Module 16: Hacking Wireless Networks

Objective

The objective of the lab is to protect the target wireless network from unauthorized access. To do so, you will perform various tasks that include, but are not limited to:

• Wi-Fi Packet Analysis

• Crack WEP and WPA2 Wi-Fi networks

Overview of Wireless Networking

In wireless networks, communication takes place through radio wave transmission, which usually takes place at the physical layer of the network structure. Thanks to the wireless communication revolution, fundamental changes to data networking and telecommunication are taking place. This means that you will need to know and understand several types of wireless networks. These include:

• Extension to a wired network: A wired network is extended by the introduction of access points between the wired network and wireless devices

• Multiple access points: Multiple access points connect computers wirelessly

• LAN-to-LAN wireless network: All hardware APs have the ability to interconnect with other hardware access points

• 3G/4G hotspot: A mobile device shares its cellular data wirelessly with Wi-Fi-enabled devices such as MP3 players, notebooks, tablets, cameras, PDAs, and netbooks

Lab 1: Perform Wireless Traffic Analysis

Overview of Wireless Traffic Analysis

Wireless traffic analysis helps in determining the appropriate strategy for a successful attack. Wi-Fi protocols are unique at Layer 2, and traffic over the air is not serialized, which makes it easy to sniff and analyze wireless packets. You can use various Wi-Fi packet-sniffing tools to capture and analyze the traffic of a target wireless network.

Task 1: Wi-Fi Packet Analysis using Wireshark

• To use Wireshark, open any .cap file in the tool or capture all the traffic. Use different flags and search queries to filter the traffic according to the requirements.

tcp.port == 80

• Description: Filter packets where the TCP port is 80 (HTTP traffic).

ip.addr == 192.168.1.1

• Description: Filter packets that contain the IP address 192.168.1.1.

http

• Description: Filter for HTTP traffic.

dns

• Description: Filter for DNS traffic.

tcp contains "GET"

• Description: Filter TCP packets containing the string "GET" (common in HTTP requests).

udp.port == 53

• Description: Filter packets where the UDP port is 53 (DNS traffic).

frame contains "password"

• Description: Filter frames containing the word "password".

eth.addr == aa:bb:cc:dd:ee

• Description: Filter packets containing the specified Ethernet (MAC) address.

tcp.flags.syn == 1

• Description: Filter packets where the TCP SYN flag is set (used in TCP handshakes).

ssl

• Description: Filter for SSL/TLS traffic.

icmp

• Description: Filter for ICMP traffic (e.g., ping requests and responses).

ip.src == 10.0.0.1

• Description: Filter packets originating from the IP address 10.0.0.1.

ip.dst == 10.0.0.2

• Description: Filter packets destined for the IP address 10.0.0.2.

tcp.analysis.retransmission

• Description: Filter for TCP retransmissions.

ftp

• Description: Filter for FTP traffic.

http.request

• Description: Filter for HTTP request packets.

http.response

• Description: Filter for HTTP response packets.

tcp.flags.fin == 1

• Description: Filter packets where the TCP FIN flag is set (used to terminate a TCP connection).

ip.proto == 1

• Description: Filter for packets using the ICMP protocol.

ip.proto == 6

• Description: Filter for packets using the TCP protocol.

ip.proto == 17

• Description: Filter for packets using the UDP protocol.

arp

• Description: Filter for ARP traffic.

bootp

• Description: Filter for BOOTP/DHCP traffic.

tcp.stream eq 1

• Description: Filter packets belonging to the TCP stream number 1.

frame.number == 100

• Description: Filter to display frame number 100.

You can also use other wireless traffic analyzers such as:

• AirMagnet WiFi Analyzer PRO (https://www.netally.com)

• SteelCentral Packet Analyzer (https://www.riverbed.com)

• Omnipeek Network Protocol Analyzer (https://www.liveaction.com)

• CommView for Wi-Fi (https://www.tamos.com)

• Capsa Portable Network Analyzer (https://www.colasoft.com)

Lab 2: Perform Wireless Attacks

Overview of Wireless Attacks

There are several different types of Wi-Fi attacks that attackers use to eavesdrop on wireless network connections in order to obtain sensitive information such as passwords, banking credentials, and medical records, as well as to spread malware.

These include:

• Fragmentation attack: When successful, such attacks can obtain 1,500 bytes of PRGA (pseudo random generation algorithm)

• MAC spoofing attack: The attacker changes their MAC address to that of an authenticated user in order to bypass the access point’s MAC-filtering configuration.

• Disassociation attack: The attacker makes the victim unavailable to other wireless devices by destroying the connectivity between the access point and client.

• Deauthentication attack: The attacker floods station(s) with forged deauthentication packets to disconnect users from an access point.

• Man-in-the-middle attack: An active Internet attack in which the attacker attempts to intercept, read, or alter information between two computers.

• Wireless ARP poisoning attack: An attack technique that exploits the lack of a verification mechanism in the ARP protocol by corrupting the ARP cache maintained by the OS in order to associate the attacker’s MAC address with the target host.

• Rogue access points: Wireless access points that an attacker installs on a network without authorization and that are not under the management of the network administrator.

• Evil twin: A fraudulent wireless access point that pretends to be a legitimate access point by imitating another network name.

• Wi-Jacking attack: A method used by attackers to gain access to an enormous number of wireless networks.

Task 1: Crack a WEP network using Aircrack-ng

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP, and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless networks. The program runs on both Linux and Windows.

aircrack-ng '/home/attacker/Desktop/Sample Captures/WEPcrack-01.cap'

The above cmd is used to crack WEP (Wired Equivalent Privacy) encryption on a captured wireless network traffic file. It attempts to recover the WEP key by analyzing the provided capture file.

Task 2: Crack a WPA2 Network using Aircrack-ng

WPA2 is an upgrade to WPA; it includes mandatory support for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), an AES-based encryption protocol with strong security. WPA2 has two modes of operation: WPA2-Personal and WPA2-Enterprise. Despite being stronger than both WEP and WPA, the WPA2 encryption method can also be cracked using various techniques and tools.

aircrack-ng -a2 -b [Target BSSID] -w /home/attacker/Desktop/Wordlist/password.txt '/home/attacker/Desktop/Sample Captures/WPA2crack-01.cap'

The above cmd is used to perform a dictionary attack to crack WPA2 encryption on a captured wireless network traffic file. It attempts to recover the WPA2 key using a wordlist.

• -a2: Specifies the attack mode for WPA2.

• -b [Target BSSID]: Specifies the MAC address (BSSID) of the target access point.

• -w /home/attacker/Desktop/Wordlist/password.txt: Specifies the path to the wordlist file to be used for the dictionary attack.

You can also use other tools such as

• Elcomsoft Wireless Security Auditor (https://www.elcomsoft.com)

• Portable Penetrator (https://www.secpoint.com)

• WepCrackGui (https://sourceforge.net)

• Pyrit (https://github.com)

• WepAttack (http://wepattack.sourceforge.net)

Hacker's Mantra:The Hacker Way is an approach to building that involves continuous improvement and iteration. Hackers believe that something can always be better, and that nothing is ever complete. - Mark Zuckerberg