Rootkid - Cyber Journal: Certified Ethical Hacker v12 - Practical - Notes
Module 16: Hacking Wireless Networks

Objective

The objective of the lab is to protect the target wireless network from unauthorized access. To do so, you will perform various tasks that include, but are not limited to:

  • Wi-Fi Packet Analysis

  • Crack WEP and WPA2 Wi-Fi networks

Overview of Wireless Networking

In wireless networks, communication takes place through radio wave transmission, which usually takes place at the physical layer of the network structure. Thanks to the wireless communication revolution, fundamental changes to data networking and telecommunication are taking place. This means that you will need to know and understand several types of wireless networks. These include:

  • Extension to a wired network: A wired network is extended by the introduction of access points between the wired network and wireless devices

  • Multiple access points: Multiple access points connect computers wirelessly

  • LAN-to-LAN wireless network: All hardware APs have the ability to interconnect with other hardware access points

  • 3G/4G hotspot: A mobile device shares its cellular data wirelessly with Wi-Fi-enabled devices such as MP3 players, notebooks, tablets, cameras, PDAs, and netbooks

Lab 1: Perform Wireless Traffic Analysis

Overview of Wireless Traffic Analysis

Wireless traffic analysis helps in determining the appropriate strategy for a successful attack. Wi-Fi protocols are unique at Layer 2, and traffic over the air is not serialized, which makes it easy to sniff and analyze wireless packets. You can use various Wi-Fi packet-sniffing tools to capture and analyze the traffic of a target wireless network.

Task 1: Wi-Fi Packet Analysis using Wireshark

  • To use Wireshark, open a .cap file in the tool or start a live capture. Then apply display filters such as the ones below to narrow the traffic down to what the task requires.

tcp.port == 80
  • Description: Filter packets where the TCP port is 80 (HTTP traffic).

ip.addr == 192.168.1.1
  • Description: Filter packets that contain the IP address 192.168.1.1.

http
  • Description: Filter for HTTP traffic.

dns
  • Description: Filter for DNS traffic.

tcp contains "GET"
  • Description: Filter TCP packets containing the string "GET" (common in HTTP requests).

udp.port == 53
  • Description: Filter packets where the UDP port is 53 (DNS traffic).

frame contains "password"
  • Description: Filter frames containing the word "password".

eth.addr == aa:bb:cc:dd:ee:ff
  • Description: Filter packets containing the specified Ethernet (MAC) address, as source or destination (a MAC address is six octets).

tcp.flags.syn == 1
  • Description: Filter packets where the TCP SYN flag is set (used in TCP handshakes).

ssl
  • Description: Filter for SSL/TLS traffic (since Wireshark 3.0 the dissector is named tls; ssl is kept as an alias).

icmp
  • Description: Filter for ICMP traffic (e.g., ping requests and responses).

ip.src == 10.0.0.1
  • Description: Filter packets originating from the IP address 10.0.0.1.

ip.dst == 10.0.0.2
  • Description: Filter packets destined for the IP address 10.0.0.2.

tcp.analysis.retransmission
  • Description: Filter for TCP retransmissions.

ftp
  • Description: Filter for FTP traffic.

http.request
  • Description: Filter for HTTP request packets.

http.response
  • Description: Filter for HTTP response packets.

tcp.flags.fin == 1
  • Description: Filter packets where the TCP FIN flag is set (used to terminate a TCP connection).

ip.proto == 1
  • Description: Filter for packets using the ICMP protocol.

ip.proto == 6
  • Description: Filter for packets using the TCP protocol.

ip.proto == 17
  • Description: Filter for packets using the UDP protocol.

arp
  • Description: Filter for ARP traffic.

bootp
  • Description: Filter for BOOTP/DHCP traffic (since Wireshark 3.0 the dissector is named dhcp; bootp is kept as an alias).

tcp.stream eq 1
  • Description: Filter packets belonging to the TCP stream number 1.

frame.number == 100
  • Description: Filter to display frame number 100.
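To make clear which bytes of a packet the filter fields above actually refer to, the following is an added example written for these notes (it is not Wireshark code and not part of the CEH lab). It constructs a few Ethernet/IPv4 frames in memory and evaluates a subset of the listed filter syntax over them: bare protocol names, `field == value` (or `eq`), two-sided fields such as `tcp.port`, `ip.addr` and `eth.addr`, the TCP flag fields, and `contains` on the TCP payload or the whole frame. The MAC addresses, IPs and payloads are constructed sample values.

```python
"""A byte-level look at a subset of the Wireshark display filters listed above.
Added example for these notes; frames are constructed and checksums are left at zero."""
import struct


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip4(s):
    return bytes(map(int, s.split(".")))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload=b"", tcp_flags=0x18):
    """Ethernet II + IPv4 + TCP (proto 6) or UDP (proto 17). Checksums stay zero; filters never read them."""
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"
    if proto == 6:  # 20-byte TCP header: ports, seq, ack, data offset 5, flags, window, csum, urgent
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0) + payload
    else:           # 8-byte UDP header: ports, length, csum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     ip4(src_ip), ip4(dst_ip))
    return eth + ip + l4


def decode(frame):
    """Extract the fields the filters name; offsets follow the Ethernet/IPv4/TCP/UDP header layouts."""
    f = {"eth.dst": frame[0:6].hex(":"), "eth.src": frame[6:12].hex(":")}
    if frame[12:14] != b"\x08\x00":  # only IPv4 is decoded in this example
        return f
    ihl = (frame[14] & 0x0F) * 4
    f["ip.proto"] = frame[23]
    f["ip.src"] = ".".join(map(str, frame[26:30]))
    f["ip.dst"] = ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:]
    if f["ip.proto"] == 6:
        f["tcp.srcport"], f["tcp.dstport"] = struct.unpack_from("!HH", l4)
        f["tcp.flags"] = l4[13]
        f["tcp.payload"] = l4[(l4[12] >> 4) * 4:]
    elif f["ip.proto"] == 17:
        f["udp.srcport"], f["udp.dstport"] = struct.unpack_from("!HH", l4)
    return f


FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10}


def matches(frame, expr):
    """Evaluate one filter: bare protocol, `field == value` / `field eq value`, or `field contains "text"`.
    Two-sided fields (tcp.port, udp.port, ip.addr, eth.addr) match either direction, as in Wireshark."""
    f = decode(frame)
    tokens = expr.split(None, 2)
    if len(tokens) == 1:
        name = tokens[0]
        if name == "arp":
            return frame[12:14] == b"\x08\x06"
        return f.get("ip.proto") == {"icmp": 1, "tcp": 6, "udp": 17}.get(name, -1)
    field, op, value = tokens
    value = value.strip('"')
    if op == "contains":
        hay = frame if field == "frame" else f.get("tcp.payload", b"")
        return value.encode() in hay
    if op not in ("==", "eq"):
        raise ValueError(f"unsupported operator {op!r}")
    if field in ("tcp.port", "udp.port"):
        proto = field.split(".")[0]
        return value in (str(f.get(proto + ".srcport")), str(f.get(proto + ".dstport")))
    if field in ("ip.addr", "eth.addr"):
        proto = field.split(".")[0]
        return value in (f.get(proto + ".src"), f.get(proto + ".dst"))
    if field.startswith("tcp.flags."):
        bit = FLAG_BITS[field.rsplit(".", 1)[1]]
        return "tcp.flags" in f and bool(f["tcp.flags"] & bit) == (value == "1")
    return field in f and str(f[field]) == value


def filter_frames(frames, expr):
    """Indices of the frames that satisfy the filter, the way Wireshark narrows its packet list."""
    return [i for i, fr in enumerate(frames) if matches(fr, expr)]


# Constructed sample capture: an HTTP GET, a bare SYN, a DNS query, and a form post with a password field.
A, B = "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"
SAMPLE = [
    build_frame(A, B, "10.0.0.1", "10.0.0.2", 6, 51000, 80, b"GET / HTTP/1.1\r\n"),
    build_frame(A, B, "10.0.0.1", "10.0.0.2", 6, 51001, 80, tcp_flags=0x02),
    build_frame(A, B, "10.0.0.1", "192.168.1.1", 17, 51002, 53, b"\x12\x34\x01\x00"),
    build_frame(B, A, "10.0.0.2", "10.0.0.1", 6, 51003, 80, b"POST /login HTTP/1.1\r\n\r\nuser=bob&password=example"),
]

if __name__ == "__main__":
    for expr in ("tcp.port == 80", 'tcp contains "GET"', "tcp.flags.syn == 1", 'frame contains "password"'):
        print(f"{expr:32} -> frames {filter_frames(SAMPLE, expr)}")
```

The last sample frame is the point of the `frame contains "password"` filter: a credential submitted over plain HTTP is sitting in the frame bytes for anyone on the path (or, on Wi-Fi, in the air) to read, which is why such findings belong in the report as a missing-TLS issue rather than as a Wireshark curiosity.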

You can also use other wireless traffic analyzers such as:

  • AirMagnet WiFi Analyzer PRO (https://www.netally.com)

  • SteelCentral Packet Analyzer (https://www.riverbed.com)

  • Omnipeek Network Protocol Analyzer (https://www.liveaction.com)

  • CommView for Wi-Fi (https://www.tamos.com)

  • Capsa Portable Network Analyzer (https://www.colasoft.com)

Lab 2: Perform Wireless Attacks

Overview of Wireless Attacks

There are several different types of Wi-Fi attacks that attackers use to eavesdrop on wireless network connections in order to obtain sensitive information such as passwords, banking credentials, and medical records, as well as to spread malware.

These include:

  • Fragmentation attack: When successful, such attacks can obtain 1,500 bytes of PRGA (pseudo-random generation algorithm) keystream

  • MAC spoofing attack: The attacker changes their MAC address to that of an authenticated user in order to bypass the access point’s MAC-filtering configuration.

  • Disassociation attack: The attacker makes the victim unavailable to other wireless devices by destroying the connectivity between the access point and client.

  • Deauthentication attack: The attacker floods station(s) with forged deauthentication packets to disconnect users from an access point.

  • Man-in-the-middle attack: An active Internet attack in which the attacker attempts to intercept, read, or alter information between two computers.

  • Wireless ARP poisoning attack: An attack technique that exploits the lack of a verification mechanism in the ARP protocol by corrupting the ARP cache maintained by the OS in order to associate the attacker’s MAC address with the target host.

  • Rogue access points: Wireless access points that an attacker installs on a network without authorization and that are not under the management of the network administrator.

  • Evil twin: A fraudulent wireless access point that pretends to be a legitimate access point by imitating another network name.

  • Wi-Jacking attack: A method used by attackers to gain access to an enormous number of wireless networks.

Task 1: Crack a WEP network using Aircrack-ng

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP, and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless networks. The program runs on both Linux and Windows.

aircrack-ng '/home/attacker/Desktop/Sample Captures/WEPcrack-01.cap'

The above command is used to crack WEP (Wired Equivalent Privacy) encryption on a captured wireless network traffic file. It attempts to recover the WEP key by analyzing the provided capture file.

Task 2: Crack a WPA2 Network using Aircrack-ng

WPA2 is an upgrade to WPA; it includes mandatory support for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), an AES-based encryption protocol with strong security. WPA2 has two modes of operation: WPA2-Personal and WPA2-Enterprise. Despite being stronger than both WEP and WPA, the WPA2 encryption method can also be cracked using various techniques and tools.

aircrack-ng -a2 -b [Target BSSID] -w /home/attacker/Desktop/Wordlist/password.txt '/home/attacker/Desktop/Sample Captures/WPA2crack-01.cap'

The above command is used to perform a dictionary attack to crack WPA2 encryption on a captured wireless network traffic file. It attempts to recover the WPA2 key using a wordlist.

  • -a2: Selects attack mode 2, the WPA/WPA2-PSK mode (mode 1 is WEP).

  • -b [Target BSSID]: Specifies the MAC address (BSSID) of the target access point.

  • -w /home/attacker/Desktop/Wordlist/password.txt: Specifies the path to the wordlist file to be used for the dictionary attack.
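The reason the wordlist attack above works at all is the WPA2-Personal key derivation: the Pairwise Master Key is a deterministic function of the passphrase and the SSID, so once a 4-way handshake has been captured every candidate passphrase can be checked offline. The following is an added example written for these notes (not code from the lab or from aircrack-ng) that derives the PMK exactly as IEEE 802.11i specifies it and puts numbers on the cost of guessing, which is what decides whether a given passphrase policy is adequate. The `"password"` / `"IEEE"` pair is the standard's own published test vector.

```python
"""WPA2-Personal PMK derivation and the arithmetic behind passphrase policy.
Added example for these notes; it is not aircrack-ng code."""
import hashlib
import math

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-Personal
PMK_BYTES = 32             # 256-bit PMK


def pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1 over the passphrase, SSID as salt, 4096 rounds, 32 bytes.
    This is the value the captured handshake lets an attacker verify a guess against."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-Personal passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PMK_BYTES)


def hmac_calls_per_guess() -> int:
    """PBKDF2 produces 20 bytes per block with SHA1; 32 bytes need two blocks of 4096 HMAC calls each.
    This fixed cost is the only thing slowing a wordlist attack down, so passphrase entropy has to do the rest."""
    blocks = math.ceil(PMK_BYTES / hashlib.sha1().digest_size)
    return blocks * PBKDF2_ITERATIONS


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random passphrase of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase in a space of 2**bits at a given guess rate."""
    return 2.0 ** bits / guesses_per_second


def policy_report(guesses_per_second: float = 1e6) -> dict:
    """Compare a wordlist-style passphrase with random ones at an assumed guess rate (the rate is a
    constructed illustration, not a benchmark of any particular hardware)."""
    return {
        "8 lowercase letters (seconds)": seconds_to_exhaust(search_space_bits(8, 26), guesses_per_second),
        "12 random printable (years)": seconds_to_exhaust(search_space_bits(12, 95), guesses_per_second) / 31_557_600,
        "20 random printable (years)": seconds_to_exhaust(search_space_bits(20, 95), guesses_per_second) / 31_557_600,
    }


if __name__ == "__main__":
    print("PMK(password, IEEE) =", pmk("password", "IEEE").hex())
    print("HMAC-SHA1 calls per guess:", hmac_calls_per_guess())
    for label, value in policy_report().items():
        print(f"{label}: {value:,.2f}")
```

Two things the derivation makes concrete for the defender: the SSID is the salt, so precomputed tables only apply to that exact network name, and nothing in the scheme can be tuned on the access point, so the only controls on WPA2-Personal are passphrase length and randomness. WPA2-Enterprise derives the PMK from the EAP exchange instead of a shared passphrase, which is why it has no equivalent offline wordlist attack.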

You can also use other tools such as

  • Elcomsoft Wireless Security Auditor (https://www.elcomsoft.com)

  • Portable Penetrator (https://www.secpoint.com)

  • WepCrackGui (https://sourceforge.net)

  • Pyrit (https://github.com)

  • WepAttack (http://wepattack.sourceforge.net)




Hacker's Mantra: The Hacker Way is an approach to building that involves continuous improvement and iteration. Hackers believe that something can always be better, and that nothing is ever complete. - Mark Zuckerberg

Wireshark is a network protocol sniffer and analyzer. It lets you capture and interactively browse the traffic running on a target network. Wireshark can read live data from Ethernet, Token-Ring, FDDI, serial (PPP and SLIP), and 802.11 wireless LAN. Npcap is a library that is integrated with Wireshark for complete WLAN traffic analysis, visualization, drill-down, and reporting. Wireshark can be used in monitor mode to capture wireless traffic. It is able to capture a vast number of management, control, and data frames, and further analyze the Radiotap header fields to gather critical information such as the protocols and encryption techniques used, the length of the frames, MAC addresses, etc.
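The Radiotap header and the 802.11 frame-control field described above are also what a wireless IDS reads to spot the deauthentication attack listed under Lab 2. The following added example (written for these notes; not Wireshark code and not part of the CEH lab) builds a handful of Radiotap-wrapped 802.11 frames in memory, decodes the frame type, subtype and addresses the way a monitor-mode capture presents them, and flags a transmitter that sends a burst of deauthentication frames. The MAC addresses, timestamps and threshold are constructed values.

```python
"""Decode Radiotap + 802.11 headers and flag deauthentication floods.
Added example for these notes; all frames below are constructed, not captured."""
import struct
from collections import defaultdict, deque

# Minimal Radiotap header: version 0, pad, length 8 (little-endian), no present-flag fields.
RADIOTAP = struct.pack("<BBHI", 0, 0, 8, 0)
BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH = (0, 12)   # (type, subtype): management / deauthentication
BEACON = (0, 8)    # management / beacon


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(ftype, subtype, addr1, addr2, bssid, body=b""):
    """Radiotap + 24-byte 802.11 MAC header (frame control, duration, addr1-3, sequence) + body."""
    fc0 = (subtype << 4) | (ftype << 2)   # protocol version 0 in the low two bits
    hdr = bytes([fc0, 0]) + b"\x00\x00" + mac(addr1) + mac(addr2) + mac(bssid) + b"\x00\x00"
    return RADIOTAP + hdr + body


def parse(frame):
    """Skip the Radiotap header using its own length field, then decode frame control and addresses."""
    if frame[0] != 0:
        raise ValueError("unsupported radiotap version")
    rt_len = struct.unpack_from("<H", frame, 2)[0]
    d = frame[rt_len:]
    fc0 = d[0]
    info = {"type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4,
            "addr1": d[4:10].hex(":"), "addr2": d[10:16].hex(":"), "bssid": d[16:22].hex(":")}
    if (info["type"], info["subtype"]) == DEAUTH:
        info["reason"] = struct.unpack_from("<H", d, 24)[0]   # reason code follows the 24-byte header
    return info


class DeauthDetector:
    """Alert when one transmitter sends `threshold` deauth frames for a BSSID within `window` seconds."""

    def __init__(self, threshold=10, window=5.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)   # (transmitter, bssid) -> deauth timestamps inside the window
        self.alerts = []

    def feed(self, ts, frame):
        info = parse(frame)
        if (info["type"], info["subtype"]) != DEAUTH:
            return None
        key = (info["addr2"], info["bssid"])
        q = self.recent[key]
        q.append(ts)
        while ts - q[0] > self.window:
            q.popleft()
        if len(q) == self.threshold:   # fires once, at the moment the threshold is crossed
            alert = {"transmitter": key[0], "bssid": key[1], "target": info["addr1"],
                     "reason": info["reason"], "count": len(q), "first": q[0], "last": ts}
            self.alerts.append(alert)
            return alert
        return None


def run_sample():
    """Constructed capture: two beacons, one data frame, then 25 broadcast deauths appearing to come
    from the AP at 50 ms spacing, which is the shape a flood has in a monitor-mode capture."""
    ap, client = "02:00:00:00:aa:01", "02:00:00:00:cc:01"
    frames = [(0.0, build_frame(*BEACON, BROADCAST, ap, ap)),
              (0.1, build_frame(*BEACON, BROADCAST, ap, ap)),
              (0.2, build_frame(2, 0, ap, client, ap, b"data"))]
    # reason code 7: class 3 frame received from a non-associated station
    frames += [(1.0 + i * 0.05, build_frame(*DEAUTH, BROADCAST, ap, ap, struct.pack("<H", 7)))
               for i in range(25)]
    det = DeauthDetector()
    for ts, fr in frames:
        det.feed(ts, fr)
    return det.alerts


if __name__ == "__main__":
    for a in run_sample():
        print(f"deauth flood: {a['count']} frames from {a['transmitter']} for BSSID {a['bssid']} "
              f"to {a['target']} between t={a['first']} and t={a['last']} (reason {a['reason']})")
```

The same frames can be isolated in Wireshark with `wlan.fc.type_subtype == 0x0c`; a steady stream of them with a legitimate AP's address as transmitter is the signature to look for. The mitigation is 802.11w Protected Management Frames, which authenticates deauthentication and disassociation frames so that forged ones are dropped by the client.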