Wireless Labs


  • 7/28/2019 Wireless Labs

    1/32

    Birmingham City University
    Faculty of Technology, Engineering and the Environment
    School of Computing, Telecommunications and Networks

    Wireless Networking UG2


    Wireless Security

    Lab 1 - BACKTRACK 5

    Wireless penetration testing is a practical subject, and it is important to first set up a lab where we can try out all the different experiments in a safe and controlled environment. It is important that you set up this lab before proceeding.

    We shall look at the following:

    Hardware and software requirements
    BackTrack 5 installation
    Setting up an access point and configuring it
    Installing the wireless card
    Testing connectivity between the laptop and the access point

    So let the games begin!

    The following lab will investigate BackTrack 5; this is a Linux distribution built for network testing and vulnerability assessment.

    This first lab looks at BackTrack 5 and booting the system from DVD. You will be given a DVD with BT5R1; all of the lab PCs that have a wireless card installed have been configured to boot from DVD. Insert the BT5R1 DVD into the DVD drive and reboot from Windows.

    Hardware requirements

    We will need the following hardware to set up the wireless lab:

    Two PCs with internal/external Wi-Fi cards: We will use one of the PCs as the victim in our lab and the other as the penetration tester's PC (please note that the PC with the internal card will always be the attacker).
    One access point: Any access point which supports the WEP/WPA/WPA2 encryption standards would fit the bill. I will be using a Linksys Wireless N router within these labs.
    An Internet connection: This will come in handy to perform research, download software, and for some of our experiments.

    Software requirements

    We will need the following software to set up the wireless lab:

    BackTrack 5: BackTrack can be downloaded from its official website at http://www.backtrack-linux.org. The software is open source and you should be able to download it directly from the website. (Note: I also have a VMware version.)
    Windows XP: This PC will be used as the victim machine for the rest of the labs.

    It is important to note that even though we are using a Windows-based OS for our tests, the techniques learnt can be applied to any Wi-Fi capable device, such as smartphones and tablets, among others.


    Lab topology

    Setting up Backtrack 5

    BackTrack is relatively simple to install. We will run BackTrack by booting it as a Live DVD and then install it on the hard drive.

    Perform the following instructions step-by-step:

    1. Boot the PC with this DVD and select the option BackTrack Text - Default Boot Text Mode from the boot menu:


    2. If booting was successful then you should see the familiar BackTrack screen:

    3. You can boot into the graphical mode by entering startx at the command prompt. Once you are in the GUI, your screen should resemble the following:


    Setting up the access point

    For the wireless network and access point I will be using the Linksys WRT160N router and a Linksys WUSB600N card.

    I have reset the access point and logged in under the default username/password of admin/admin, with the default IP address of 192.168.1.1 for the AP and 192.168.1.100 for the client PC.

    I have set the network name (SSID) to Wireless_Lab. In this first lab we will look at the network while it is open with no security enabled. As shown below, the AP has been set with no security.


    Now that the network is configured with BT5 and the wireless access point is set up, we are going to look at the AP from BT5. Open up the wireless network manager; this can be found under Applications and Internet.

    As you can see, the wireless network manager has found the Wireless_Lab AP. In this case BT5 is behaving as a normal user and could connect to the network by clicking the Connect button. However, this is not what we want to achieve in the lab.

    Close the wireless manager by clicking the x button. Now open the terminal console and issue the following commands.

    1. ifconfig


    As you can see, a number of interfaces are shown; the one that we are interested in is the wlan0 interface. To check that wlan0 is a wireless interface, type iwconfig into the terminal window.

    Passive Network Attack

    We are now going to run the first attack on the network. This is a passive attack: the end users will not know that you are scanning for wireless networks.

    Using iwconfig

    You use iwconfig to configure a wireless network interface. If you're familiar with the ifconfig command, iwconfig is similar but works only with wireless interfaces. You use iwconfig to set the wireless parameters, such as frequency, and to display statistics. The examples below use eth0 as the interface name; on the lab PCs the wireless interface is wlan0, so substitute wlan0. The syntax is as follows:


    essid: Use the ESSID parameter to specify the ESSID or network name. For example, the following sets the ESSID for the wireless adapter to any, which is useful for wardriving:

    iwconfig eth0 essid any

    nwid/domain: Use the Network ID parameter to specify the network ID or domain ID. For example, the following disables network ID checking:

    iwconfig eth0 nwid off

    freq/channel: Use this parameter to set the operating frequency or channel. A value below 1,000 is taken as a channel number, while a value above that is a frequency in Hz (the suffixes k, M and G are accepted). For example, the following sets the frequency to 2.422 GHz:

    iwconfig eth0 freq 2.422G

    Or, equivalently, the following selects channel three (whose centre frequency is 2.422 GHz):

    iwconfig eth0 channel 3

    sens: Use this parameter to set the sensitivity threshold. For example, the following sets the level to -80 dBm:

    iwconfig eth0 sens -80

    mode: Use this parameter to set the operating mode of the device. The operating mode is one of the following:

    Ad-hoc: no access point.
    Managed: the node connects to a network composed of many access points, with roaming.
    Master: the node is the synchronisation master or acts as an access point.
    Repeater: the node forwards packets between other wireless nodes.
    Secondary: the node acts as a backup master or repeater.
    Monitor: the node acts as a passive monitor and only receives packets.
    Auto: self-explanatory.

    For example, the following specifies infrastructure (managed) mode:

    iwconfig eth0 mode managed

    ap: Use this parameter to force the card to register to the access point given by the address. Use off to re-enable automatic mode without changing the current access point, or use any or auto to force the card to re-associate with the current best access point. For example, the following forces association with the access point with the hardware address 00:60:1D:01:23:45:

    iwconfig eth0 ap 00:60:1D:01:23:45

    nick[name]: Use this parameter to set the nickname or station name. For example, the following sets the nickname to Peter Node (quoted because it contains a space):

    iwconfig eth0 nickname "Peter Node"

    rate/bit[rate]: Use this parameter to set the bit rate in bits per second for cards supporting multiple bit rates. For example, the following sets the bit rate to 11 Mbps:

    iwconfig eth0 rate 11M

    Using iwlist

    iwlist allows you to display more detailed information from a wireless interface than you can get with iwconfig. For instance, you can get the ESSID, node name, frequency, signal quality and strength, bit rate and error rate. The syntax is as follows:

    From the terminal type: iwlist wlan0 scanning

    This will list all of the wireless networks in range. Look for Wireless_Lab as shown in the screenshot; as you can see, the output shows the ESSID name and the bit rates this network supports.

    Now you are going to associate with the AP. Issue the command iwconfig wlan0 essid "Wireless_Lab" and then iwconfig wlan0 to check the status. If you have successfully connected to the access point, you should see the MAC address of the access point in the Access Point: field in the output of iwconfig, as shown in the following screenshot:

    Note: You need to make a note of the AP MAC address; you will need it later in the lab.

    We know the access point has a management interface IP address of 192.168.1.1 from its manual; alternatively, this is the same as the default gateway shown when we run route -n. Let's set our IP address in the same subnet by issuing the command ifconfig wlan0 192.168.1.101 netmask 255.255.255.0 up (the client PC already uses 192.168.1.100, so pick an address that does not clash with it). Verify the command succeeded by typing ifconfig wlan0 and checking the output:


    Now let's ping the access point by issuing the command ping 192.168.1.1. If the network connection has been set up properly, then you should see the responses from the access point. You can additionally issue arp -a to verify that the response is coming from the access point: the MAC address listed for 192.168.1.1 should be the access point's MAC address we noted earlier. It is important to note that some of the more recent access points might have responses to ICMP Echo Request packets disabled. This is typically done to make the access point secure out-of-the-box with only the bare minimum configuration settings available. In such a case, you could try to launch a browser and access the web interface to verify that the connection is up and running.

    Video of Lab 1


    Lab 2 - WLAN and its problems

    In this lab we will investigate the issues with wireless and look at the management frames that are used to control the network. WLANs by design have certain insecurities which are relatively easy to exploit, such as packet spoofing, packet injection, and sniffing (which could even happen from far away). We will explore those flaws in this lab.

    In this lab, we will look at the following:

    Revisiting WLAN frames

    Different frame types and sub-types

    Using Wireshark to sniff Management, Control, and Data frames

    Sniffing data packets for a given wireless network

    Injecting packets into a given wireless network

    Revisiting WLAN frames

    In WLANs, communication happens over frames. A frame would have the following header structure:

    The "Frame Control" field itself has a more complex structure:


    The Type field defines the type of WLAN frame, which has three possibilities:

    1. Management frames: Management frames are responsible for maintaining communication between the access points and wireless clients. Management frames can have the following sub-types:

    Authentication

    De-authentication

    Association Request

    Association Response

    Reassociation Request

    Reassociation Response

    Disassociation

    Beacon

    Probe Request

    Probe Response

    2. Control frames: Control frames are responsible for ensuring a proper exchange of data between the access point and wireless clients. Control frame sub-types include:

    Request to Send (RTS)

    Clear to Send (CTS)

    Acknowledgement (ACK)

    3. Data frames: Data frames carry the actual data sent on the wireless network. Data frames also have sub-types (for example Null function and QoS Data), but in these labs we only need to distinguish data frames from the other two types.

    We will discuss the security implications of each of these frames when we discuss the different attacks later in these labs.

    We will now look at how to sniff these frames over a wireless network using Wireshark. There are other tools like airodump-ng, tcpdump, or tshark which can be used for sniffing as well. We will, however, use Wireshark for most of these labs, but we encourage you to explore other tools. The first step in doing this is to create a monitor mode interface.

    Creating a monitor mode interface

    Set up the basic wireless lab as set out in Lab 1, start BT5 and make sure that you can see your own network.

    The first step is to create a monitor interface for Wireshark to inspect traffic; for this we will use airmon-ng. From the terminal console, check that wlan0 is up and working.


    To put our card into monitor mode, we will use the airmon-ng utility which is available by default on BackTrack. First run airmon-ng to verify it detects the available cards. You should see the wlan0 interface listed in the output:

    Now issue airmon-ng start wlan0 and you should see the mon0 interface listed. You can also check with the ifconfig command.


    Wireshark

    Follow these instructions to begin sniffing packets:

    1. Start Wireshark by typing wireshark & in the console. Once Wireshark is running, click on the Capture | Interfaces sub-menu:

    2. Select packet capture from the mon0 interface by clicking on the Start button to the right of the mon0 interface as shown in the preceding screenshot. Wireshark will begin the capture and you should now see packets within the Wireshark window:


    These are wireless packets which your wireless card is sniffing off the air. In order to view any packet, select it in the top window and the entire packet will be displayed in the middle window:


    As can be seen from the above screenshot, the management frame is showing the SSID Wireless_Lab.

    We just sniffed our first set of packets off the air! We launched Wireshark, which used the monitor mode interface mon0 we created previously. You will notice, by looking at the footer region of Wireshark, the speed at which the packets are being captured and also the number of packets captured so far.

    Wireshark traces can be a bit daunting at times, and even for a reasonably populated wireless network you could end up sniffing a few thousand packets. Hence, it is important to be able to drill down to only those packets which interest us. This can be accomplished using filters in Wireshark. Explore how you can use these filters to identify unique wireless devices in the traces, both access points and wireless clients.

    Now we will learn how to apply filters in Wireshark to look at management, control, and data frames.

    Please follow these instructions step-by-step:

    1. To view all the management frames in the packets being captured, enter the filter wlan.fc.type == 0 into the filter window and click on Apply. You can stop the packet capture if you want to prevent the packets from scrolling down too fast:

    Examine the output and find the MAC address of your AP.

    2. To view control frames, modify the filter expression to read wlan.fc.type == 1.

    3. To view data frames, modify the filter expression to wlan.fc.type == 2.

    4. To additionally select a sub-type, use the wlan.fc.subtype filter. For example, to view all the Beacon frames among all management frames use the following filter: (wlan.fc.type == 0) && (wlan.fc.subtype == 8).

    We just learned how to filter packets in Wireshark using various filter expressions. This helps us to monitor selected packets from devices we are interested in, instead of trying to analyse all the packets in the air.

    Also, we can see that the headers of management, control, and data frames are in plain text and are not encrypted, so anyone who can sniff the packets can read them. It is also important to note that an attacker can modify any of these frames and re-transmit them. As the protocol (without the optional 802.11w management frame protection) has no integrity or replay protection for these frames, this is very easy to do. We will look at some of these attacks in later labs.

    Remove the filters

    Challenge Lab 2A

    Form two teams (groups of four) and set up a wireless lab as in Lab 1; this time each group will attack the other group.

    Group A will set up their AP with a password of their choosing (no more than 8 characters). Group B will do the same. Each group will then attempt to gain access to the other group's AP by finding the username and password.

    Video of Lab 2


    Lab 3 - Packet Injection

    We will be using the aireplay-ng tool which is available in BackTrack for this lab.

    Follow these instructions carefully:

    1. In order to do an injection test, first start Wireshark and apply the filter expression (wlan.bssid == 00:1E:E5:5A:D9:50) && !(wlan.fc.type_subtype == 0x08). This will ensure that we only see non-beacon packets for our lab network (where 00:1E:E5:5A:D9:50 is the MAC of your AP).

    2. Now run the following command in a terminal: aireplay-ng -9 -e Wireless_Lab -a 00:1E:E5:5A:D9:50 mon0

    (Note: I have used aireplay-ng -9 -e Wireless_Lab -a 00:1E:E5:5A:D9:50 --ignore-negative-one mon0; this is due to the VM.)

    3. Go back to Wireshark and you should see a lot of packets on the screen now. Some of these packets have been sent by the aireplay-ng we launched, and others are from the access point Wireless_Lab in response to the injected packets:


    As can be seen from the above screenshot, the injection-test frames are being sent from the attacker PC (aireplay-ng -9 sends broadcast and directed Probe Requests) and the access point answers them with Probe Responses. We just successfully injected packets into our test lab network using aireplay-ng. It is important to note that our card injected these arbitrary packets into the network without actually being connected to the access point Wireless_Lab.

    Lab 3A - Sniffing Data Packets

    This is similar to Lab 2 and will look more at the traffic being sent to and from the AP. As before, set up the wireless network as outlined in Lab 1.

    We will be using the aireplay-ng tool which is available in BackTrack for this exercise.

    Follow these instructions carefully:

    1. Issue airmon-ng start wlan0 and you should see the mon0 interface listed. You can also check with the ifconfig command.

    2. Start Wireshark and apply the filter expression (wlan.bssid == 00:1E:E5:5A:D9:50) && !(wlan.fc.type_subtype == 0x08). This will ensure that we only see non-beacon packets for our lab network.

    3. Now run the following command in a terminal: aireplay-ng -9 -e Wireless_Lab -a 00:1E:E5:5A:D9:50 mon0

    4. Now from the client PC open a web page to the AP and log in. You will be looking for a specific packet, an HTTP GET; look for GET /favicon.ico as shown below:


    Once you have found the packet, look at the packet details within Wireshark and see if you can find the username/password.
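What Wireshark is showing you in that packet's details can be reproduced in a few lines. The following is an added example, not code from the lab handout or from any of the tools it uses. It assumes the AP's web interface uses HTTP Basic authentication, so every request the browser sends after login, including its automatic GET /favicon.ico, carries an Authorization: Basic header with the base64-encoded username:password; the request bytes below are constructed for the example, with the lab's default admin/admin login.

```python
"""Recover HTTP Basic credentials from a sniffed request (added example).

Assumption: the AP's web interface uses HTTP Basic authentication, so the
Authorization header is repeated on every request after login, which is
why catching any one request such as GET /favicon.ico is enough.  The
request below is constructed for this example, not taken from a capture.
"""
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed sample TCP payload of the favicon request.  "YWRtaW46YWRtaW4="
# is base64 for "admin:admin", the lab AP's default login.
SAMPLE_REQUEST = (
    b"GET /favicon.ico HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)


def parse_request(payload: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP request into its request line and a header dict.

    Header names are lower-cased: HTTP header names are case-insensitive
    and browsers differ in the capitalisation they send.
    """
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", errors="replace")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            key = name.strip().lower().decode("ascii", errors="replace")
            headers[key] = value.strip().decode("latin-1")
    return request_line, headers


def basic_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a Basic Authorization header, else None.

    None covers: no Authorization header, a scheme other than Basic (e.g.
    Digest, which does not carry the password), and malformed base64.
    """
    auth = headers.get("authorization")
    if not auth:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(b":")
    if not sep:  # RFC 7617: the payload is always user-id ":" password
        return None
    return user.decode("latin-1"), password.decode("latin-1")


def credentials_from_request(payload: bytes) -> Optional[Tuple[str, str]]:
    """Convenience wrapper: raw request bytes in, credentials (or None) out."""
    _request_line, headers = parse_request(payload)
    return basic_credentials(headers)
```

The point to take away is that Basic authentication is only encoding, not encryption: on an open WLAN (or one whose WEP/WPA key you already have) every request to the AP's admin page hands over the password in a form that decodes in one step.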

    Important note on WLAN sniffing and injection

    WLANs typically operate within three different frequency ranges: 2.4 GHz, 3.6 GHz, and 4.9/5.0 GHz. Not all Wi-Fi cards support all these ranges and their associated bands.

    Another interesting aspect of Wi-Fi is that in each of these bands there are multiple channels. It is important to note that your Wi-Fi card can only be on one channel at any given moment. It is not possible to tune into multiple channels at the same time. The analogy I can give you is your car radio. You can tune it to only one of the available channels at any given time. If you want to hear something else, you will have to change the channel of the radio. The same principle applies to WLAN sniffing. This brings us to an important conclusion: we cannot sniff all channels at the same time, so we will need to select which channel is of interest to us. What this means is that if our access point of interest is on channel 1, we will need to set our card to channel 1.

    Though we have addressed WLAN sniffing in the previous paragraphs, the same appliesto injection as well. To inject packets on a specific channel, we will need to put the cardradio on that channel.

    Let's now do some exercises on setting our card to specific channels, channel hopping,setting regulatory domains, power levels, and so on.


    Lab 3B - Looking at the wireless card

    1. Enter the iwconfig wlan0 command to check the capabilities of your card. As you cansee in the following screenshot, the card can operate in the a/b/g/n bands:

    2. To set the card on a particular channel we use the iwconfig mon0 channel X command:

    The iwconfig series of commands does not have a channel hopping mode. One could write a simple script over it to make it do so. An easier way is to use airodump-ng with options to either hop channels arbitrarily, or only over a subset, or only over selected bands. All these options are illustrated in the following screenshot when we run airodump-ng --help:
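The following is an added example, not part of the handout, showing the channel-to-frequency relationship that iwconfig's "below 1,000 is a channel" rule depends on, and the sort of simple hopping script mentioned above. It handles the 2.4 GHz band (channels 1 to 14) and the 5 GHz band; the 3.6 GHz band is left out, and the hop lists are illustrative assumptions rather than a regulatory table. The hop function returns the commands it would issue and only runs them when dry_run is turned off, which needs root and a real monitor interface.

```python
"""Wi-Fi channel/frequency helpers and an iwconfig channel-hopping plan.

Added example, not from the original handout.  iwconfig takes either a
channel number (any value below 1000) or a frequency in Hz (k/M/G suffixes
allowed).  The mapping covers the 2.4 GHz band (channels 1-14) and the
5 GHz band; the 3.6 GHz band is not handled.  HOP_PLANS is an assumption
for illustration, not a statement of which channels are legal where you are.
"""
import subprocess
import time
from typing import Iterable, List


def channel_to_mhz(channel: int) -> int:
    """Centre frequency in MHz for a 2.4 GHz or 5 GHz channel number."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel        # channel 3 -> 2422 MHz, i.e. 2.422G
    if channel == 14:
        return 2484                      # Japan-only channel, off the 5 MHz grid
    if 32 <= channel <= 196:
        return 5000 + 5 * channel        # channel 36 -> 5180 MHz
    raise ValueError(f"unknown channel {channel}")


def mhz_to_channel(mhz: int) -> int:
    """Inverse of channel_to_mhz; rejects frequencies that are not channel centres."""
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472 and (mhz - 2407) % 5 == 0:
        return (mhz - 2407) // 5
    if 5160 <= mhz <= 5980 and (mhz - 5000) % 5 == 0:
        return (mhz - 5000) // 5
    raise ValueError(f"{mhz} MHz is not a Wi-Fi channel centre frequency")


def iwconfig_arg_to_channel(arg: str) -> int:
    """Resolve the argument of 'iwconfig <if> freq|channel <arg>' to a channel.

    Below 1000 the number is a channel; otherwise it is a frequency in Hz,
    so '3', '2.422G' and '2422M' all mean channel 3.
    """
    scale = {"k": 1e3, "M": 1e6, "G": 1e9}
    if arg and arg[-1] in scale:
        value = float(arg[:-1]) * scale[arg[-1]]
    else:
        value = float(arg)
    if value < 1000:
        return int(value)
    return mhz_to_channel(int(round(value / 1e6)))


# Assumed hop lists: 2.4 GHz channels 1-13 and four UNII-1 5 GHz channels.
HOP_PLANS = {"bg": list(range(1, 14)), "a": [36, 40, 44, 48]}


def hop_commands(interface: str, channels: Iterable[int]) -> List[List[str]]:
    """One iwconfig invocation per channel in the plan."""
    return [["iwconfig", interface, "channel", str(ch)] for ch in channels]


def hop(interface: str, band: str, dwell_s: float = 0.5, dry_run: bool = True) -> List[str]:
    """Cycle the card through the band's channels once, pausing dwell_s on each.

    With dry_run=True (the default) nothing is executed and the commands are
    only returned for inspection.  Running for real needs root.
    """
    issued: List[str] = []
    for cmd in hop_commands(interface, HOP_PLANS[band]):
        issued.append(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
            time.sleep(dwell_s)
    return issued
```

Because the card sits on one channel for dwell_s and then moves on, a hopping sniffer sees only a fraction of each network's traffic; once you know the channel the target AP is on, lock to it with a single iwconfig mon0 channel X rather than hopping.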


    Bypassing WLAN Authentication

    WLANs have weak authentication schemes, which can be easily broken and bypassed. In these labs, we will look at the various authentication schemes used in WLANs and learn how to beat them.

    In these labs, we will look at the following:

    Uncovering hidden SSIDs

    Beating MAC filters

    Bypassing Open Authentication

    Bypassing Shared Key Authentication

    Hidden SSIDs

    In the default configuration, all access points send out their SSIDs in the Beacon frames. This allows clients in the vicinity to discover them easily. A hidden SSID is a configuration where the access point does not broadcast its SSID in the Beacon frames. Thus, only clients which know the SSID of the access point can connect to it.

    Unfortunately, this measure does not provide robust security, though many network administrators think it does. We will now look at how to uncover hidden SSIDs.

    Lab 4 - Finding hidden SSIDs

    1. First check that the SSID is being transmitted; this can be done by looking at Wireshark:

    As can be seen from the example above, the broadcast is being sent from the AP. Now go to the AP and disable the SSID broadcast.


    Again check in Wireshark that the SSID is not being shown. There are a number of ways of finding hidden SSIDs; the first is to use a network scanner called Kismet.

    Even though the SSID for Wireless_Lab is hidden, Kismet will still show this network, as shown below.

    Kismet is mainly menu driven; the tool will display all wireless networks in range and will list the channel and data being sent.


    Explore the options in Kismet, find the clients on the network, and research an attack for the client PCs within the network.

    The second way of finding a hidden AP is the passive technique of waiting for a legitimate client to connect to the access point. This will generate Probe Request and Probe Response packets which contain the SSID of the network, thus revealing its presence.

    Alternatively, you can use aireplay-ng to send De-authentication packets to all stations on behalf of the Wireless_Lab access point by typing aireplay-ng -0 5 -a 00:1E:E5:5A:D9:50 mon0. The -0 option selects a De-authentication attack, and 5 is the number of De-authentication packets to send. Finally, -a specifies the MAC address of the access point you are targeting:

    Within Wireshark look for Probe Request/Response frames; these will show the SSID.

    Even though the SSID is hidden and not broadcast, whenever a legitimate client tries toconnect to the access point, they exchange Probe Request and Probe Response packets.These packets contain the SSID of the access point. As these packets are not encrypted,they can be very easily sniffed from the air and the SSID can be found.


    In many cases, all clients may already be connected to the access point and there may be no Probe Request/Response packets available in the Wireshark trace. Here, we can forcibly disconnect the clients from the access point by sending forged De-authentication packets over the air. These packets will force the clients to reconnect to the access point, thus revealing the SSID.
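The following added example (not from the handout or from Wireshark) ties together two things seen so far: the Frame Control type/subtype split behind the Lab 2 filters such as (wlan.fc.type == 0) && (wlan.fc.subtype == 8), and the hidden-SSID recovery just described, where the Beacon carries an empty SSID element but a client's directed Probe Request for the same BSSID carries the name. Every frame is constructed by hand; the AP and client MAC addresses are the ones used elsewhere in these labs, the frame contents are made up, and QoS data frames and four-address (WDS) frames are not handled.

```python
"""802.11 frame decoding: type/subtype filtering and SSID recovery (added example).

Reproduces in code what the labs do in Wireshark.  All frames are
constructed here; nothing is from a capture.  QoS and WDS frames are not
handled (their headers are longer than the 24 bytes assumed below).
"""
import struct
from typing import Dict, List, Optional

MGMT_SUBTYPES = {0: "Association Request", 1: "Association Response",
                 2: "Reassociation Request", 3: "Reassociation Response",
                 4: "Probe Request", 5: "Probe Response", 8: "Beacon",
                 10: "Disassociation", 11: "Authentication", 12: "Deauthentication"}
CTRL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}
# Fixed fields before the tagged parameters: Probe Request has none;
# Beacon and Probe Response carry timestamp(8) + interval(2) + capability(2).
FIXED_BODY_LEN = {4: 0, 5: 12, 8: 12}

AP = "00:1e:e5:5a:d9:50"          # lab AP, as used in the handout
CLIENT = "58:b0:35:70:c1:ce"      # lab client, as used in the handout
BCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ssid_from_tags(tags: bytes) -> Optional[str]:
    """Walk the (ID, length, value) tagged parameters; SSID is element ID 0.

    A hidden-SSID AP sends a zero-length SSID or one padded with NULs; both
    come back as "".  None means there was no SSID element at all.
    """
    i = 0
    while i + 2 <= len(tags):
        elem_id, length = tags[i], tags[i + 1]
        value = tags[i + 2:i + 2 + length]
        if len(value) < length:          # truncated frame: stop, don't guess
            break
        if elem_id == 0:
            return "" if not value.strip(b"\x00") else value.decode("utf-8", "replace")
        i += 2 + length
    return None


def parse_frame(raw: bytes) -> Dict:
    """Decode Frame Control and addresses; add the SSID for Beacon/Probe frames."""
    fc = struct.unpack_from("<H", raw, 0)[0]      # bits: version(2) type(2) subtype(4) flags(8)
    frame: Dict = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
                   "flags": fc >> 8, "addr1": mac_str(raw[4:10])}
    if frame["type"] == 1:                         # ACK/CTS: receiver address only
        frame["name"] = CTRL_SUBTYPES.get(frame["subtype"], "Control")
        return frame
    frame["addr2"] = mac_str(raw[10:16])           # transmitter
    frame["addr3"] = mac_str(raw[16:22])           # BSSID for management frames
    frame["seq"] = struct.unpack_from("<H", raw, 22)[0] >> 4
    if frame["type"] == 0:
        frame["name"] = MGMT_SUBTYPES.get(frame["subtype"], "Management")
        skip = FIXED_BODY_LEN.get(frame["subtype"])
        if skip is not None:
            frame["ssid"] = ssid_from_tags(raw[24 + skip:])
    else:
        frame["name"] = "Data"
    return frame


def wlan_filter(frames: List[Dict], fc_type: int, fc_subtype: Optional[int] = None) -> List[Dict]:
    """Same selection as Wireshark's wlan.fc.type == T [&& wlan.fc.subtype == S]."""
    return [f for f in frames
            if f["type"] == fc_type and (fc_subtype is None or f["subtype"] == fc_subtype)]


def recover_hidden_ssid(frames: List[Dict], bssid: str) -> Dict[str, Optional[str]]:
    """What the AP advertises in Beacons versus what probes for that BSSID reveal.

    Broadcast Probe Requests (wildcard SSID, BSSID ff:ff:ff:ff:ff:ff) never
    match addr3 and so are skipped.
    """
    result: Dict[str, Optional[str]] = {"advertised": None, "revealed": None}
    for f in frames:
        if f["type"] != 0 or f.get("addr3") != bssid:
            continue
        if f["subtype"] == 8:
            result["advertised"] = f.get("ssid")
        elif f["subtype"] in (4, 5) and f.get("ssid"):
            result["revealed"] = f["ssid"]
    return result


# --- constructed sample frames ---------------------------------------------
def tag(elem_id: int, value: bytes) -> bytes:
    return bytes([elem_id, len(value)]) + value


def mgmt_frame(subtype: int, addr1: str, addr2: str, bssid: str, body: bytes) -> bytes:
    header = struct.pack("<HH", subtype << 4, 0)   # version 0, type 0, duration 0
    return header + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(bssid) + b"\x00\x00" + body


RATES = tag(1, bytes([0x82, 0x84, 0x8B, 0x96]))    # basic rates 1/2/5.5/11 Mbps
FIXED = bytes(12)                                  # zeroed timestamp/interval/capability
SAMPLE_FRAMES = [
    mgmt_frame(8, BCAST, AP, AP, FIXED + tag(0, b"") + RATES + tag(3, b"\x01")),  # hidden Beacon
    mgmt_frame(4, AP, CLIENT, AP, tag(0, b"Wireless_Lab") + RATES),               # directed Probe Request
    mgmt_frame(5, CLIENT, AP, AP, FIXED + tag(0, b"Wireless_Lab") + RATES),       # Probe Response
    mgmt_frame(12, BCAST, AP, AP, struct.pack("<H", 7)),                          # Deauthentication
    struct.pack("<HH", (1 << 2) | (13 << 4), 0) + mac_bytes(CLIENT),              # ACK
    struct.pack("<HH", (2 << 2) | (1 << 8), 0) + mac_bytes(AP) + mac_bytes(CLIENT)
    + mac_bytes(AP) + b"\x00\x00" + b"\xaa\xaa\x03" + bytes(20),                  # Data, ToDS set
]


def parsed_samples() -> List[Dict]:
    return [parse_frame(raw) for raw in SAMPLE_FRAMES]
```

Run against the samples, the Beacon decodes with an empty SSID while the directed Probe Request and the Probe Response both carry Wireless_Lab, which is exactly why forcing a reconnect with De-authentication frames works: the AP cannot stop its own clients from naming the network.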

    Challenge Lab 4B - Find the SSID

    In two teams (groups of four) set up a wireless network (as per Lab 1) but change the SSID name and make it hidden, then attack the other team's network to find the SSID. PLEASE KEEP THE SSID NAMES CLEAN!

    In the previous exercise, we sent broadcast De-authentication packets to forcereconnection of all wireless clients. Try and check how you can selectively target individualclients using aireplay-ng.

    It is important to note that even though we are illustrating many of these concepts using Wireshark, it is possible to orchestrate these attacks with other tools like the aircrack-ng suite as well. We encourage you to explore the entire aircrack-ng suite of tools and the documentation on their website: http://www.aircrack-ng.org.

    MAC filters

    MAC filters are an age-old technique used for authentication and authorization and have their roots in the wired world. Unfortunately, they fail miserably in the wireless world.

    The basic idea is to authenticate based on the MAC address of the client. A list of allowed MAC addresses is maintained by the network administrator and fed into the access point. We will now look at how easy it is to bypass MAC filters.

    Lab 5 - MAC Address Filters

    1. Let us first configure our access point to use MAC filtering and then add the client MAC address of the victim laptop. The settings pages on my router look as follows:


    Add the MAC address of the client PC to the list of permitted PCs on the AP. Once MAC filtering is enabled, only the allowed MAC addresses will be able to successfully authenticate with the access point. If we try to connect to the access point from a machine with a non-whitelisted MAC address, the connection will fail as shown next:


    Wireshark shows the authentication failure:

    In order to beat MAC filters, we can use airodump-ng to find the MAC addresses of clients connected to the access point. We do this by issuing the command airodump-ng -c 1 -a --bssid 00:1E:E5:5A:D9:50 mon0. By specifying the BSSID, we will only monitor the access point which is of interest to us. The -c 1 sets the channel to 1, where the access point is. The -a ensures that in the client section of the airodump-ng output only clients associated and connected to an access point are shown. This will show us all the client MAC addresses associated with the access point:

    As can be seen from the above screenshot, the MAC address of the client is highlighted. Once we find a whitelisted client's MAC address, we can spoof it using the macchanger utility which ships with BackTrack. The interface must be down while the address is changed, so first run ifconfig wlan0 down and then macchanger -m 60:FB:42:D5:E4:01 wlan0. The MAC address you specify with the -m option is the new spoofed MAC address for the wlan0 interface (in the terminal output below, the whitelisted client's address was 58:B0:35:70:C1:CE):


    root@bt:~# macchanger -m 58:B0:35:70:C1:CE wlan0

    Current MAC: 68:7f:74:f7:77:fd (unknown)

    Faked MAC: 58:b0:35:70:c1:ce (unknown)

    root@bt:~# ifconfig wlan0

    wlan0 Link encap:Ethernet HWaddr 58:b0:35:70:c1:ce

    BROADCAST PROMISC MULTICAST MTU:1500 Metric:1

    RX packets:210 errors:0 dropped:0 overruns:0 frame:0

    TX packets:10 errors:0 dropped:0 overruns:0 carrier:0

    collisions:0 txqueuelen:1000

    RX bytes:72228 (72.2 KB) TX bytes:1736 (1.7 KB)

    Now bring the wlan0 interface back up with ifconfig wlan0 up and then connect to the AP via the wireless manager in BT5.

    You have monitored the air using airodump-ng and found the MAC address of a legitimate client connected to the wireless network. We then used the macchanger utility to change our wireless card's MAC address to match the client's. This fooled the access point into believing that we are the legitimate client, and it allowed us access to its wireless network. Note that the legitimate client and the spoofed card now share one MAC address; if both are active at the same time their traffic will interfere with each other.

    You are encouraged to explore the different options of the airodump-ng utility by going through the documentation on their website: http://www.aircrack-ng.org/doku.php?id=airodump-ng.

    Challenge Lab 5B - MAC Address Filters

    In two teams, set up the lab and apply MAC address filtering for a client PC; the other team then has to spoof the MAC address of the client PC from BT5 and gain access to the AP.


    Shared Key Authentication

    Shared Key Authentication uses a shared secret such as the WEP key to authenticate theclient. The exact exchange of information is illustrated next (taken from http://www.netgear.com):

    The wireless client sends an authentication request to the access point, which responds with a challenge. The client now needs to encrypt this challenge with the shared key and send it back to the access point, which decrypts it to check whether it can recover the original challenge text. If it succeeds, the client is authenticated; otherwise the access point sends an authentication failed message.

    The security problem here is that an attacker passively listening to this entire communication by sniffing the air has access to both the plain-text challenge and the encrypted challenge. XORing the two yields the RC4 keystream for the IV that was used. Because the IV is sent in the clear and chosen by the sender, this keystream can be reused, with the same IV, to encrypt any future challenge sent by the access point without needing to know the actual key.

    In this lab, you will learn how to sniff the air to retrieve the challenge and the encryptedchallenge, retrieve the keystream, and use it to authenticate to the access point withoutneeding the shared key.
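The exchange described above, modelled as an added example (not code from the handout or from aircrack-ng). The WEP cipher (RC4 over IV || key) and the CRC-32 integrity check value are implemented as WEP defines them; for brevity the surrounding 802.11 authentication frame fields (algorithm number, sequence number, challenge element header) are left out, so the plaintext that gets encrypted here is just challenge || ICV. The WEP key and the challenges are generated at random inside the example, and the attacker's side never sees the key.

```python
"""Shared Key Authentication keystream recovery and reuse (added example).

Simplification: the WEP-encrypted plaintext is challenge || ICV, without
the 802.11 authentication frame fields that surround the challenge text in
a real frame.  Key and challenges are random; nothing is from a capture.
"""
import os
import struct
import zlib
from typing import Tuple

CHALLENGE_LEN = 128      # 802.11 SKA challenge text is 128 octets
IV_LEN = 3               # WEP IV, sent in the clear with every frame


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (KSA then PRGA).  WEP keys RC4 with IV || WEP key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    body = plaintext + icv(plaintext)
    return xor(body, rc4(iv + wep_key, len(body)))


class AccessPoint:
    """The defender: holds the WEP key, issues challenges, verifies responses."""

    def __init__(self, wep_key: bytes):
        self._key = wep_key

    def challenge(self) -> bytes:
        return os.urandom(CHALLENGE_LEN)

    def verify(self, challenge: bytes, iv: bytes, ciphertext: bytes) -> bool:
        body = xor(ciphertext, rc4(iv + self._key, len(ciphertext)))
        plain, tag = body[:-4], body[-4:]
        return tag == icv(plain) and plain == challenge


def legit_client_response(wep_key: bytes, challenge: bytes) -> Tuple[bytes, bytes]:
    """A real client picks an IV and encrypts the challenge with the shared key."""
    iv = os.urandom(IV_LEN)
    return iv, wep_encrypt(wep_key, iv, challenge)


def recover_keystream(challenge: bytes, ciphertext: bytes) -> bytes:
    """Attacker: ciphertext XOR (challenge || ICV) is the RC4 keystream for that IV."""
    return xor(ciphertext, challenge + icv(challenge))


def forge_response(keystream: bytes, new_challenge: bytes) -> bytes:
    """Attacker: encrypt a fresh challenge with the sniffed keystream; no key involved."""
    return xor(new_challenge + icv(new_challenge), keystream)


def demo() -> bool:
    """Sniff one legitimate SKA exchange, then authenticate without the key."""
    wep_key = os.urandom(5)                   # 40-bit WEP key, never given to the attacker
    ap = AccessPoint(wep_key)

    # 1. A legitimate client authenticates; the attacker sees challenge, IV and response.
    c1 = ap.challenge()
    iv, resp = legit_client_response(wep_key, c1)
    assert ap.verify(c1, iv, resp)

    # 2. The attacker derives the keystream for that IV.
    ks = recover_keystream(c1, resp)

    # 3. The attacker authenticates: new challenge, same IV, keystream reused.
    c2 = ap.challenge()
    forged_ok = ap.verify(c2, iv, forge_response(ks, c2))

    # A different IV selects a different keystream, so the same trick fails there.
    wrong_iv = bytes(b ^ 0xFF for b in iv)
    assert not ap.verify(c2, wrong_iv, forge_response(ks, c2))
    return forged_ok
```

This is the mechanism behind aireplay-ng's fake-authentication mode when it is given a saved keystream: the attacker replays the IV and XORs the new challenge with the recovered keystream. The flaw is that Shared Key Authentication lets the verifier's own challenge be encrypted under an IV the sender controls, so one observed exchange is enough for unlimited future ones.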


    Lab 6 - Shared Key Authentication

    Let us first set up Shared Key Authentication for our Wireless_Lab network. I have done this on my access point by setting the Security Mode to WEP and Authentication to Shared Key:

    Log the client PC in with the passkey.

    Now we need to attack the network. In order to bypass Shared Key Authentication, we will first start sniffing packets between the access point and its clients. However, we would also like to log the entire shared key authentication exchange. To do this we use airodump-ng with the command airodump-ng -c 11 --bssid 00:1E:E5:5A:D9:50 -w keystream mon0 (use the channel your AP is actually on).

    The -w option, which is new here, requests airodump-ng to store the packets in files whose names are prefixed with the word "keystream". On a side note, it might be a good idea to store different sessions of packet captures in different files. This allows you to analyse them long after the trace has been collected.

    We can either wait for a legitimate client to connect to the access point or force a reconnect using the De-authentication technique used previously. Once a client connects and the shared key authentication succeeds, airodump-ng will capture this exchange automatically by sniffing the air. An indication that the capture has succeeded is when the AUTH column reads SKA, that is, Shared Key Authentication, as shown next.