Module 16: Hacking Wireless Networks

Objective

The objective of the lab is to protect the target wireless network from unauthorized access. To do so, you will perform various tasks that include, but are not limited to:

  • Wi-Fi Packet Analysis

  • Crack WEP and WPA2 Wi-Fi networks

Overview of Wireless Networking

In wireless networks, communication takes place through radio wave transmission, which usually takes place at the physical layer of the network structure. Thanks to the wireless communication revolution, fundamental changes to data networking and telecommunication are taking place. This means that you will need to know and understand several types of wireless networks. These include:

  • Extension to a wired network: A wired network is extended by the introduction of access points between the wired network and wireless devices

  • Multiple access points: Multiple access points connect computers wirelessly

  • LAN-to-LAN wireless network: All hardware APs have the ability to interconnect with other hardware access points

  • 3G/4G hotspot: A mobile device shares its cellular data wirelessly with Wi-Fi-enabled devices such as MP3 players, notebooks, tablets, cameras, PDAs, and netbooks

Lab 1: Perform Wireless Traffic Analysis

Overview of Wireless Traffic Analysis

Wireless traffic analysis helps in determining the appropriate strategy for a successful attack. Wi-Fi protocols are unique at Layer 2, and traffic over the air is not serialized, which makes it easy to sniff and analyze wireless packets. You can use various Wi-Fi packet-sniffing tools to capture and analyze the traffic of a target wireless network.

Task 1: Wi-Fi Packet Analysis using Wireshark

Wireshark is a network protocol sniffer and analyzer. It lets you capture and interactively browse the traffic running on a target network. Wireshark can read live data from Ethernet, Token-Ring, FDDI, serial (PPP and SLIP), and 802.11 wireless LAN. Npcap is a library that is integrated with Wireshark for complete WLAN traffic analysis, visualization, drill-down, and reporting. Wireshark can be used in monitor mode to capture wireless traffic. It can capture management, control, and data frames, and it can analyze the Radiotap header fields to gather critical information such as the protocols and encryption techniques used, frame lengths, and MAC addresses.

  • To use Wireshark, open any .cap file in the tool or capture all the traffic. Use display filters such as the following to narrow the traffic to what you need.

tcp.port == 80
  • Description: Filter packets where the TCP port is 80 (HTTP traffic).

ip.addr == 192.168.1.1
  • Description: Filter packets that contain the IP address 192.168.1.1.

http
  • Description: Filter for HTTP traffic.

dns
  • Description: Filter for DNS traffic.

tcp contains "GET"
  • Description: Filter TCP packets containing the string "GET" (common in HTTP requests).

udp.port == 53
  • Description: Filter packets where the UDP port is 53 (DNS traffic).

frame contains "password"
  • Description: Filter frames containing the word "password".

eth.addr == aa:bb:cc:dd:ee:ff
  • Description: Filter packets containing the specified Ethernet (MAC) address.

tcp.flags.syn == 1
  • Description: Filter packets where the TCP SYN flag is set (used in TCP handshakes).

ssl
  • Description: Filter for SSL/TLS traffic. Wireshark 3.0 and later name this filter tls.

icmp
  • Description: Filter for ICMP traffic (e.g., ping requests and responses).

ip.src == 10.0.0.1
  • Description: Filter packets originating from the IP address 10.0.0.1.

ip.dst == 10.0.0.2
  • Description: Filter packets destined for the IP address 10.0.0.2.

tcp.analysis.retransmission
  • Description: Filter for TCP retransmissions.

ftp
  • Description: Filter for FTP traffic.

http.request
  • Description: Filter for HTTP request packets.

http.response
  • Description: Filter for HTTP response packets.

tcp.flags.fin == 1
  • Description: Filter packets where the TCP FIN flag is set (used to terminate a TCP connection).

ip.proto == 1
  • Description: Filter for packets using the ICMP protocol.

ip.proto == 6
  • Description: Filter for packets using the TCP protocol.

ip.proto == 17
  • Description: Filter for packets using the UDP protocol.

arp
  • Description: Filter for ARP traffic.

bootp
  • Description: Filter for BOOTP/DHCP traffic. Wireshark 3.0 and later name this filter dhcp.

tcp.stream eq 1
  • Description: Filter packets belonging to the TCP stream number 1.

frame.number == 100
  • Description: Filter to display frame number 100.

You can also use other wireless traffic analyzers such as:

  • AirMagnet WiFi Analyzer PRO (https://www.netally.com)

  • SteelCentral Packet Analyzer (https://www.riverbed.com)

  • Omnipeek Network Protocol Analyzer (https://www.liveaction.com)

  • CommView for Wi-Fi (https://www.tamos.com)

  • Capsa Portable Network Analyzer (https://www.colasoft.com)

Lab 2: Perform Wireless Attacks

Overview of Wireless Attacks

There are several different types of Wi-Fi attacks that attackers use to eavesdrop on wireless network connections in order to obtain sensitive information such as passwords, banking credentials, and medical records, as well as to spread malware.

These include:

  • Fragmentation attack: When successful, such attacks can obtain 1,500 bytes of PRGA (pseudo random generation algorithm)

  • MAC spoofing attack: The attacker changes their MAC address to that of an authenticated user in order to bypass the access point’s MAC-filtering configuration.

  • Disassociation attack: The attacker makes the victim unavailable to other wireless devices by destroying the connectivity between the access point and client.

  • Deauthentication attack: The attacker floods station(s) with forged deauthentication packets to disconnect users from an access point.

  • Man-in-the-middle attack: An active Internet attack in which the attacker attempts to intercept, read, or alter information between two computers.

  • Wireless ARP poisoning attack: An attack technique that exploits the lack of a verification mechanism in the ARP protocol by corrupting the ARP cache maintained by the OS in order to associate the attacker’s MAC address with the target host.

  • Rogue access points: Wireless access points that an attacker installs on a network without authorization and that are not under the management of the network administrator.

  • Evil twin: A fraudulent wireless access point that pretends to be a legitimate access point by imitating another network name.

  • Wi-Jacking attack: A method used by attackers to gain access to an enormous number of wireless networks.
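
The deauthentication and disassociation attacks listed above can be detected by counting those management frames per BSSID over a short window. The Python code below is an added example, not part of the original lab; the function names, the 1-second window, the threshold of 10 frames, and the sample frames are assumptions constructed for illustration, and it expects 802.11 frames with the Radiotap header already removed.

```python
import struct
from collections import defaultdict, deque

SUBTYPES = {0x0A: "disassoc", 0x0C: "deauth"}  # 802.11 management subtypes

def parse_teardown(frame: bytes):
    """Return (kind, dst, src, bssid, reason) for a deauth/disassoc frame, else None.
    Assumes the Radiotap header has already been stripped."""
    if len(frame) < 26:                      # 24-byte MAC header + 2-byte reason code
        return None
    fc0, flags = frame[0], frame[1]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, fc0 >> 4
    if version != 0 or ftype != 0 or subtype not in SUBTYPES:  # type 0 = management
        return None
    dst, src, bssid = (frame[i:i + 6].hex(":") for i in (4, 10, 16))
    # With 802.11w (PMF) the Protected bit is set and the body is encrypted.
    reason = None if flags & 0x40 else struct.unpack_from("<H", frame, 24)[0]
    return SUBTYPES[subtype], dst, src, bssid, reason

def detect_floods(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame) in capture order.
    Returns {bssid: peak number of teardown frames seen within `window` seconds}
    for each BSSID whose peak reached `threshold` (both are assumptions to tune)."""
    recent, peaks = defaultdict(deque), {}
    for ts, raw in frames:
        parsed = parse_teardown(raw)
        if parsed is None:
            continue
        bssid = parsed[3]
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:            # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold:
            peaks[bssid] = max(peaks.get(bssid, 0), len(q))
    return peaks

def sample_frame(fc0, dst, src, bssid, body=b"\x07\x00"):
    """Build a constructed test frame: FC, duration, 3 addresses, seq ctrl, body."""
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (dst, src, bssid))
    return bytes([fc0, 0]) + b"\x00\x00" + addrs + b"\x00\x00" + body

# Constructed capture: a beacon, one ordinary deauth, then a 30-frame burst in 0.3 s.
AP1, AP2 = "02:00:00:00:00:01", "02:00:00:00:00:aa"
STA, BCAST = "02:00:00:00:00:10", "ff:ff:ff:ff:ff:ff"
SAMPLE = [(0.0, sample_frame(0x80, BCAST, AP1, AP1, b"\x00" * 12)),
          (0.5, sample_frame(0xC0, STA, AP1, AP1, b"\x03\x00"))]
SAMPLE += [(2.0 + i * 0.01, sample_frame(0xC0, BCAST, AP2, AP2)) for i in range(30)]

if __name__ == "__main__":
    print(detect_floods(SAMPLE))
```

In Wireshark, the same frames can be isolated with the display filter wlan.fc.type_subtype == 12 (deauthentication) or wlan.fc.type_subtype == 10 (disassociation).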

Task 1: Crack a WEP network using Aircrack-ng

Aircrack-ng is a network software suite consisting of a detector, a packet sniffer, a WEP and WPA/WPA2-PSK cracker, and an analysis tool for 802.11 wireless networks. The program runs on both Linux and Windows.

aircrack-ng '/home/attacker/Desktop/Sample Captures/WEPcrack-01.cap'

The above command is used to crack WEP (Wired Equivalent Privacy) encryption using a file of captured wireless network traffic. It attempts to recover the WEP key by analyzing the provided capture file.

Task 2: Crack a WPA2 Network using Aircrack-ng

WPA2 is an upgrade to WPA; it includes mandatory support for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), an AES-based encryption protocol with strong security. WPA2 has two modes of operation: WPA2-Personal and WPA2-Enterprise. Despite being stronger than both WEP and WPA, the WPA2 encryption method can also be cracked using various techniques and tools.

aircrack-ng -a2 -b [Target BSSID] -w /home/attacker/Desktop/Wordlist/password.txt '/home/attacker/Desktop/Sample Captures/WPA2crack-01.cap'

The above command performs a dictionary attack against WPA2 encryption using a file of captured wireless network traffic. It attempts to recover the WPA2 key using a wordlist.

  • -a2: Forces the attack mode to WPA/WPA2-PSK (1 is WEP, 2 is WPA/WPA2-PSK).

  • -b [Target BSSID]: Specifies the MAC address (BSSID) of the target access point.

  • -w /home/attacker/Desktop/Wordlist/password.txt: Specifies the path to the wordlist file to be used for the dictionary attack.

You can also use other tools such as:

  • Elcomsoft Wireless Security Auditor (https://www.elcomsoft.com)

  • Portable Penetrator (https://www.secpoint.com)

  • WepCrackGui (https://sourceforge.net)

  • Pyrit (https://github.com)

  • WepAttack (http://wepattack.sourceforge.net)




Hacker's Mantra: The Hacker Way is an approach to building that involves continuous improvement and iteration. Hackers believe that something can always be better, and that nothing is ever complete. - Mark Zuckerberg