The document discusses attacks on WiFi networks and provides an overview of wireless security testing tools and techniques. It notes that most attacks described would be illegal without permission and assumes no responsibility. It then covers wireless packet frames, packet sniffing filters, packet injection, wireless channels, hidden SSIDs, MAC filters, WEP cracking, WPA/WPA2 cracking using dictionaries, wireless security testing tools like Pineapple and Reaver, and recommendations for more secure wireless practices.
2. Don’t Be Stupid
The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on systems that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: With knowledge comes responsibility.
3. Disclaimer
The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of, my employer, nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.
4. Credits
• Almost nothing in this presentation is original to me.
• BackTrack 5 Wireless Penetration Testing Beginner's Guide (PACKT Publishing)
• HAK5, Darren Kitchen, et al.
• The guy sitting at Starbucks last night
• The Internet (et al.)
7. Required Gear
• Network adapter that supports “Monitor” mode
– Equivalent to promiscuous mode on a normal NIC
• Windows, Mac, or Linux
– Linux tools tend to be more readily available
• Comfort at the command line
8. Today’s Lab
• Host Machine:
– Laptop, Windows 7, hard-wired to AP
– Presentation, AP configuration
• Attacker:
– VM, BackTrack 5 SR1, Alfa AWUS036H
• Victim:
– VM, Mint 13, Netgear USB WiFi NIC
• Access Point:
– Linksys WRT310Nv1
9. Wireless Packet Frames
• Management Frames
– Authentication
– De-authentication
– Association Request
– Association Response
– Re-association Request
– Re-association Response
– Disassociation
– Beacon
– Probe Request
– Probe Response
• Control Frames
– Request to Send (RTS)
– Clear to Send (CTS)
– Acknowledgment (ACK)
• Data Frames
11. Packet Sniffing
• Determine the channel of the network we are interested in
– Required for sniffing data packets
– airodump-ng
• iwconfig mon0 channel 1
12. Packet Injection
• aireplay-ng
– Inject packets onto a specific wireless network without specific association to that network
– Can target specific channels, mask MAC addresses, etc.
– Does not require association
13. Wireless Channels
• 802.11 a, b, g, n slice up their spectrum into channels
• Channels are padded by unused guard spectrum (“whitespace”)
• 802.11b on 2.4 GHz uses 22 MHz wide channels
• 5 MHz unused spectrum buffers each channel
14. Channels and Overlap
• Channel 1: Centered at 2.412 GHz, begins at 2.400 and ends at 2.422 GHz
• Channel 2: Centered at 2.417 GHz, begins 5 MHz past Channel 1’s beginning
• Channel 3: Centered at 2.422 GHz, begins 5 MHz past Channel 2’s beginning
• Channels 1, 6, 11, and 14 are discrete (non-overlapping)
Image source: Wikipedia, http://en.wikipedia.org/wiki/File:2.4_GHz_Wi-Fi_channels_(802.11b,g_WLAN).svg
15. Regulatory Issues
• Available Channels
– US: 1-11
– Everywhere else: 1-13
– Japan: 1-14
• Radio Power Levels
– iw reg set US (up to 20)
– iw reg set BO (up to 30)
16. De-authentication Packets
• Polite way to disconnect a client from the network
• Gives everyone a chance to free memory
• Hacker’s best friend
Content for this slide taken from the WiFi workshop at NoiseBridge, presented by Darren Kitchen: http://hak5.org/episodes/hak5-1122
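The frame types listed on slide 9 and the de-authentication frames described on this slide, parsed from raw 802.11 headers and screened for a de-auth burst, as an added example that is not code from the presentation or from the aircrack-ng tools it names. The MAC addresses, the sample frames, the reason code value and the burst threshold are all constructed assumptions, so the script runs offline; a real monitor-mode capture would first need its radiotap header stripped.

```python
import struct
from collections import Counter

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}
MGMT_SUBTYPES = {0: "Association Request", 1: "Association Response",
                 2: "Re-association Request", 3: "Re-association Response",
                 4: "Probe Request", 5: "Probe Response", 8: "Beacon",
                 10: "Disassociation", 11: "Authentication", 12: "De-authentication"}
CTRL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw):
    """Classify one raw 802.11 frame (no radiotap header) and pull out its addresses."""
    fc = struct.unpack("<H", raw[:2])[0]             # frame control: bits 2-3 type, 4-7 subtype
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    info = {"type": TYPE_NAMES.get(ftype, "Reserved"), "dst": mac(raw[4:10]), "src": None}
    if ftype == 0:                                   # management: 24-byte MAC header
        info["subtype"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
        info["src"], info["bssid"] = mac(raw[10:16]), mac(raw[16:22])
        if subtype in (10, 12):                      # disassoc/deauth body starts with a reason code
            info["reason"] = struct.unpack("<H", raw[24:26])[0]
    elif ftype == 1:                                 # control: RTS carries a TA, CTS/ACK only an RA
        info["subtype"] = CTRL_SUBTYPES.get(subtype, f"ctrl-{subtype}")
        if subtype == 11:
            info["src"] = mac(raw[10:16])
    else:
        info["subtype"] = "QoS Data" if subtype & 0x8 else "Data"
        info["src"] = mac(raw[10:16])
    return info

def build_mgmt(subtype, src, dst, bssid, body=b""):
    # Constructs an in-memory management frame for the sample capture below (version 0, no flags).
    return struct.pack("<HH", subtype << 4, 0) + dst + src + bssid + struct.pack("<H", 0) + body

def deauth_sources(frames, threshold=5):
    """Return senders that emitted at least `threshold` de-authentication frames (assumed limit)."""
    counts = Counter(f["src"] for f in map(parse_frame, frames)
                     if f["subtype"] == "De-authentication")
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed sample capture: one beacon, one probe request, then a burst of six
# deauth frames that all claim to come from the AP's (assumed) MAC address.
AP, CLIENT = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
BCAST = b"\xff" * 6
SAMPLE = [build_mgmt(8, AP, BCAST, AP), build_mgmt(4, CLIENT, BCAST, BCAST)]
SAMPLE += [build_mgmt(12, AP, CLIENT, AP, struct.pack("<H", 7)) for _ in range(6)]
```

A single client normally sees a handful of de-authentication frames per session, so a sender that exceeds the threshold inside one short capture is worth alerting on.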
18. DEMO: Hidden SSID
• Show packet capture with the SSID
• Hide SSID
• Prove it is now hidden
• Solve for X
– Passive (wait for a valid client): Wireshark filter
– Use aireplay-ng to send a deauth packet to force the discovery
• Probe Request/Probe Response packets
20. DEMO: MAC Filters
• Enable MAC filtering on the WAP
• Prove that a client cannot connect
• Use airodump-ng to show associated clients
• Use macchanger to spoof the whitelisted address and connect
22. DEMO: WEP Encryption
• Capture data packets (ARP) from a known/trusted client (airodump-ng)
• Replay them/re-inject between 10-100,000 times (aireplay-ng)
• Crack them (aircrack-ng)
• Guaranteed crack
25. DEMO: WPA/2 Encryption
• Vulnerable to dictionary attacks
• Collect authentication handshake
• Select dictionary file and run the cracker
• Works for WPA, WPA2, AES, TKIP