# Module 16: Hacking Wireless Networks

## Objective <a href="#objective" id="objective"></a>

The objective of the lab is to protect the target wireless network from unauthorized access. To do so, you will perform various tasks that include, but are not limited to:

* Wi-Fi Packet Analysis
* Crack WEP and WPA2 Wi-Fi networks

### Overview of Wireless Networking <a href="#overview-of-wireless-networking" id="overview-of-wireless-networking"></a>

In wireless networks, communication takes place through radio wave transmission, which usually takes place at the physical layer of the network structure. Thanks to the wireless communication revolution, fundamental changes to data networking and telecommunication are taking place. This means that you will need to know and understand several types of wireless networks. These include:

* **Extension to a wired network**: A wired network is extended by the introduction of access points between the wired network and wireless devices
* **Multiple access points**: Multiple access points connect computers wirelessly
* **LAN-to-LAN wireless network**: All hardware APs have the ability to interconnect with other hardware access points
* **3G/4G hotspot**: A mobile device shares its cellular data wirelessly with Wi-Fi-enabled devices such as MP3 players, notebooks, tablets, cameras, PDAs, and netbooks

## Lab 1: Perform Wireless Traffic Analysis <a href="#lab-1-perform-wireless-traffic-analysis" id="lab-1-perform-wireless-traffic-analysis"></a>

**Overview of Wireless Traffic Analysis**

Wireless traffic analysis helps in determining the appropriate strategy for a successful attack. Wi-Fi protocols are unique at Layer 2, and traffic over the air is not serialized, which makes it easy to sniff and analyze wireless packets. You can use various Wi-Fi packet-sniffing tools to capture and analyze the traffic of a target wireless network.

### Task 1: Wi-Fi Packet Analysis using Wireshark <a href="#task-1-wi-fi-packet-analysis-using-wireshark" id="task-1-wi-fi-packet-analysis-using-wireshark"></a>

[**`Wireshark`**](https://www.wireshark.org/download.html) is a network protocol sniffer and analyzer. It lets you capture and interactively browse the traffic running on a target network. Wireshark can read live data from Ethernet, Token-Ring, FDDI, serial (PPP and SLIP), and 802.11 wireless LAN. Npcap is a library that is integrated with Wireshark for complete WLAN traffic analysis, visualization, drill-down, and reporting. Wireshark can be used in monitor mode to capture wireless traffic. It is able to capture a vast number of management, control, data frames, etc. and further analyze the Radiotap header fields to gather critical information such as protocols and encryption techniques used, length of the frames, MAC addresses, etc.

* To use Wireshark, open any .cap file in the tool or capture all the traffic. Use different flags and search queries to filter the traffic according to the requirements.

```bash
tcp.port == 80
```

* **Description**: Filter packets where the TCP port is 80 (HTTP traffic).

```bash
ip.addr == 192.168.1.1
```

* **Description**: Filter packets that contain the IP address 192.168.1.1.

```bash
http
```

* **Description**: Filter for HTTP traffic.

```bash
dns
```

* **Description**: Filter for DNS traffic.

```bash
tcp contains "GET"
```

* **Description**: Filter TCP packets containing the string "GET" (common in HTTP requests).

```bash
udp.port == 53
```

* **Description**: Filter packets where the UDP port is 53 (DNS traffic).

```bash
frame contains "password"
```

* **Description**: Filter frames containing the word "password".

```bash
eth.addr == aa:bb:cc:dd:ee
```

* **Description**: Filter packets containing the specified Ethernet (MAC) address.

```bash
tcp.flags.syn == 1
```

* **Description**: Filter packets where the TCP SYN flag is set (used in TCP handshakes).

```bash
ssl
```

* **Description**: Filter for SSL/TLS traffic.

```bash
icmp
```

* **Description**: Filter for ICMP traffic (e.g., ping requests and responses).

```bash
ip.src == 10.0.0.1
```

* **Description**: Filter packets originating from the IP address 10.0.0.1.

```bash
ip.dst == 10.0.0.2
```

* **Description**: Filter packets destined for the IP address 10.0.0.2.

```bash
tcp.analysis.retransmission
```

* **Description**: Filter for TCP retransmissions.

```bash
ftp
```

* **Description**: Filter for FTP traffic.

```bash
http.request
```

* **Description**: Filter for HTTP request packets.

```bash
http.response
```

* **Description**: Filter for HTTP response packets.

```bash
tcp.flags.fin == 1
```

* **Description**: Filter packets where the TCP FIN flag is set (used to terminate a TCP connection).

```bash
ip.proto == 1
```

* **Description**: Filter for packets using the ICMP protocol.

```bash
ip.proto == 6
```

* **Description**: Filter for packets using the TCP protocol.

```bash
ip.proto == 17
```

* **Description**: Filter for packets using the UDP protocol.

```bash
arp
```

* **Description**: Filter for ARP traffic.

```bash
bootp
```

* **Description**: Filter for BOOTP/DHCP traffic.

```bash
tcp.stream eq 1
```

* **Description**: Filter packets belonging to the TCP stream number 1.

```bash
frame.number == 100
```

* **Description**: Filter to display frame number 100.

You can also use other wireless traffic analyzers such as:

* **AirMagnet WiFi Analyzer PRO** (<https://www.netally.com>)
* **SteelCentral Packet Analyzer** (<https://www.riverbed.com>)
* **Omnipeek Network Protocol Analyzer** (<https://www.liveaction.com>)
* **CommView for Wi-Fi** (<https://www.tamos.com>)
* **Capsa Portable Network Analyzer** (<https://www.colasoft.com>)

## Lab 2: Perform Wireless Attacks <a href="#lab-2-perform-wireless-attacks" id="lab-2-perform-wireless-attacks"></a>

**Overview of Wireless Attacks**

There are several different types of Wi-Fi attacks that attackers use to eavesdrop on wireless network connections in order to obtain sensitive information such as passwords, banking credentials, and medical records, as well as to spread malware.

These include:

* **Fragmentation attack**: When successful, such attacks can obtain 1,500 bytes of PRGA (pseudo random generation algorithm)
* **MAC spoofing attack**: The attacker changes their MAC address to that of an authenticated user in order to bypass the access point’s MAC-filtering configuration.
* **Disassociation attack**: The attacker makes the victim unavailable to other wireless devices by destroying the connectivity between the access point and client.
* **Deauthentication attack**: The attacker floods station(s) with forged deauthentication packets to disconnect users from an access point.
* **Man-in-the-middle attack**: An active Internet attack in which the attacker attempts to intercept, read, or alter information between two computers.
* **Wireless ARP poisoning attack**: An attack technique that exploits the lack of a verification mechanism in the ARP protocol by corrupting the ARP cache maintained by the OS in order to associate the attacker’s MAC address with the target host.
* **Rogue access points**: Wireless access points that an attacker installs on a network without authorization and that are not under the management of the network administrator.
* **Evil twin**: A fraudulent wireless access point that pretends to be a legitimate access point by imitating another network name.
* **Wi-Jacking attack**: A method used by attackers to gain access to an enormous number of wireless networks.

### Task 1: Crack a WEP network using Aircrack-ng <a href="#task-1-crack-a-wep-network-using-aircrack-ng" id="task-1-crack-a-wep-network-using-aircrack-ng"></a>

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP, and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless networks. The program runs on both Linux and Windows.

```bash
aircrack-ng '/home/attacker/Desktop/Sample Captures/WEPcrack-01.cap'
```

The above cmd is used to crack WEP (Wired Equivalent Privacy) encryption on a captured wireless network traffic file. It attempts to recover the WEP key by analyzing the provided capture file.

### Task 2: Crack a WPA2 Network using Aircrack-ng <a href="#task-2-crack-a-wpa2-network-using-aircrack-ng" id="task-2-crack-a-wpa2-network-using-aircrack-ng"></a>

WPA2 is an upgrade to WPA; it includes mandatory support for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), an AES-based encryption protocol with strong security. WPA2 has two modes of operation: WPA2-Personal and WPA2-Enterprise. Despite being stronger than both WEP and WPA, the WPA2 encryption method can also be cracked using various techniques and tools.

{% code overflow="wrap" %}

```bash
aircrack-ng -a2 -b [Target BSSID] -w /home/attacker/Desktop/Wordlist/password.txt '/home/attacker/Desktop/Sample Captures/WPA2crack-01.cap'
```

{% endcode %}

The above cmd is used to perform a dictionary attack to crack WPA2 encryption on a captured wireless network traffic file. It attempts to recover the WPA2 key using a wordlist.

* `-a2`: Specifies the attack mode for WPA2.
* `-b [Target BSSID]`: Specifies the MAC address (BSSID) of the target access point.
* `-w /home/attacker/Desktop/Wordlist/password.txt`: Specifies the path to the wordlist file to be used for the dictionary attack.

You can also use other tools such as

* **Elcomsoft Wireless Security Auditor** (<https://www.elcomsoft.com>)
* **Portable Penetrator** (<https://www.secpoint.com>)
* **WepCrackGui** (<https://sourceforge.net>)
* **Pyrit** (<https://github.com>)
* **WepAttack** (<http://wepattack.sourceforge.net>)

***

***

***

**`Hacker's Mantra:`**`The Hacker Way is an approach to building that involves continuous improvement and iteration. Hackers believe that something can always be better, and that nothing is ever complete. - Mark Zuckerberg`