the installation has completed, type git clone https://github.com/wifiphisher/roguehostapd and press Enter to clone the roguehostapd repository.
Note: You can also access the tool repository from the CEH-Tools folder available in the Windows 10 virtual machine, in case the GitHub link does not exist or you are unable to clone the tool repository. Follow the steps below in order to access the CEH-Tools folder from the Parrot Security virtual machine:
* Open a windows explorer and press Ctrl+L. The Location field appears; type smb://10.10.10.10 and press Enter to access Windows 10 shared folders.
* The security pop-up appears; enter the Windows 10 virtual machine credentials (Username: Admin and Password: Pa$$w0rd) and click Connect.
* The Windows shares on 10.10.10.10 window appears; navigate to the location CEH-Tools\CEHv11 Module 16 Hacking Wireless Networks\GitHub Tools\ and copy the roguehostapd folder.
* Paste the copied roguehostapd folder on the location /home/attacker/.
* In the terminal window, type mv /home/attacker/roguehostapd /root/
12. After cloning roguehostapd, type cd roguehostapd and press Enter to navigate to the cloned repository.
13. Now, type python setup.py install and press Enter to install the roguehostapd application.
Note: Roguehostapd is a fork of hostapd, the famous user space software access point. It provides Python ctypes bindings and a number of additional attack features. It was primarily developed for use in the Wifiphisher project.
14. After the installation finishes, type cd .. and press Enter to navigate back to the root directory.

Task 2.2: Clone Wifiphisher
15. Now that all the required dependencies have been installed, it is time to clone and install Wifiphisher. Type git clone https://github.com/wifiphisher/wifiphisher and press Enter to clone the Wifiphisher repository.
Note: You can also access the tool repository from the CEH-Tools folder available in the Windows 10 virtual machine, in case the GitHub link does not exist or you are unable to clone the tool repository. Follow the steps below in order to access the CEH-Tools folder from the Parrot Security virtual machine:
* Open a windows explorer and press Ctrl+L. The Location field appears; type smb://10.10.10.10 and press Enter to access Windows 10 shared folders.
* The security pop-up appears; enter the Windows 10 virtual machine credentials (Username: Admin and Password: Pa$$w0rd) and click Connect.
* The Windows shares on 10.10.10.10 window appears; navigate to the location CEH-Tools\CEHv11 Module 16 Hacking Wireless Networks\GitHub Tools\ and copy the wifiphisher folder.
* Paste the copied wifiphisher folder on the location /home/attacker/.
* In the terminal window, type mv /home/attacker/wifiphisher /root/
16. After cloning Wifiphisher, type cd wifiphisher and press Enter to navigate to the cloned repository.
17. Now, type python3 setup.py install and press Enter to install Wifiphisher.
18. After the installation finishes, type cd .. and press Enter to navigate back to the root directory.
19. Type wifiphisher --force-hostapd and press Enter to launch Wifiphisher.
20. Wifiphisher initializes and appears in the Parrot Terminal window.
21. It scans the network for available access points and displays them, as shown in the screenshot.
22. In the list of available access points, we will select CEH-LABS. Use the Down Arrow key on your keyboard to navigate to the CEH-LABS access point and press Enter.
23. Note the YOU HAVE SELECTED CEH-LABS notification in the lower section of the window.
Figure 3.2.10: Discovered access points
24. The Available Phishing Scenario wizard appears. Use the Down Arrow key to navigate to Network Manager Connect and press Enter to select the option.
Note: In this task, we are selecting the Network Manager Connect option. However, you can use any of the other available phishing options (Firmware Upgrade Page, OAuth Login Page, or Browser Plugin Update).
Note: With the Network Manager Connect option, after connecting to the rogue access point, the victim receives a "Connection Failed" page in the browser. Thereafter, a network manager window appears, asking the victim for the pre-shared key. Once the victim enters the key, it is captured by Wifiphisher.
25.
After selecting Network Manager Connect, you will observe a YOU HAVE SELECTED wifi connect notification in the lower section of the window, as shown in the screenshot.
Figure: Selecting the Network Manager Connect option
26. A window appears, displaying the fake network that we have created under Extensions feed. Note that deauth (deauthentication) packets are sent to all the connected devices.
Figure 3.2.12: Sending deauth packets

Task: Connect to Rogue Access Point Using Pre-shared Key
27. Now, switch to your "victim" mobile device. Note that a rogue access point with the name CEH-LABS has been created along with the original CEH-LABS access point, as shown in the screenshot.
28. Observe that the rogue access point does not have any security enabled.
29. Click on the rogue access point CEH-LABS (the one that is unsecured). Note that your device initializes a connection with the access point and starts obtaining the IP address.
Figure 3.2.14: Connecting to the rogue access point
30. After your device has connected to the CEH-LABS access point, you will notice that there is no Internet.
Note: Connecting to the rogue access point may take some time.
Figure 3.2.15: Connection established with no Internet
31. Now, switch back to the Wifiphisher window running in the Parrot Security virtual machine. You can see the connected device under the Connected Victims section, as shown in the screenshot.
Figure 3.2.16: The connected victim
32.
Switch back to your connected Android device. Slide down from the top of the device and tap the Connect to Wi-Fi option, as shown in the screenshot.
Note: If you are immediately redirected to the Enter the password for "CEH-LABS" page, proceed directly to Step 33.

Task: Crack WEP Pre-shared Key
33. The Enter the password for "CEH-LABS" screen appears. Under Enter Password, type the pre-shared key in the Password field and click Join.
Note: In this example, the pre-shared WEP key is 1234567890.
Figure 3.2.18: Enter the pre-shared WEP key
34. Now, switch back to the Wifiphisher window and note the captured WEP key, as shown in the screenshot.
Figure 3.2.19: Captured WEP key
35. After obtaining the key, press Esc in the Wifiphisher application window to quit.
36. This concludes the demonstration of how to crack a WEP network using Wifiphisher.
37. Close all open windows and document all the acquired information.

Task 3: Crack a WEP Network using Aircrack-ng
In this task, we will use the Aircrack-ng suite to crack the WEP encryption of a network.
Note: Before starting this lab, unhide the hidden SSID of the target access point (CEH-LABS).
1. Turn on the Parrot Security virtual machine.
2. In the login page, the attacker username will be selected by default. Enter password as toor in the Password field and press Enter to log in to the machine.
Note:
* If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and close it.
* If a Question pop-up window appears asking you to update the machine, click No to close the window.
3. Plug in the Linksys 802.11 g WLAN adapter.
4. A New USB Device Detected window appears. Select the Connect to a virtual machine radio-button under Choose where you would like to connect Linksys 802.11 g WLAN, and under Virtual Machine Name, select Parrot Security; click OK.
5. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.
6. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
7. In the [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
8. Now, type cd and press Enter to jump to the root directory.

Task: Put the Wireless Interface into Monitor Mode
9. In the Parrot Terminal window, type airmon-ng start wlan0 and press Enter. This command puts the wireless interface (in this case, wlan0) into monitor mode.
10. The result appears, displaying the error: "Found 2 processes that could cause trouble." To put the interface in monitor mode, these processes must be killed.
Note: The processes might differ in your lab environment.
Figure 3.3.4: Found 2 processes that could cause trouble error
11.
Type airmon-ng check kill and press Enter to stop the network managers and kill the interfering processes.
12. Now, run the command airmon-ng start wlan0 again to put the wireless adapter into monitor or promiscuous mode.
13. Note that Linksys WUSB54GC v3 802.11g Adapter is now running in monitor mode on the wlan0mon interface, as shown in the screenshot.
14. Type airodump-ng wlan0mon and press Enter. This command requests airodump-ng to display a list of detected access points and connected clients ("stations").
Figure 3.3.8: airodump-ng searching for available access points
Note: In this lab, we will crack CEH-LABS.
Note: In this example, the connected client STATION is 20:A6:06:30:23:D3. This might differ in your lab environment.
Note: airodump-ng hops from channel to channel and shows all the access points from which it can receive beacons. Channels 1 to 14 are used for 802.11b and g.
15. If you wish to search only for available WEP networks, run the airodump-ng wlan0mon --encrypt wep command.
16. The result appears, displaying only the networks with WEP enabled, as shown in the screenshot.
Figure 3.3.9: airodump-ng searching for WEP access points
17. Before proceeding, you must check if an injection attack can be performed on the target access point.

Task 3.2: Test for Wireless Device Packet Injection
18. Click the MATE Terminal icon at the top of the Desktop window to open another Terminal window.
19. A Parrot Terminal window appears. In the new terminal window, type sudo su and press Enter to run the programs as a root user.
20. In the [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
21.
Now, type cd and press Enter to jump to the root directory.
22. In the terminal window, type aireplay-ng -9 -e CEH-LABS -a B4:75:0E:89:00:60 wlan0mon and press Enter.
Note: In this command, -9: tests injection and quality; -e: specifies the target access point SSID (in this case, CEH-LABS); -a: specifies the MAC address of the target access point (in this case, B4:75:0E:89:00:60); and wlan0mon: is the wireless interface.
23. The result appears, showing that Injection is working!, as shown in the screenshot.
Note: If you receive any errors, rerun the command multiple times until it executes successfully.

Task: Capture IV Packets from the Target Access Point
24. Now, you must instruct airodump-ng to begin capturing the Initialization Vector (IV) from the access point. To do so, in the terminal window, type airodump-ng --bssid B4:75:0E:89:00:60 -c 1 -w WEPcrack wlan0mon and press Enter. Leave airodump-ng running.
Note: In this command, --bssid: is the MAC address of the target access point (in this case, B4:75:0E:89:00:60); -c: is the channel on which the target access point is running (in this case, CEH-LABS is running on channel number 1); -w: is the name of the dump file prefix that contains the IVs (in this case, WEPcrack); and wlan0mon: is the wireless interface.
25. Airodump-ng will capture the IVs generated from the target access point, as shown in the screenshot.

Task: Generate ARP Traffic
26. Open another terminal by clicking the MATE Terminal icon from the top of Desktop.
27. A Parrot Terminal window appears. In the new terminal window, type sudo su and press Enter to run the programs as a root user.
28. In the [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
29.
Now, type cd and press Enter to jump to the root directory.
30. In this new terminal window, type aireplay-ng -3 -b B4:75:0E:89:00:60 -h 20:A6:06:30:23:D3 wlan0mon and press Enter. This command will generate ARP traffic in the network. ARP request packets are used because the access points will usually rebroadcast them, and this will generate new IVs.
Note: Reissue this command until it runs successfully.
