CEH Lab Manual

Module 15 - Hacking Wireless Networks

Hacking Wireless Networks

Wi-Fi is developed on IEEE 802.11 standards and is widely used in wireless communication. It provides wireless access to applications and data across a radio network.

Lab Scenario

Wireless network technology is becoming increasingly popular but, at the same time, it has many security issues. A wireless local area network (WLAN) allows workers to access digital resources without being tethered to their desks. However, the convenience of WLANs also introduces security concerns that do not exist in a wired world. Connecting to a network no longer requires an Ethernet cable. Instead, data packets are airborne and available to anyone with the ability to intercept and decode them. Several reports have explained weaknesses in the Wired Equivalent Privacy (WEP) algorithm used by the 802.11x standard to encrypt wireless data. To be an expert ethical hacker and penetration tester, you must have sound knowledge of wireless concepts, wireless encryption, and their related threats. As a security administrator of your company, you must protect the wireless network from hacking.

Lab Objectives

The objective of this lab is to protect the wireless network from attackers.

In this lab, you will learn how to:

■ Crack WEP using various tools

■ Capture network traffic

■ Analyze and detect wireless traffic

Lab Environment

In the lab you will need a with an Internet connection.

■ This lab requires AirPcap adapter installed on your machine for all labs

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks

Lab Duration

Time: 30 Minutes

Overview of Wireless Network

A wireless network refers to any type of computer network that is wireless and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves such as radio waves for the carrier. The implementation usually takes place at the physical level or layer of the network.

CEH Lab Manual. Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Tasks

Overview

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in Wireless Networks:

■ WiFi Packet Sniffing Using AirPcap with Wireshark

■ Cracking a WEP Network with Aircrack-ng for Windows

■ Sniffing the Network Using the OmniPeek Network Analyzer

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


WiFi Packet Sniffing Using AirPcap with Wireshark

The AirPcap adapter is a USB device that, when used in tandem with the AirPcap drivers and WinPcap libraries, allows a pen tester to monitor 802.11b/g traffic in monitor mode.

Lab Scenario

Wireless networks can be open to active and also passive attacks. These types of attacks include DoS, MITM, spoofing, jamming, war driving, network hijacking, packet sniffing, and many more. Passive attacks that take place on wireless networks are common and are difficult to detect since the attacker usually just collects information. Active attacks happen when a hacker has gathered information about the network after a successful passive attack. Sniffing is the act of monitoring the network traffic using legitimate network analysis tools. Hackers can use monitoring tools, including AiroPeek, Ethereal, TCPDump, or Wireshark, to monitor the wireless networks. These tools allow hackers to find an unprotected network that they can hack. Your wireless network can be protected against this type of attack by using strong encryption and authentication methods.

In this lab we discuss the Wireshark tool, which can sniff the network using a wireless adapter. Since you are the ethical hacker and penetration tester of an organization, you need to check the wireless security, exploit the flaws in WEP, and evaluate weaknesses present in WEP for your organization.

Lab Objectives

The objective of this lab is to help students learn and understand how to:

■ Discover WEP packets


Lab Environment

To execute the lab, you need:

■ Install AirPcap adapter drivers; to install, navigate to D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools, and double-click setup_airpcap_4_1_1.exe to install

■ When you are installing the AirPcap adapter drivers, if any installation error occurs, install the AirPcap adapter drivers in compatibility mode (right-click the AirPcap adapter driver exe file, select Properties -> Compatibility, in compatibility mode, and select Windows7)

■ Wireshark located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\wireshark-win64-1.4.4.exe

■ Run this lab in Windows Server 2012 (host machine)

■ An access point configured with WEP on the host machine

■ This lab requires the AirPcap adapter installed on your machine. If you don’t have this adapter, please do not proceed with this lab

■ A standard AirPcap adapter with its drivers installed on your host machine

■ WinPcap libraries, Wireshark, and Cain & Abel installed on your host machine

■ Administrative privileges to run AirPcap and other tools

Lab Duration

Time: 15 Minutes

Overview of WEP (Wired Equivalent Privacy)

Several serious weaknesses in the protocol have been identified by cryptanalysts with the result that, today, a WEP connection can be easily cracked. Once entered onto a network, a skilled hacker can modify software, network settings, and other security settings. Wired Equivalent Privacy (WEP) is a deprecated security algorithm for IEEE 802.11 wireless networks.

Lab Tasks

Configure AirPcap

Download AirPcap drivers from the site and follow the wizard-driven installation steps to install AirPcap drivers.

Note: You can download AirPcap drivers from http://www.airdemon.net/riverbed.html

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 1.1: Windows Server 2012—Desktop view

2. Click the AirPcap Control Panel app to open the AirPcap Control Panel window.

Note: The AirPcap adapters can work in monitor mode. In this mode, the AirPcap adapter captures all of the frames that are transferred on a channel, not just frames that are addressed to it.

FIGURE 1.2: Windows Server 2012—Apps

3. The AirPcap Control Panel window appears.


Note: The Multi-Channel Aggregator can be configured like any real AirPcap device, and therefore can have its own decryption, FCS checking and packet filtering settings.

FIGURE 1.3: AirPcap Control Panel window

4. On the Settings tab, click the Interface drop-down list and select AirPcap USB wireless capture adapter.

5. In the Basic Configuration section, select suitable Channel, Capture Type, and FCS Filter and check the Include 802.11 FCS in Frames check box.

Note: In Basic Configuration box settings: Channel: The channels available in the Channel list box depend upon the selected adapter. Since channel numbers 14 in the 2.4GHz and 5GHz bands overlap and there are center frequencies (channels) that do not have channel numbers, each available channel is given by its center frequency.

FIGURE 1.4: AirPcap Control Panel window

6. Now, click the Keys tab. Check the Enable WEP Decryption check box. This enables the WEP decryption algorithm. You can Add New Key, Remove Key, Edit Key, and Move Key Up and Down.


7. After configuring settings and keys, click OK.

Note: In Basic Configuration Settings: Extension Channel: For 802.11n adapters, one can use the Extension Channel list to create a “wide” channel. The choices are -1 (the preceding 20MHz frequency band), 0 (no extension channel), or +1 (the succeeding 20MHz frequency band). The channel of the additional frequency band is called the extension channel.

FIGURE 1.5: AirPcap Control Panel window

Capturing the packets

8. Launch Wireshark Network Analyzer. The Wireshark main window appears.

Note: You can download Wireshark from http://www.wireshark.org.

FIGURE 1.6: Wireshark Network Analyzer main window


9. Configure AirPcap as an interface to Wireshark. Select Capture -> Interface... (Ctrl+I). You can also click the icon on the toolbar.

Note: The following are some of the many features Wireshark provides available for UNIX and Windows.

■ Capture live packet data from a network interface.

■ Display packets with very detailed protocol information.

■ Open and Save packet data captured.

■ Import and Export packet data from and to a lot of other capture programs.

■ Filter packets on many criteria.

■ Search for packets on many criteria.

■ Colorize packet display based on filters.

■ Create various statistics

FIGURE 1.7: Wireshark Network Analyzer with interface option

10. The Wireshark: Capture Interfaces window appears. By default, the AirPcap adapter is not in running mode. Select the Airpcap USB wireless capture adapter nr. 00 check box. Click Start

Note: Wireshark isn't an intrusion detection system. It does not warn you when someone does things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on.

FIGURE 1.8: Wireshark Capture Interface

11. Automatically, the Capturing from AirPcap USB wireless capture adapter nr. 00 - Wireshark window appears, and it starts capturing packets from AirPcap Adapter.

Note: Wireshark can capture traffic from many different network media types - and despite its name - including wireless LAN as well. Which media types are supported, depends on many things, such as the operating system you are using.

FIGURE 1.9: Wireshark Network Analyzer window with packets captured

12. Wait while Wireshark captures packets from AirPcap. If the Filter Toolbar option is not visible on the toolbar, select View -> Filter Toolbar. The Filter Toolbar appears.

Note: Wireshark doesn't benefit much from Multiprocessor/Hyperthread systems as time-consuming tasks, like filtering packets, are single threaded. No rule is without exception: During an “update list of packets in real time” capture, capturing traffic runs in one process and dissecting and displaying packets runs in another process, which should benefit from two processors.

FIGURE 1.10: Wireshark Network Analyzer window with interface option


13. Now select View -> Wireless Toolbar. The wireless toolbar appears in the window.

Note: Wireshark is a network packet analyzer that captures network packets and tries to display that packet data as detailed as possible.

FIGURE 1.11: Wireshark Network Analyzer window with wireless toolbar option

14. You will see the source and destination of the packet captured by Wireshark.

Note: One possible alternative is to run tcpdump, or the dumpcap utility that comes with Wireshark, with superuser privileges to capture packets into a file, and later analyze these packets by running Wireshark with restricted privileges on the packet capture dump file

FIGURE 1.12: Wireshark Network Analyzer window with 802.11 channel captured packets

15. After enough packet captures, stop Wireshark

FIGURE 1.13: Stop Wireshark packet capture

16. Go to File from menu bar, and select Save

FIGURE 1.14: Save the captured packets

17. Enter the File name, and click Save.

FIGURE 1.15: Save the Captured packet file

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.
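To support the analysis of the saved capture, the following added example (not part of the original lab manual) classifies each access point seen in beacon frames as open, WEP, WPA or RSN from the capability Privacy bit and the WPA/RSN elements, so that networks still on deprecated WEP can be listed for remediation. The frames are constructed sample data, and all function names are assumptions of this example.

```python
"""Classify access points seen in captured 802.11 beacons: open, WEP, WPA, RSN."""
import struct

MGMT_HDR_LEN = 24      # frame control, duration, DA, SA, BSSID, sequence control
FIXED_LEN = 12         # timestamp (8), beacon interval (2), capability info (2)
CAP_PRIVACY = 0x0010   # capability bit: the BSS requires encryption
EID_SSID, EID_RSN, EID_VENDOR = 0, 48, 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")  # vendor element that carries the WPA IE


def iter_elements(body):
    """Yield (element_id, value) pairs; stop cleanly at a truncated element."""
    off = 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) < length:
            break
        yield eid, value
        off += 2 + length


def classify_beacon(frame, has_fcs=False):
    """Return (bssid, ssid, security) for a beacon or probe response, else None.

    `frame` starts at the 802.11 header (AirPcap capture type "802.11 Only").
    Set has_fcs=True if "Include 802.11 FCS in Frames" was checked.
    """
    if has_fcs:
        frame = frame[:-4]
    if len(frame) < MGMT_HDR_LEN + FIXED_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in (5, 8):   # management: probe response, beacon
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    (capability,) = struct.unpack_from("<H", frame, MGMT_HDR_LEN + 10)
    ssid, has_rsn, has_wpa = "", False, False
    for eid, value in iter_elements(frame[MGMT_HDR_LEN + FIXED_LEN:]):
        if eid == EID_SSID:
            ssid = value.decode("utf-8", "replace")
        elif eid == EID_RSN:
            has_rsn = True
        elif eid == EID_VENDOR and value.startswith(WPA_OUI_TYPE):
            has_wpa = True
    if not capability & CAP_PRIVACY:
        security = "open"
    elif has_rsn and has_wpa:
        security = "WPA+RSN"
    elif has_rsn:
        security = "RSN"      # WPA2 or later
    elif has_wpa:
        security = "WPA"
    else:
        security = "WEP"      # Privacy bit set but no WPA/RSN element
    return bssid, ssid, security


def wep_networks(frames, has_fcs=False):
    """Return sorted unique (bssid, ssid) pairs that still advertise WEP."""
    hits = set()
    for frame in frames:
        result = classify_beacon(frame, has_fcs)
        if result and result[2] == "WEP":
            hits.add(result[:2])
    return sorted(hits)


# ---- constructed sample data (not taken from a real capture) ----
def element(eid, value):
    return bytes([eid, len(value)]) + value


def build_beacon(bssid, ssid, capability, elements=b"", fcs=False):
    """Build a sample beacon; the FCS is a dummy value, not a real CRC."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, capability)
    body = element(EID_SSID, ssid.encode()) + elements
    return header + fixed + body + (b"\x00" * 4 if fcs else b"")


RSN_BODY = bytes.fromhex("0100000fac040100000fac040100000fac020000")
WPA_BODY = bytes.fromhex("0050f20101000050f20201000050f20201000050f202")

SAMPLE_FRAMES = [
    build_beacon("02:00:00:00:00:01", "lab-wep", 0x0011),
    build_beacon("02:00:00:00:00:02", "lab-open", 0x0001),
    build_beacon("02:00:00:00:00:03", "lab-wpa", 0x0011, element(EID_VENDOR, WPA_BODY)),
    build_beacon("02:00:00:00:00:04", "lab-rsn", 0x0411, element(EID_RSN, RSN_BODY)),
    build_beacon("02:00:00:00:00:01", "lab-wep", 0x0011),  # same AP seen again
    bytes.fromhex("0841") + b"\x00" * 38,                  # data frame, ignored
]

if __name__ == "__main__":
    for sample in SAMPLE_FRAMES:
        print(classify_beacon(sample))
    print("WEP networks:", wep_networks(SAMPLE_FRAMES))
```

Frames are expected without a radio header; pass has_fcs=True when the capture was taken with Include 802.11 FCS in Frames checked, otherwise the trailing checksum can be misread as an element.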

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Wireshark

Information Collected/Objectives Achieved:

Used Adapter: AirPcap USB wireless capture adapter nr.00

Result: Number of sniffed packets captured by Wireshark in network, which include: Packet Number, Time, Source, Destination, Protocol, and Info


Questions

1. Evaluate and determine the number of wireless cards supported by the wireless scanner.

2. Analyze and evaluate how AirPcap adapters operate.

Internet Connection Required

0 Yes 0 No

Platform Supported

0 Classroom □ iLabs


Cracking a WEP Network with Aircrack-ng for Windows

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that recovers keys once enough data packets have been captured. It implements the standard FMS attack along with some optimisations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.

Lab Scenario

Network administrators can take steps to help protect their wireless network from outside threats and attacks. Most hackers will post details of any loops or exploits online, and if they find a security hole, they will come in droves to test your wireless network with it. WEP is used for wireless networks. Always change your SSID from the default, before you actually connect the wireless router for the access point. If an SSID broadcast is not disabled on an access point, the use of a DHCP server to automatically assign IP address to wireless clients should not be used because war driving tools can easily detect your internal IP addressing if the SSID broadcasts are enabled and the DHCP is being used.

As an ethical hacker and penetration tester of an organization, your IT director will assign you the task of testing wireless security, exploiting the flaws in WEP, and cracking the keys present in WEP of an organization. In this lab we discuss how WPA keys are cracked using standard attacks such as korek attacks and PTW attacks.

Lab Objectives

The objective of this lab is to protect wireless network from attackers.

In this lab, you will learn how to:

■ Crack WEP using various tools

■ Capture network traffic

■ Analyze and detect wireless traffic


Lab Environment

To execute the lab, you need:

■ Aircrack-ng located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\WEP-WPA Cracking Tools\Aircrack-ng\bin

■ This tool requires Administrative privileges to run

■ A client connected to a wireless access point

■ This lab requires AirPcap adapter installed on your machine. If you don't have this adapter please do not proceed with the lab

Note: Visit Backtrack home site http://www.backtrack-linux.org for a complete list of compatible Wi-Fi adapters.

Lab Duration

Time: 20 Minutes

Overview of Aircrack-ng

A wireless network refers to any type of computer network that is wireless, and is commonly associated with a telecommunications network whose interconnections between nodes are implemented without the use of wires. Wireless telecommunications networks are generally implemented with some type of remote information transmission system that uses electromagnetic waves, such as radio waves, for the carrier, and this implementation usually takes place at the physical level or layer of the network.

Note: Aireplay filter options: -b bssid : MAC address, access point.

Lab Task

TASK 1: Cracking a WEP Network

1. Launch Aircrack-ng GUI from D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap\bin by double-clicking Aircrack-ng GUI.exe.

2. Click the Airodump-ng tab.

Note: To start wlan0 in monitor mode type: airmon-ng start wlan0.

Note: To stop wlan0 type: airmon-ng stop wlan0.

FIGURE 2.1: Airodump-ng window


3. Click Launch. This will show the airodump window.

[Screenshot: airodump-ng 0.9 console listing the known network adapters (1 AirPcap USB wireless capture adapter nr. 00) and prompting for the network interface index number]

Note: To confirm that the card is in monitor mode, run the command "iwconfig". You can then confirm the mode is "monitor" and the interface name.

FIGURE 2.2: Airodump-ng selecting adapter window

4. Type the Airpcap adapter index number as 0 and select all channels by typing 11. Press Enter.

[Screenshot: airodump-ng 0.9 console with interface index 0 and channel 11 entered (the prompt reads "Channel: 1 to 14, 0 = all"), now prompting for the output filename prefix. The console notes that if you specify the same output prefix, airodump will resume the capture session by appending data to the existing capture file]

Note: Aircrack-ng option: -b bssid (long version --bssid). Select the target network based on the access point's MAC address.

Note: For cracking WPA/WPA2 pre-shared keys, only a dictionary method is used. SSE2 support is included to dramatically speed up WPA/WPA2 key processing.

FIGURE 2.3: Airodump-ng selecting adapter window

5. It will prompt you for a file name. Enter Capture and press Enter.


[Screenshot: airodump-ng 0.9 console with "capture" typed at the output filename prefix prompt]

Note: When Aircrack-ng completes determining the key, it is presented to you in hexadecimal format such as KEY FOUND! [BF:53:9E:DB:37].

FIGURE 2.4: Airodump-ng selecting adapter window

6. Type y in Only write WEP IVs. Press Enter.

[Screenshot: airodump-ng 0.9 console with the output filename prefix entered and the "Only write WEP IVs" prompt displayed]

Note: Airodump option: -f : Time in ms between hopping channels.

Note: Aireplay filter option: -d dmac : MAC address, Destination.

FIGURE 2.5: Airodump-ng dumping the captured packets window

7. After pressing y it will display Wi-Fi traffic; leave it running for a few minutes.

8. Allow airodump-ng to capture a large number of packets (above 2,000,000).


[Screenshot: airodump-ng 0.9.3 capturing on channel 11, listing detected access points with the columns BSSID, PWR, Beacons, # Data, CH, MB, ENC and ESSID, followed by the stations associated with them]

FIGURE 2.6: Airodump-ng Channel listing window

Note: airmon-ng is a bash script designed to turn wireless cards into monitor mode. It auto-detects which card you have and runs the right commands.

9. Now close the window.

10. Go to Aircrack-ng and click Advanced Options.

Note: Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vector) for the intent of using them with aircrack-ng.

[Screenshot: Aircrack-ng GUI, Aircrack-ng tab with Advanced options: filename chooser, encryption (WEP or WPA), key size, wordlist and PTW attack checkboxes, ESSID and BSSID filters, fudge factor, KoreK attack and bruteforce settings, and the Launch button]

FIGURE 2.7: Aircrack-ng options window

11. Click Choose and select the filename capture.ivs.

Note: This is a different file from the one you recorded; this file contains precaptured IVS keys. The path is D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap


Note: To save time capturing the packets, for your reference, the capture.ivs file (this capture.ivs file contains more than 200000 packets) is at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap.

12. After selecting file, click Launch.

[Screenshot: Aircrack-ng GUI, Aircrack-ng tab, with the capture file chosen, WEP encryption selected, key size 128 bits, Advanced options enabled and the Launch button]

Note: To put your wireless card into monitor mode: airmon-ng start rausb0.

FIGURE 2.8: Aircrack-ng launch window

13. If you have captured enough packets, you will be able to crack the packets.

14. Select your target network from BSSID and press Enter.

Note: You may use this key without the ":" in your wireless client connection prompt and specify that the key is in hexadecimal format to connect to the wireless network.

    Opening D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\AirPcap -Enabled Open Source tools\aircrack-ng-0.9-airpcap\capture.ivs
    Read 231344 packets.

    00:09:5B:AE:24:CC  WEP (231233 IVs)
    94:44:52:F2:45:0C  WEP (111 IVs)

    Index number of target network ? 1

FIGURE 2.9: Select target network


[Screenshot: Aircrack-ng 0.9.3 console showing 1 key tested after 00:00:06, the vote table for each key byte, and the result KEY FOUND! [ BF:53:9E:DB:37 ] with "Decrypted correctly: 100%"]

Note: Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng.

FIGURE 2.10: aircrack-ng with WEP crack key

Lab Analysis

Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: Aircrack-ng

Information Collected/Objectives Achieved:

■ Number of packets captured: 224385

■ Cracked wireless adaptor name: NETGEAR

■ Output: Decrypted key BF:53:9E:DB:37
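For the defensive side of this lab, the following added example (not part of the lab manual or the aircrack-ng project) reads an airodump-ng-style listing like the one in Figure 2.6 and ranks the access points for remediation. The sample rows, the vendor-default name patterns and the severity labels are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the airodump-ng column layout shown in the lab
# (BSSID PWR Beacons #Data CH MB ENC ESSID). All MACs and names are made up.
SAMPLE_LISTING = """\
 BSSID              PWR  Beacons  # Data  CH  MB  ENC   ESSID

 02:00:00:AA:00:01  -78        5       0   1  48  WEP?  Front Office
 02:00:00:AA:00:02  -80     5496    2146  11  48  WPA   D-Link_DIR-524
 02:00:00:AA:00:03  -33      213  125920  11  54  WEP   NETGEAR
 02:00:00:AA:00:04  -77       13       0   1  54  OPN   Guest
 02:00:00:AA:00:05  -81       12       0   6  54  WPA   corp-wlan

 BSSID              STATION            PWR  Packets  ESSID
 02:00:00:AA:00:03  02:00:00:BB:00:09  -80      421  NETGEAR
"""

# An access-point row: MAC, six columns, then a free-text ESSID.
# Station rows carry a second MAC where PWR should be, so they do not match.
AP_ROW = re.compile(
    r"^\s*((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(-?\d+)\s+(\d+)\s+(\d+)"
    r"\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")

# Assumption: a few vendor-default name prefixes; extend for your hardware.
DEFAULT_SSID = re.compile(r"^(netgear|linksys|default|d-?link)", re.I)

SEVERITY_ORDER = {"critical": 0, "high": 1, "verify": 2, "review": 3}

@dataclass
class Finding:
    bssid: str
    essid: str
    enc: str
    data_frames: int
    severity: str
    notes: list

def classify(enc):
    """Map the ENC column to a severity label and a remediation note."""
    enc = enc.upper()
    if enc == "WEP":
        return "critical", "WEP key is recoverable from captured IVs; migrate to WPA2"
    if enc == "OPN":
        return "high", "no encryption; traffic is readable by anyone in range"
    if enc == "WEP?":  # airodump-ng has not yet seen enough data to decide
        return "verify", "capture too short to tell WEP from WPA; survey again"
    return "review", "a pre-shared key can be attacked by dictionary; use a long random passphrase"

def audit(listing):
    """Return one Finding per access point, worst first."""
    findings = []
    for line in listing.splitlines():
        m = AP_ROW.match(line)
        if not m:
            continue  # header, blank line or station row
        bssid, _pwr, _beacons, data, _ch, _mb, enc, essid = m.groups()
        essid = essid.strip() or "<hidden>"
        severity, note = classify(enc)
        f = Finding(bssid.upper(), essid, enc.upper(), int(data), severity, [note])
        if DEFAULT_SSID.match(essid):
            f.notes.append("ESSID looks like a vendor default; rename it")
        findings.append(f)
    # Worst severity first; within a severity, the busiest network first.
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], -f.data_frames))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING):
        print(f"{f.severity:8} {f.bssid}  {f.enc:5} {f.essid!r}: {'; '.join(f.notes)}")
```

Run it against a listing saved from your own authorized survey by passing the text to audit(); every row it ranks as critical is a network to move off WEP.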

Questions

1. Analyze and evaluate how aircrack-ng operates.

2. Does the aircrack-ng suite support Airpcap Adapter?


Internet Connection Required

□ Yes ☑ No

Platform Supported

☑ iLabs

3 Sniffing the Network Using the OmniPeek Network Analyzer

OmniPeek is a standalone network analysis tool used to solve network problems.

Lab Scenario

Packet sniffing is a form of wire-tapping applied to computer networks. It came into vogue with Ethernet; this means that traffic on a segment passes by all hosts attached to that segment. Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone's traffic. Most of the hubs/switches allow the intruder to sniff remotely using SNMP, which has weak authentication. Using POP, IMAP, HTTP Basic, and telnet authentication, an intruder reads the password off the wire in cleartext.

To be an expert ethical hacker and penetration tester, you must have sound knowledge of sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning. OmniPeek network analysis performs deep packet inspection, network forensics, troubleshooting, and packet and protocol analysis of wired and wireless networks. In this lab we discuss wireless packet analysis of captured packets.

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks.

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Lab Environment

In this lab, you need:

■ Advanced OmniPeek Network Analyzer located at D:\CEH-Tools\CEHv8 Module 15 Hacking Wireless Networks\Wi-Fi Packet Sniffer\OmniPeek Network Analyzer

■ You can also download the latest version of OmniPeek Network Analyzer from the link http://www.wildpackets.com


■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ Run this tool in Windows Server 2008

■ A web browser and Microsoft .NET Framework 2.0 or later

■ Double-click OmniPeek682demo.exe and follow the wizard-driven installation steps to install OmniPeek

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of OmniPeek Network Analyzer

OmniPeek Network Analyzer gives network engineers real-time visibility and expert analysis of each and every part of the network from a single interface, which includes Ethernet, Gigabit, 10 Gigabit, VoIP, Video to remote offices, and 802.11 a/b/g/n.

Note: You can download OmniPeek Network Analyzer from http://www.wildpackets.com

Lab Tasks

TASK 1: Analyzing WEP Packets

1. Launch OmniPeek by selecting Start → All Programs → Wildpackets OmniPeek Demo.

2. Click View sample files.

[Screenshot: OmniPeek start page with New Capture, Open Capture File, View OmniEngines and Start Monitor buttons, the recent files list, and documentation and support links]

FIGURE 3.1: Omnipeek main window

3. Select WEP.pkt.


[Screenshot: WildPackets OmniPeek Sample Files page listing the sample capture files]

Note: OmniPeek gives network engineers real-time visibility and Expert Analysis into every part of the network from a single interface, including Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless, VoIP, and Video to remote offices.

FIGURE 3.2: Omnipeek Sample Files Window

4. It will open WEP.pkt in the window. Select Packets from the left pane.

FIGURE 3.3: TELNET-UnWEP packets Window

5. Double-click any of the packets in the right pane.


[Screenshot: OmniPeek Packets view of WEP.pkt listing each packet's source, destination, BSSID, flags, channel, signal, data rate and size]

Note: Comprehensive network performance management and monitoring of entire enterprise networks, including network segments at remote offices.

FIGURE 3.4: TELNET-UnWEP packets analyzer

6. Click the right arrow to view the next packet.

FIGURE 3.5: TELNET-UnWEP packets frame window

7. Close the tab from the top and select different options from the right pane; click Graphs.

Note: OmniPeek Enterprise also provides advanced Voice and Video over IP functionality including signaling and media analyses of voice and video, VoIP playback, voice and video Expert Analysis, Visual Expert, and more.

FIGURE 3.6: WEP Graphs window

8. Now traverse through all the options in the left pane of the window.

Lab Analysis

Document the BSSID of the target wireless network, connected clients, and recovered WEP key. Analyze various Aircrack-ng attacks and their respective data packet generation rate.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Tool/Utility: OmniPeek Network Analyzer

Information Collected/Objectives Achieved:

Packet Information:
• Packet Number
• Flags
• Status
• Packet Length
• Timestamp
• Data Rate
• Channel
• Signal level
• Signal dBm
• Noise Level
• Noise dBm
• 802.11 MAC Header Details

Questions

1. Analyze and evaluate the list of captured packets.

Internet Connection Required

☑ Yes □ No

Platform Supported

☑ Classroom □ iLabs
