1. C E H
Lab M a n u a l
H a c k in g W ir e le s s
N e tw o rk s
M o d u le 1 5

2. M odule 15 - H ackin g W ire le s s N etw o rk s
H a c k i n g W i r e l e s s
N e t w o r k s
I
Vi-Fi i developedon I E E E 802.11 standards and i widely usedin w r / s
s
s
iees
communication. Itprovides w r / s a c s t ap
i e e s c e s o p/ications and data a ro a radio
c ss
network.
I C ON
KEY
[£Z7 Valuable
information
Test roui
knowledge
=
Web exercise
m
Workbook review
Lab Scenario
Wireless network teclmology is becoming increasingly popular but, at the same time,
it has many security issues. A wireless local area network (WLAN) allows workers to
access digital resources without being tethered to their desks. However, the
convenience of WlANs also introduces security concerns that do not exist in a
wired world. Connecting to a network no longer requires an Ethernet cable. Instead,
data packets are airborne and available to anyone with ability to intercept and
decode them. Several reports have explained weaknesses 111 the Wired Equivalent
Pnvacy (WEP) algorithm by 802.1 lx standard to encrypt wireless data.
To be an expert ethical hacker and penetration tester, you must have sound
knowledge of wireless concepts, wireless encryption, and their related threats. As a
security administrator of your company, you must protect the wireless network from
hacking.
Lab Objectives
The objective of this lab is to protect the wireless network from attackers.
111
this lab, you will learn how to:
■ Crack WEP using various tools
■ Capture network traffic
■ Analyze and detect wireless traffic
Lab Environment
C 7T oo ls
d e m o n s tra te d in
111 the
lab you will need a web browser with an Internet connection.
■ Tins lab requires A irP c ap adapter installed on your machine for all labs
th is lab a re
a v a ila b le in
Lab Duration
D:CEHT oo lsC E H v8
Time: 30 Minutes
M o du le 15
H a c k in g W ireles s
N e tw o rk s
C E H Lab Manual Page 819
Overview of Wireless Network
A wireless network refers to any type of computer network that is w ire le s s and is
commonly associated with a te le c o m m u n ic a tio n s network whose
in te rc o n n e c tio n s between nodes are implemented without the use of wires.
Wireless telecommunications networks are generally implemented with some type of
re m o te information transmission system that uses e le c tro m a g n e tic w a v e s such as
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

3. M odule 15 - H ackin g W ire le s s N etw o rk s
radio waves for die c a rr ie r. Tlie implementation usually takes place at the physical
level or layer of die network.
^
TASK
1
O v e rv ie w
L a b T a s k s
Pick an organization diat you feel is worthy of vour attention. Tins could be an
educational uistimtion, a commercial company, 01‫־‬perhaps a nonprofit chanty.
Recommended labs to assist you 111 Wireless Networks:
■ WiFi Packet Slutting Using AirPcap with Wireshark
■ Cracking a WEP Network with Aircrack-ng for Windows
■ Sniffing die Network Using the OmniPeek Network Analyzer
L a b A n a ly s is
Analyze and document the results related to the lab exercise. Give your opinion 011
your target’s security posture and exposure.
P LE A SE
C E H Lab Manual Page 820
TA LK
TO
Y O U R IN S T R U C T O R IF Y O U
R E L A T E D TO T H IS LAB.
H A V E
Q U E ST IO N S
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.

4. M odule 15 - H ackin g W ire le s s N etw o rk s
W i F i
P a c k e t Sniffing U s i n g A i r P c a p
w i t h W i r e s h a r k
T h e A ir P c a p a d a p te r is a U S B d e v ic e th a t, w h e n u s e d in ta n g e n t n ‫׳‬i t h th e A ir P c a p
d r iv e rs a n d W in P c a p lib ra rie s , a llo w s a p e n te s te r to m o n ito r 8 0 2 . 1 1 b /g t r a ffic in
m o n ito r m o d e .
■c o n
key
[£ Z 7 V a lu a b le
in fo rm a tio n
S
T est your
k n o w le d g e
—
m
W e b e x e rc is e
W o r k b o o k r e v ie w
L a b S c e n a r io
Wireless networks can be open to active and also passive attacks. These types of
attacks include DoS, MITM, spooling, jamming, war driving, network liijacking,
packet sniffing, and many more. Passive attacks that take place on wireless networks
are common and are difficult to detect since die attacker usually just collects
information. Active attacks happen when a hacker has gathered information about
the network after a successful passive attack. Sniffing is die act of monitoring die
network traffic using legitimate network analysis tools. Hackers can use monitoring
tools, including AiroPeek, Ethereal, TCPDump, or Wireshark, to monitor die
wireless networks. These tools allow hackers to find an unprotected network diat
diey can hack. Your wireless network can be protected against tins type of attack by
using strong encryption and authentication methods.
111 tins lab we discuss the Wireshark tool, which can sniff the network using a
wireless adapter. Since you are the etlncal hacker and penetration tester of an
organization, you need to check the wireless security, exploit the flaws ni WEP, and
evaluate weaknesses present 111 WEP for your organization.
L a b O b je c tiv e s
The objective of tins lab is to help sftidents learn and understand how to:
■ Discover WEP packets
C E H Lab Manual Page 821
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.

5. M odule 15 - H ackin g W ire le s s N etw o rk s
L a b E n v ir o n m e n t
£ 7 T o o ls
d e m o n s tr a t e d in
th i s la b a r e
a v a ila b le in
D:CEHT o o lsC E H v 8
M o d u le 15
H a c k in g W ir e le s s
N e tw o rk s
To execute the kb, you need:
■ Install AirPcap adapter drivers; to install navigate to D:CEH -ToolsC EHv 8
M o du le 15 H a c k in g W ireles s Netw orksVA irPcap -Enabled O pen S o u rce
to ols,
and double-click setup _airp cap _4_1_1.exe to install
■ When you are installing the AirPcap adapter drivers, it any installation error
occurs, install the AirPcap adapter drivers 111 compatibility mode (right-click
the A irP c ap a d a p te r d riv e r exe hie, select P ro p e rtie s ‫ ^־‬C o m p atib ility. 111
compatibility mode, and select W in d ow s7)
"
W ire s h a rk
located at D:CEH -ToolsC EHv 8
M o du le 15 H a c k in g W ireles s
N e tw o rk s A irP c a p -E n ab led O pen S o urce to o ls w ire s h a rk -w in 6 4 1.4 .4 .e x e
■
Run diis lab 111 Windows Server 2012 (host machine)
■ An access point configured with WEP on die host machine
■ This lab requires the AirPcap adapter installed on your machine. If
you don’t have this adapter, please do not proceed with this
lab
■ A standard AirPcap adapter widi its drivers installed on your host machine
■ WinPcap libraries, Wireshark, and Cain & Abel installed on your host
machine
■ Administrative privileges to run AirPcap and other tools
L a b D u r a t io n
Time: 15 Minutes
O v e r v ie w
o f W E P ( W ir e d E q u iv a le n t P r iv a c y )
Several serious w e a k n e s s e s 111 the protocol have been identified by cryptanalysts
with die result diat, today, a WEP connection can be easily cracked. Once entered
C E H Lab Manual Page 822
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited

6. M odule 15 - H ackin g W ire le s s N etw o rk s
onto a network, a skilled hacker can m o d ify software, n e tw o rk
s e c u rity settings.
se ttin g s,
and odier
Wired Equivalent Privacy (WEP) is a deprecated security a lg o rith m for IEEE
802.11 wireless networks.
L a b T a s k s
C onfigure A irP cap
Download AirPcap drivers Jtrom the site and lollow die wizard-driven installation
steps to install AirPcap drivers.
1. Launch the S ta r t menu by hovering the mouse cursor on the lower-left
corner of the desktop.
ca
You can download
AirPcap drivers from
http://www.a rdemon.net/
riverbed.html
1
F IG U R E 1.1: Windows Server 2012—Desktop view
2. Click the A irP c a p
P a n e l window.
C o n tro l P a n e l
app to open the A irP c a p
C o n tro l
m
The AirPcap adapters
can work in monitor mode.
In tliis mode, the AirPcap
adapter captures all o f the
frames that are transferred
on a channel, not just
frames drat are addressed
to it.
F IG U R E 1.2: Windows Server 2012—Apps
3. The A irP c ap
C E H Lab Manual Page 823
C ontrol P anel
window appears.
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

7. M odule 15 - H ackin g W ire le s s N etw o rk s
AirPcap Control Panel
Settings
Keys
Interface
V
AirPcap USB wireless capture adapter nr. 00
c a The Multi-Channel
Aggregator can be
configured like any real
AirPcap device, and
therefore can have its own
decryption, FC S checking
and packet filtering
settings.
Transmit: yes
Model: AirPcap Nx
Blink Led
Media: 802.11 a/b/g/n
Basic Configuration
Channel
2437 MHz [BG 6]
@ Include 802.11 FCS in Frames
Extension Channel
Capture Type
802.11 +Radio
v
FCS Filter
All Frames
Help
Reset Configuration
Ok
Apply
Cancel
F IG U R E 1.3: AirPcap Control Panel window
4. On the S e ttin g s tab, click the In te rfa c e drop-down list and select A irP c ap
USB w ire le s s c a p tu re ad ap ter.
5.
111 the B asic C o n fig uratio n section, select suitable C hannel, C a p tu re T yp e,
and FCS F ilte r and check the In c lu d e 8 0 2 .1 1 FCS in F ra m e s check box.
_
AirPcap Control Panel *
Settings
‫ם‬
Keys
Interface
AirPcap USB wireless capture adapter nr. 00
Q=& In Basic
Configuration bos settings:
Channel: The channels
available in the Channel list
box depend upon the
selected adapter. Since
channel numbers 14 in the
2.4GHz and 5GHz bands
overlap and there are
center frequencies
(channels) that do not have
channel numbers., Each
available channel is given
by its center frequency.
Model: AirPcap Nx
Transmit: yes
V
Blink Led
Media: 802.11 a/b/g/n
Basic Configuration
Channel
2412 MHz [BG 1]
Extension Channel
Capture Type
0
802.11 Only
✓]Include 802.11 FCS in Frames
v
v
FCS Filter
All Frames
Help
Reset Configuration
Ok
Apply
Cancel
F IG U R E 1.4: AirPcap Control Panel window'
6.
C E H Lab Manual Page 824
Now, click die K e y s tab. Check die E n a b le W EP D e c ry p tio n check box.
Tins enables die WEP decryption algoridim. You can A dd N e w K e y,
R e m o v e K e y, E d it K e y, and M o v e K e y U P an d D o w n.
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

8. M odule 15 - H ackin g W ire le s s N etw o rk s
7. After configuring settings and keys, click OK.
AirPcap Control Panel *
Settings Keys
WEP Configuration
In Basic
Configuration Settings:
Extension Channel: For
802.1 In adapters, one can
use the Extension Channel
list to create a “ wide”
channel. The choices are 1
(the preceding 20MHz
frequency band), 0 (no
extension channel), or +1
(the succeeding 20MHz
frequency band). The
channel o f the additional
frequency band is called the
extension channel.
[Enable WEP Decryption
Keys
Add New Key
Remove Key
Edit Key
Move Key Up
Move Key Down
Help
Reset Configuration
Ok
Apply
Cancel
F IG U R E 1.5: AirPcap Control Panel window
D TASK
Launch W ire s h a rk
appears.
2
C aptu rin g th e
p a c k e ts
N e tw o r k A n a ly z e r.
The
W ire s h a rk
T eW sh rkN tw rkA a r [W sh rk1 .2 (S NRv4 5 0fro /trunk-1.8)]
h ire a e o n lyze ire a .8 V e 4 2 m
Id
file
£dit
View
£0
Capture
Analyze
Statistics
Telephony
Tools
Internals
Help
m ± [B p ]
T
I j W t f M t M B B K S A I * * ‫►י‬
Filter
| v | Expression...
Clear Apply
^ ^ 0 0
1
yt
«, Interface List
m
Save
Open
Open a p-evousV captured fie
ft
Open Recent:
You can download
Wireshark from
http://www.wireshark.org.
^
Choose one or mo1 ‫ ׳‬nteffaces to capture from, then Start
Th« User's Guid« (local version, if instaied
Sample Captures
Security
A rich assortment of example captir• files on th* wiki
" t " AirPcap US8 wireless capture adapter nr. 00: .ai A
Work with Wireshark as secu!*ty as posstte
ff] DevkeNPF_{0A6DAE573‫־‬C5C4‫־‬CFE9‫־‬F ‫־‬E 8J s
4E 8E
J Microsoft Corporation: DeviceMPFJ82C13C97■‘'
^
o r u r.pc c . ^ k . r
W ebsite
Visit the project's website
User's Guide
M start
£‫|־י‬
E l “ ! x ‫'־‬
The W orld's Most Popular Network Protocol Analyzer
Version 1.8.2 (SVN Rev 44520 from /trunk-1.8)
WIRESHARK
m
main window
'
mdc v I
Capture Options
Start a capture with a«u.*a opeons
IE
Ready to load or capture
Profile: Default
F IG U R E 1.6: Wireshark Network Analyzer main window
C E H Lab Manual Page 825
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

9. M odule 15 - H ackin g W ire le s s N etw o rk s
9. Configure AirPcap as ail interface to
H ie following are
some o f die many features
Wireshark provides
available for U N IX and
W indow s.
In te r fa c e ... (C trl + l).
You can also click die
C a p tu re
l
i
Edit
View
K
^
Go | Capture | Analyze
it
IB
W
Statistics
Telephony
Jools
internals
I - ‫ ז□ן‬x
Help
? & [WPI 6 €1
1
interfaces...
->
icon on die toolbar.
(/TjThe W ireshark Network Analyzer [W ireshark 1.8.2 (SVN Rev 44520 from /trunk-1 .i
File
* Capture live packet data
from a network
interface.
ark. Select
DI* 0 ® ^
Options...
Jv
Expression...
Clear
Apply
Save
■ Display packets with
very detailed protocol
inform ation.
‫י‬
Open and Save packet
data captured.
Interface List
■ Im port and Export
packet data from and to
a lot o f other capture
programs.
b
VWt the project's websne
Open Recent:
®
User's Guide
3
^
e interfaces to capture from, then Start
The User $ Guide (local verson, tf instiled)
Sample Captures
A rich assortmert of example capture files on the w
ild
Work with Wireshark as securely as p ss4 te
o >
DeviceNPFJ0A6OAE57-3C5C4‫־‬C FE 9 ‫־‬F4E‫־‬E8E83: =
Microsoft Corporation: DevkeNPFJ82C18C97-'J®
OT Po.Hair prio c pc c3>«;r,
* Search for packets on
many criteria.
mpc —
Capture Options
Start a capture *ith detailed options
■ Colorize packet display
based on filters.
■ Create various statistics
Website
a
Start
‫ י י ךי‬AirPcap USB wireless capture adapter nr. 00: .ai ^
■ Filte r packets on many
criteria.
0pen
a
Open previously captured *te
Ready to load or capture
Profile: Default
11 2
F IG U R E 1.7: Wireshark Network A aly er with interface option
10. The W ire s h a rk : C a p tu re In te r fa c e s window appears. By default, die
AirPcap adapter is not 111 ninnuig mode. Select die A irp c a p U S B w ir e le s s
c a p tu re a d a p te r n r. 0 0 check box. Click S ta r t
Wireshark: Capture Interfaces
Description
IP
□
PI
N ote: Wireshark isn't
an intrusion detection
system. It does not warn
you when someone does
tilings on your network
that he/ she isn't allowed to
do. However, if strange
things happen, Wireshark
might help you figure out
what is really going on.
1]
Packets Packets/s
none
2154
1
5
Details
none
0
0
Details
fe80::3d78:efc3:c874:6f57
375
3
Details
none
375
3
Details
1 |,,t" AirPcap USB wireless capture adapter nr. 00
0
0
ff Microsoft Corporation
I 1 Realtek PCIe GBE Family Controller
ff
Help
Start
Stop
Options
Close
F IG U R E 1.8: W ireshark Capture Interface
11. Automatically, die
a d a p to r nr. 0 0 -
C a p tu rin g
fro m
W ire s h a rk
window appears, and it starts capturing
A irP c a p
USB
w ir e le s s
c a p tu re
packets from AirPcap Adapter.
C E H Lab Manual Page 826
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

10. M odule 15 - H ackin g W ire le s s N etw o rk s
[/T C p rin fro A c pUBw le sca tu a a te n 0 :V irp a O [W sh rk1 .2 (S NRv4 5 0from
| a tu g m i-Pa S ire s p re d p r r. 0 a c p O i‫׳‬e a .8 V e 4 2
/trunk-...1 I ‫ ם‬x
‫־‬
File
Edit
Vie*
60
Capture
Analyze
Statistics
Telephony
Tools
K < a tt * 1m h x a < 1 a 4
u
a
•
internals
[‫י‬
m
Wireshark can
capture traffic from many
different network media
types - and despite its name
- including wireless L A N as
well. W hich media types are
supported, depends on
many things, such as the
operating system you are
using.
Help
±ifsln e i a s i H
Expression,... Clear
Time
Source
278 12. 8113270 N e t g e a r _ 8 0 : a b : 3e
279 12. 9136860 N e t g e a r _ 8 0 :a b : 3e
Destination
Bro ad ca st
Bro ad ca st
Protoccl
802 .1 1
8 02 .1 1
280 12. 9347300 Netgear_32:7c :06
Broadcast
802.11
281
282
283
284
285
286
287
288
289
290
291
292
293
294
12. 9844520 N e t g e a r _ a e : 2 4 :c c
1 3 .0 1 60 93 0 N e t g e a r _ 8 0 : a b : 3e
1 3 .0 3 70 69 0 N e t g e a r _ 3 2 :7 c :0 6
1 3 .0 4 11 94 0 e 2 : 5 5 : e 5 : 2 7 : b l : c O
1 3 .1 1 84 52 0 N e t g e a r _ 8 0 :a b :3 e
1 3 .1 3 94 87 0 N e t g e a r _ 3 2 :7 c :0 6
1 3 .1 8 36 99 0 C o n p e x _ 6 8 :b 6 : f 5
1 3 .1 8 91 99 0 N e t g e a r _ a e : 24 : c c
1 3 .2 2 08 27 0 N e t g e a r _ 8 0 :a b : 3e
13. 2400780 N e t g e a r _ 3 2 : 7c :0 6
13. 2898380 2 c : d b : c f : c 6 : a a : 6 4
13. 3233130 N e t g e a r _ 8 0 :a b : 3e
13. 344 3 8 3 0 N e t g e a r _ 3 2 :7 c :0 6
13.4 2 57 28 0 N « t g e a r _ 8 0 : ab : 3q
Bro ad ca st
Bro ad ca st
Bro ad ca st
(e 4 :d 2 :6 c :4 0 :fe :2 7
Bro ad ca st
Bro ad ca st
Bro ad ca st
Bro ad ca st
Bro ad ca st
Bro ad ca st
4 5 :c 9 :c 7 :6 a :0 4 :0 9
Bro ad ca st
Bro ad ca st
Bro ad ca st
8 02 .1 1
8 02 .1 1
802 .1 1
(8 0 2 .1 1
8 02 .1 1
802 .1 1
802 .1 1
802 .1 1
802 .1 1
802 .1 1
802 .1 1
802 .1 1
802 .1 1
802 .1 1
IS F ram e 1 : 3247 b y t e s on w i r e (259 76 b i t s ) , 3247 b y t e s c a p t u r e d
l± I E E E 8 0 2 .1 1 u n r e c o g n iz e d ( R e s e r v e d f r a m e ) , F l a g s : ----r . f t
j
OO 06 Ob
OO
0 1 6b c3
00
0 2 c9 cc
00
0030 91 86
004 0 d5 5b
0
16 8f
5d83
8adf
aa b2
be5a
49
63
ef
10
cb
54 c8 13
fO e6 28
c3 aO 98
86 b4 2f
84 20 b3
48
2b
91
4e
05
AirPcap JS B wireless capture adapter nr. GO:...
8c
d9
75
ac
fO
fd ec
5alc
155e
caab
le 62
65
69
5f
6e
39
71 93
b2 8d
52 44
87 fa
5d 68
5e
fl
3d
16
c7
164
164
322
109
164
322
3707
164
322
132
109
164
91
3838
164
322
164
Appl(‫׳‬
Save
Info
Be a c o n f r a m e ,
Be a c o n f r a m e ,
S N 4 0 3 1 ‫ , ־‬FN=0, Flags‫־‬
S N 4 0 3 2 ‫ , ־‬FN=0, Flags‫־‬
Beacon frame, SN264‫ ,־‬FN=0, Flags=.
Be a c o n f r a m e , S N 1 7 5 3 ‫ , ־‬FN=0, Flags‫־‬
Be a c o n f r a m e , S N 4 0 3 3 ‫ , ־‬FN=0, Flags‫־‬
Be a c o n f r a m e , SN=265, FN=0, F l a g s ‫־‬
802.11 B lo c k A c k , F la g s = o p m .r m ft
Beacon frame, 5n4034‫ ,־‬fn=0, Flags‫־‬
Be a c o n fr a m e ,
Be a c o n fr a m e ,
f?
SN266‫,־‬
FN=0,F l a g s ‫־‬
S N 1 6 4 2 ‫, ־‬F N 0 ‫ , ־‬F l a g s ‫־‬
-
Deacon frame,
Be a c o n fr a m e ,
Be a c o n fr a m e ,
SN *40 3 5, f n -0 ,
SN -2 6 7,
E
5N=1756, FN=0, Flags‫־‬
F la g s f n - 0 ,F l a g s -
e
Acknowl cdgcm cnt (No data), SN-91S, TN-3, rlac
Be a c o n fr a m e , SN -4036, F N -0 ,
Be a c o n fr a m e ,
SN -2 6 8,
F la g s FN-0, F l a g s -
Boacon frame,
Plags-
(2 5 9 7 6 b i t s )
sn- 4037, FN-0,
on i n t e r f a c e
E
'
0
. IT. H ‫ ־‬q
. *‫־‬
...........u AR. _D
k. ] . c . . ( + .z . ‫___ ר‬
............../ N .. . n . . .
. [ .z ............. b9]h.
Packets: 489 Displayed: 489 Marked: 0
Profile: Default
F IG U R E 1.9: Wireshark Network Analyzer window with packets captured
12. Wait while Wireshark captures packets from AirPcap. II die F ilte r T o o lb a r
option is not visible on die toolbar, select V ie w -> F ilte r T o o lb a r. The
Filter Toolbar appears.
N o te : Wireshark doesn't benefit much from Multiprocessor/Hvperdiread systems
as time-consuming tasks, like filtering packets, are single direaded. No mle is
widiout exception: During an “update list of packets 111 real time” capture, capturing
traffic mns 111 one process and dissecting and displaying packets runs 111 another
process, which should benefit from two processors.
C p rin fro A c pUBw le sca tu a a te n 0 : Y irp a O [W s a 1 .2 (S NRv4 5 0from/tru k-... I ~ I ‫ ם‬r x
a tu g m irPa S ire s p re d p r r. 0 a c p O ire h rlc .8 V e 4 2
n
internals
Help
‫4 ? ©י‬
■ Main Tco bar
/
m u t
0. 0.
4>
‫ו‬
ax
‫ם‬
m m
‫ /י‬Filter Too bar
r
Wireless Toolbar
‫ <י‬Status Bar
✓ Packet L i*
*
Packet Qetails
‫ /י‬Packet Bytes
Wireshark can open
packets captured from a
large number o f other
capture programs.
lim e Display Format
I
Name Resolytion
! */ Coloriz• P«ck«t List
Auto Scroll in Liye Capture
Q
Zoom Qut
Q
Normal Size
E
Resize All Columns
u
Zoom In
Displayed Columns
Expand Subtrees
Expand A l
0: 0
0
0
1 01
0: 0
1 02
0; 0
loo
0030
10040
0■
0
I®
3247 b y t e s
c a p tu r e d
Save
nfo
B e a c o n f r a m e , s n 4 0 2 5 ‫ , ־‬fn‫־‬o , F l a g s ‫־‬
Beacon fr a m e , s n1 628‫ , ־‬f n 1 1 ‫ , ־‬F la g s ‫־‬
Be aco n fr a m e , S N 4 0 2 6 ‫ , ־‬F N 0 ‫ , ־‬F la g s ‫־‬
Beacon frame, sn^4027, fn^O, Flags^
D e a u t h e n t ic a t io n , s n -1 78 0 , f n -4 , F la g s •
B e a c o n f r a m e , s n - 4 0 2 8 , f n -0 , F l a g s B e a c o n f r a m e , SN -4 0 29 , F N -0 , F l a g s B e a c o n f r a m e , SN -4 0 30 , F N -0 , F l a g s -
Beacon frame, SN-4031, FN-0, FlagsBeacon fr a m e ,
SN-4032, F N -0 , F l a g s -
Beacon frame, SN-204, FN=0, FlagsBeacon fr a m e , S N 1 7 5 3 ‫ , ־‬F N 0 ‫ , ־‬F la g s ‫־‬
Beacon fr a m e , s n4 0 3 3 ‫ , ־‬f n 0 ‫ , ־‬F la g s ‫־‬
Beacon frame, £N=26S, FN=0, Flags‫־‬
8 0 2 .1 1 B l o c k A c k , F l a g s ‫ ־‬opm.RMFT
Beacon fr a m e , s n 4 0 3 4 ‫ , ־‬f n 0 ‫ , ־‬F la g s ‫־‬
B e a c o n f r a m e , S N 2 6 6 ‫ , ־‬F N 0 ‫ , ־‬F la g s ‫־‬
(2 59 76 b i t s )
on i n t e r f a c e
0
Flags: ....s .F T
C * Left
trl■■
Colorize Conversation
Reset Coloring 1-10
^
S ift■ Right
h *■
Ctrl* Right
Collapse All
Gear Apply
Protocol Length
164
St
802 1 1
e : 6f 6b 18
802 1 1
109
164
St
802 1 1
164
802 1 1
St
n _ f 2 45 Oc
802 1 1
30
104
St
802 1 1
►
164
St
802 1 1
► St
164
802 1 1
164
St
802 1 1
164
802 1 1
St
802 1 1
322
St
802 1 1
109
C l■■* S t
tr * ■■
164
St
802 1 1
C *■
trl■ ‫־‬
St
802 1 1
322
Ctr1+=
f e 27 (8 0 2 1 1
3707
164
St
802 1 1
S ift■ Ctrl+R
h *■
St
802 1 1
322
►
o
Q
Expression..
Coloring Rules...
Show Packet in New Window
►
C * Space
trl■■
5 71 93 5e
9 b2 8d f l
f 52 44 3d
e 87 fa 16
9 5d 68 c7
____ I T . . H. . . e q . A
k .].c ..( t .z . i. ..
................. U.a_RD=
............../ M .. . n . . .
. [ . Z ................ b 9 ]h .
Ctrl+R )isplayed: 7211 Marked: 0
Profile: Default
F IG U R E 1.10: Wireshark Network Analyzer window with interface option
C E H Lab Manual Page 827
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

11. M odule 15 - H ackin g W ire le s s N etw o rk s
13. Now select V ie w
window.
-> W ire le s s T o o lb a r.
kD Capturing from A irPcap U S B wireless capture adapter nr. 00: .airpcap00
File
m
Edit | View | Go
Capture
Analyze
Statist cs
Telephony
Internals
[W ireshark 1.8.2 {SV N R ev 44520 from /trunk ... I — ’ ‫ ם‬P
x
Help
► 5 ik [M]S
*
tg >/ Wain Todbar
i
*
Jools
The wireless toolbar appears 111 die
Q
0• ‫ ט‬I & 0
%
Fltcr Toolbar
'
] * Wireless Toolbar
‫־‬
£ 2.1 C an ■ S tu 3‫־‬r
0 1 h
‫ ׳‬ta s
Clear Apply
Save
| v [ D r i v e r [v] W le sSetings-. D
ire s
ecryp n Ky ...
tio e s
Packct List
Protocol
st
Length Info
802.11
164 Beacon frame, SN-4025, FN-0, Flags-.........
e:6f:6b:18 802.11
109 Beacon frame, 5N-1628, FN-11, Flags‫........־‬
St
802.11
164 Beacon frame, 5n=4026, fn=o, Flags‫......... ־‬
St
802.11
164 Beacon frame, SN-4027, FN-0, Flags*.........
n_f2:45:0c 802.11
30 Deauthentication, 5N-1780, fn- 4, Flags-..
st
802.11
164 Beacon frame. SN-4028, fn- 0, Flags-.........
164 Beacon frame. SN-4029, fn- 0. Flags-.........
St
802.11
st
8 0 2 .11
164 Beacon frame, SN-4030, FN-0, Flags-.........
st
8 0 2 .11
164 Beacon frame, SN-4031, TN-0, Flags-.........
802.11
164 Beacon frame, sn-4032, FN-0, Flags-.........
C *■ st
trl• *
.St
802.11
322 Beacon frame, 5N-204, fn- 0, Flags-...........
C *■
trl■■
109 Beacon frame, SN-1753, FN-0, Flags-.........
St
802.11
C ‫ ־‬St
trl•*■
164 Beacon frame, SN-4033, fn- 0, Flags-.........
802.11
322 Beacon frame, SN-265, FN-0, Flags-...........
St
802.11
c:40:fe :27 (802.11 3707 802.11 Block Ack, Flags-opm.RMFT
st
802.11
164 Beacon frame, SN=4034 , FN=0, Flags=.........
322 Beacon frame, SN-266, FN-0, Flags-...........
st
802.11
S ift■ R h
h ‫ ׳‬ig t
C
trl-Right
3247 bytes captured (2S976 bits) on interface 0
C L ft
trl•*‫ ־‬e
_
Flags: _ R.FT
P3cket Details
O
Wireshark is a
network packet analyzer
that captures network
packets and tries to display
that packet data as detailed
as possible.
Expression‫״‬
Packct Bytes
Jim• D layF rm
isp o at
N e R lu n
am eso tio
C lo P
o ri7e acket list
A S ro in L eC ture
uto c ll iy ap
200m n
ZoomQ t
u
N al S e
orm 2
R A C ns
esi:e ll olum
D layedC ns
isp
olum
Eipanc Subtrees
E p n Al
xad
C seA
ollap ll
Colori2e Conversation
Rcitl Culjrhy 1-10
C
oloring R le ...
us
_ .H
.
IT .
.. eq. a
5 71 93 5e
9 b2 3d f l
k. ] . c .. ( +.Z .‫. . . ו‬
f 52 44 3d ....................u . a _ rde 87 f a 16
........... / N... n...
0030
C R 9 5d 68 c7 . [ . z ............... b 9 ]h .
trK
£ A capU B.v le scaptureadapter n O ... P c e : 12 6D layed 12986M
irP
S ire s
r. ):
a lc ts 98 isp
arked ‫כ‬
:
OODO
01
00
02
00
S wP
ho acket inN W
ew indow
P file D
ro : efault
'
F IG U R E 1.11: Wireshark Network Analyzer window with wireless toolbar option
14. You will see die
Wireshark.
m
One possible
alternative is to ran
tcpdump, or the dumpcap
utility diat comes with
Wireshark, with superuser
privileges to capture
packets into a file, and later
analyze diese packets by
running Wireshark with
restricted privileges on the
packet capture dump file
and
s o u rc e
d e s tin a tio n
r t3‫ )׳‬Capturing from AiiPcdp USB wireless capture adapter nr. 00: VairpcapOO
£ile
£dit
m u
View
(jo
* 9t *
Cooturc
Analyze
Statistics
Telephony
Tools
Internals
of the packet captured by
[Wireshark 1.8.2 (SVN Rev 44520 from /trunk-... L ^ J ‫ ח‬r *
Help
6 ‫או 0 א: ט ^ ^ ^וי|| 1ו » ^ ^ ^ו 3 3 א ט‬
Filter
|~ | E p s io ... C
v x re s n
lear A
pply S v
ae
£0211 Charnel:
v !Channel CHfset
Time
v FCS Filter All Frames
Source
None
Destination
282 13.0160930 Netgear_30:ab:3e
283 13.0370690 Netgear_32:7c :06
284 13. 0411940 e2:55:e5:27 :bl:cO
285 13.1184520 Netgear_80: ab: 3e
286 13.1394870 Netgear_32:7c :06
287 13.1836990C0mpex_65:be:f5
288 13.1891990 Netgear_ae: 24: cc
289 13. 2208270 Netgear_80:ab:3e
290 13. 2400780 Netgear_32:7c :06
291 13. 2898380 2c:db:ef:e6:aa:64
292 13. 3233130 Netgear_80: ab; 3e
293 13. 3443830 Netgear_3z:7c:06
294 13.4257280 Netgear_80:ab:3e
295 13. 5282000 Netgear 80:ab:3e
?06 13. S4907?ONetgear_?2:7c:06
297 13. 6304580 Netgear_80: ab: 3e
298 13. 6514 500 Netgear _32: 7c. 00
jv ]
Wireless Settings... Decryption Keys..
Protocol Length Info
Broadcast
Broadcast
( e4 :d2 :6c:40:f e:27
Broadcast
Broadcast
Broadcast
Broadcast
Broadcast
Broadcast
45:c9:e7:6a:04:e9
Broadcast
Broadcast
Broadcast
Broadcast
Broadcast
Broadcast
B oadcasl
r
802.11
802.11
C802.ll
802.11
802.11
802.11
802.11
802.11
802.11
802.11
802.11
802.11
ou2.11
802.11
802.11
802.11
802.11
164 Beacon frane, SN=4033, FN=0, Flags‫־‬
322 Beacon frame, SN=265, FN=0, Flags‫־‬
E
3707 802.11 Block Ack, Flags=opm.RMFT
164 Beacon frame, SN-4034, fn- 0, Flags322 Beacon frane, SN=266, FN=0, Flags‫־‬
C
132 Beacon frane, sn1642‫ ,־‬fn=o , Flags‫־‬
109 Beacon frane, SN1756‫ ,־‬fn=0, Flags‫־‬
164 Beacon frane. SN=4035. FN=0, Flags‫־‬
91 Beacon frane, SN=267, FN=0, Flags=
E
3838 Acknowledgement (No data), SN-915, FN-3, Flac
164 Beacon frane, SN-4036, FN=0, Flags322 Beacon frane, SN=2btt, fn- u, Flags104 Beacon Trane, 5n-4 us/ , fn- u , Flags-................
164 Beacon frane. SN-4038. FN-0. Flags-..................
322 Beacon frane, SN-270, FN-0, Flags-............... B
164 Beacon franc, SN-4039, FN-0, Flags-...............
322 Beacon frane, SN-271, FN-0, Flags-............. .. C
<fl__________________________________________________
♦ Frane 293: 322 bytes on wire (2576 b its), 322 bytes captured (2S76 bits) on interface 0
+ ieee 802.11 Beacon frane, Flags: .............
IEEE 802.11 wireless lan management frame
S
3
00
00
01
00
02
00
0030
80
4c
64
08
0040 00
00
60
00
82
00
0000
de32
1104
840b
2a01
ff
7c
00
16
00
ff
06
09
24
2f
ff ff
cO 10
4b 75
30 48
01 00
ff
96
73
6c
30
m an nn n f
rA nn n f
© AirPcap U Bwi'eless capture adapter nr. GO:...
S
ff
31
75
03
18
4C60
8e64
6d20
0101
0100
de
00
57
05
00
32
00
4c
04
Of
7C
00
52
01
ac
06
00
01
02
02
.................. L • 2 |.
L'. 21. . . . 1. d_
_
d....... Kj sum W R
L.
.... SH1........
O
Paclcets: 32940 Displayed: 32040 Marked: 0
Profile: Default
F IG U R E 1.12: Wireshark Network Analyzer window with 802.11 channel captured packets
15. After enough packet capUires, stop Wireshark
C E H Lab Manual Page 828
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

12. M odule 15 - H ackin g W ire le s s N etw o rk s
Capturing from AirPcap USB wireless capture adapter nr. 00 ‫ ־‬Wireshark
£ile
Edit
m m
View
Go
Capture
Analyze
Statistics
Telephony
Tools
Help
a® *
Expression...
$02.11 Channel: 2412 [B G 1]
).
Time
Clear Apply
| v ] Channel Offset |0
Source
Destination
Protocol
| v | FCS Filter All Frames
|v|N on e WirelessSettings...DecryptionKeys...
Info
4992 90.885184 2a:13:4C:al:CC:la C7:0 : 80: 13‫ י‬IEEE
802.11
Fragnented ieee S02.ll frame
4993 90.885677
IEEE
802.11
unrecognized (Reserved frame), Flags‫ . . . ־‬p . m . .
4994 90.985558 Netgear_ae:24:cc
Broadcast IEEE
802.11
Beacon frame, SN=2080, FN=0, Flags‫־‬
BI=100,
unrecognized (Reserved frame), SN2851‫ ,־‬FN0‫ ,־‬Flags‫־‬o
4995 91.049792 ab:76:13:1c:e6: 3f f f :57:a6:9:1EEE
802.11
4996 91.087908 Netgear_ae:24:c c
Broadcast IEEE
802.11
Beacon frame, SM=2081,PN0‫ ,־‬Flags‫־‬
BI 100‫,־‬
4997 91.497565 Netgear_ae:24:c c
Broadcast IEEE
802.11
Beacon frame, SN-2085,FN-O, FlagsBI-100,
4998 91.600033 98:14:34:f c :48: cc Broadcast IEEE
802.11
Beacon frame, SN=3733,FN=7, Flags‫־‬
BI1]8896‫־‬
4999 91.70239* Dlg1talG_02:e8:d5 Broadcast ieee
802.11
Beacon frame, sn2087‫,־‬fn- 0, Flags‫־‬
B1100‫,־‬
5000 91.704757 f 8:a f:ed:3d:6c:62 f9:ea:f9:f IEEE
802.11
Null function ( no data), SN3864‫ ,־‬fn=15, Flags‫... ־‬P.M
Data, 802.11
SN-2916, fn- 0, Flags-.p
F.
500191.705380 bl:7c:25:46:el:dl e6:61:a IEEE:13
5002 91. 804794 Netgear_ae:24:cc
Broadcast IEEF
802.11
Beacon frame. SN-2088,FN-0, FlagsBT-100,
5003 91.907138 N«tgear_a«:24:cc
Broadcast IEEE
802.11
Beacon frame, &N-2089,F ^-O FlagsN ,
BI-100,
5004 92.112081 l c :12:30:8b:24: f 5 f f : f f : f f :3 IEEE
802.11
Beacon frame, SN-1151,FN-2, FlagsBI-55820
802.11
5005 92.246059 MonHaiPi _0a:72:8a 8:2c:b0:5d‫ ׳‬IEEE
Null function (no data), SN-2733, FN-0, Flag>-.. . P...
5000 92.246276
horiHalpr_o. ieee
802.11
A c k n o w le d g e n e n t, F la g s 5007 92. 316789 Netgear_ae:24:cc
Broadcast IEEE
802.11
Beacon frame, SN-2093,fn- 0, FlagsBI-100,
5008 92. 319258 91:6c: 5c: 32:50:d2 4d: 22: e: 24‫ ׳‬IEEE
802.11
Qos Data + CF-P011. 5N-1B31, FN-15, Flags-.p.PR..T
L
5009 92. S2164S Netgear_ae:24:cc
Broadcast IEEF
802.11
Beacon frame. SN-2095,fn- 0. FlagsBT-100,
+ Frame 1: 14 bytes on wire (112 b its), 14 bytes captured (112 bits)
S IEEE 802.11 Acknowledgement, Flags: .............
Type/Subtype: Acknowledgement (Oxld)
‫ ש‬Frame control: O O J (Normal)
xO D
......].
0000 d4 00 00 00 2c b 5d 80 ab 3e 6a 3e 19 81
O
0
AiP.ap LSBv
lapluie atiajlei nr. 00:...
Packets; 5C09 Displayed; 3009 MaiJ.cc: C
PioHIc; Default
F IG U R E 1.13: Stop wiieshaik packet capture
16. Go to F ile from menu bar, and select S a v e
‫ט‬
U i
T lie latest version is
faster and contains a lot of
new features, like A PR
(Arp Poison Routing)
which enables sniffing on
switched LA N s and Manin-the-Middle attacks.
*‫פ‬
AirPcap USB wireless capture adapter nr 00 ‫ ־‬Wireshark
[d<
t
yicw
20
£cptjrc
Analyze
Statistics
Telephony
Tools
tJelp
cw b a ‫ן‬
.0
&
Opengecent
Merge...
|n|n| <. q ! 1 ‫ט‬
3 3
yt b
& ib
►
kpressicn‫״‬
Clri»W 1rnc! Offset: [0
[ v j FCSFilter All Frames
Destination
Protocol
Clear Appf/
[v^None
["vj Wireless Settings- Decryption Keys...
Info
Control wrapper. Flags-.pm.R.f .
IEEE
802.11
Broadcast IEEE
Beacon frane, SN-353, FN-0, Flags‫־‬
802.11
BI-100, S
Beacon frane, SN-3 54, FN-O, Flags‫. . . . ־‬
f f :ee:1:93‫י‬IEEE
802.11
61=12530‫׳‬
f f :f6:54:d'IEEE
Beacon frane[Ka1formed Packet]
802.11
£xport
B I 5 ,100‫־‬
broadcast ieee
Beacon 0 2 .11 5n=356, fn=0, Flags‫. . . . ־‬
8 frane,
Data, 802.11
SN357‫ ,־‬FN1‫ , ־‬Flags=opmP.. FT
d4:fa:cb:c.lEEE
£ £rint._
Beacon frane, SN358‫, ־‬
FN0‫,־‬
Flags‫ ,־001 ־‬S
BI
Broadcast IEEE
802.11
Beacon frane, sn361‫ , ־‬FN0‫,־‬Flags‫. . . . ־‬
BI 100‫ ,־‬S
d4:aa:01:4 IEEE
802.11
E Quit
Ctrl*Q f : b 8 : c l
Beacon frane, SN364‫, ־‬
802.11
FN=0,
Flags‫ , ־ 0. 0. . ־‬S
BI1 .
/ uj zv.wv mwcjwi_iw2 :C B r o a d c a s t IEEE
ox o a a wt a « . 4 C
B r o a d c a s t IEEE
Beacon frame, SN=335, FN=14, Flag5=...
802.11
, BI= 200,
7641 267. 835429 Netgear_ae: 60: ce
Data, 802.11
5n3037‫ ,־‬fn3‫ ,־‬Flags=.p. . . . F.
74 27874 0 :5 :2 :0 :0 :4 IPv6mcaSt_HEEE
62 6. 796 1 4 9 1 0 4
Broadcast IEEE
Beacon frane, sn369‫ , ־‬fn0‫ ,־‬Flags‫־‬
802.11
BI 100‫ ,־‬S I
7643 268.038309 Netgear_ae: 24: cc
Beacon frane, SN370‫, ־‬
fn0‫,־‬
Flags‫ , ־ 0 0 1 ־‬S I
BI
7644 268.143787 Netgear.ae:24:cc
Broadcast IEEE
802.11
Beacon frane, SN372‫ , ־‬fn0‫ .־‬Flags‫. . . . ־‬
BI 100‫ ,־‬S I
Broadcast IEEE
802.11
7645 268. 345546 Netgear_ae: 24: cc
B r o a d c a s t IEEE
Beacon frane, SN=375, FN=0, Flags‫. . . . ־‬
802.11
BI 100‫ ,־‬S I
7646 268. 652782 Netgear_ae: 24: cc
Null function ( no data), SN-36, FN-0, Flags-. .. PR. .T
802.11
7647 268.661651 HorHai Pr_0a: 72 :8a 2c:bO:5d:8'IEEE
Null function ( no data), 5N-36, fn-O, Flags‫ .. . ־‬pr. . t [— I
802.11
74 28626 n m1 r_ a 7 :8 2c:bO:5d:8'IEEE
68 6. 610 o a p 0 : 2 a
7649 269.164812 48:09:39:1a:ce:d4 ff:ff:lb :f-IEE E
Beacon frane, SN-3746, FN-O, Flags-...
802.11
BI-36936
‫ י‬Frane 1: 14 bytes on wire (112 b its), 14 bytes captured (112 bits)
- ieee 802.11 Acknowl edgernent, Flags: .............
Type/Subtype: Acknowledgement (Oxld)
0 Frame control: O O 4 (Nornal)
0
xO D
E
Save As. .
:24:cc
►
1:02: cd
b : 24:ec
1:24: C
C
C
trl+P p:f8:41
:24:cc
00D0 d4 00 00 00 2c bo 50 80 ab Je 6a 4e 19 81
^
File: "C:OtersADMN - 'AppOatalocalT...
....... j•
■>
>■
)■
Packets: 7649 Displayed: 6£9‫ ל‬Marked: 0 Drcppec: C
F IG U R E 1.14: Save the captured packets
17. Enter die F ile
C E H Lab Manual Page 829
nam e,
and click Save.
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

13. M odule 15 - H ackin g W ire le s s N etw o rk s
Wireshark: Save file as
Save tn
**
|jj.
Name
< & C? ₪t
=
AirPcap -Enabled Open Source tools
-
Date modified
aircrack-ng-0.9-airpcap
10/19/2012 2:44 PM
Type
File folder
1
Recent places
K
Desktop
S
Lbranes
'V
Computer
Network
<
1
H
III
| Packet capture
Save as type
| Wreshark.‫ו׳‬cpdump
1
>
i
A
File name:
■
kfcpcap f pcap :*cap)
Save
_^J
Cancel
|
Hdp
(• Captured
♦Vpackets
Displayed
7649
Selected packet
‫ו‬
(" Marked packets
0
0
(" First to last marked
0
0
c Range 1 ‫־‬
‫־‬
r Remove Ignored packets
0
0
0
F IG U R E 1.15: Save the Captured packet file
L a b A n a ly s is
Analyze and document the results related to die lab exercise. Give your opinion on
your target’s security posture and exposure.
P LE A SE
TA LK
Tool/Utility
TO
Y O U R IN S T R U C T O R IF Y O U
R E L A T E D TO T H IS LAB.
H A V E
Q U E ST IO N S
Information Collected/Objectives Achieved
Used Adapter: AirPcap USB wireless capture adapter
nr .00
Wireshark
C E H Lab Manual Page 830
Result: Number ol sniffed packets captured by
Wireshark in network, which include:
Packet Number, Time, Source, Destination, Protocol,
and Info
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

14. M odule 15 - H ackin g W ire le s s N etw o rk s
Q u e s t io n s
1. Evaluate and determine the number of wireless cards supported by die
wireless scanner.
2. Analyze and evaluate how AirPcap adapters operate.
Internet Connection Required
0 Yes
0 No
Platform Supported
0 Classroom
C E H Lab Manual Page 831
□ !Labs
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.

15. M odule 15 - H ackin g W ire le s s N etw o rk s
Lab
C r a c k i n g
a
W E P
N e t w o r k w i t h
A i r c r a c k - n g for W i n d o w s
A ir c r a c k - n g
re c o v e rs
is
keys
s ta n d a r d F A I S
an
8 0 2 .1 1
o n ce e n o u g h
W E P
and
d a ta p a c k e ts
W P A -P S K
have
be en
k e y s c ra c k in g p r o g r a m
c a p tu re d .
It
im p le m e n ts
th a t
th e
a tta c k a lo n g n it h so m e o p tim is a tio n s lik e K o r e K a tta c k s , a s w e ll a s
th e a ll- n e w P T W
a tta c k , th u s m a k in g th e a tta c k m u c h fa s t e r c o m p a re d to o th e r
W E P c ra c k in g to o ls .
I C O N
K E Y
'/ V a l u a b l e
in fo rm a tio n
> >
T est your
k n o w le d g e
—
c a
W e b e x e rc is e
W o r k b o o k r e v ie w
L a b S c e n a r io
Network administrators can take steps to help protect their wireless network from
outside tinea ts and attacks. Most hackers will post details of any loops or exploits
online, and if they find a security hole, they will come 111 droves to test your wireless
network with it. WEP is used for wireless networks. Always change your SSID from
the default, before you actually connect the wireless router for the access point. If an
SSID broadcast is not disabled on an access point, die use of a DHCP server to
automatically assign IP address to wireless clients should not be used because war
dnving tools can easily detect your internal IP addressing it the SSID broadcasts are
enabled and the DHCP is being used.
As an etlncal hacker and penetration tester of an organization, your IT director will
assign you the task of testing wireless security, exploiting the flaws in ”EP, and
cracking the keys present 111 WEP of an organization. 111 tliis lab we discuss how
WPA key are cracked using standard attacks such as korek attacks and PTW" attacks.
&
Too ls
d e m o n s tra te d in
th is lab a re
a v a ila b le on
D:CEHT oo lsC E H v 8
L a b O b je c tiv e s
The objective of tins lab is to protect wireless network from attackers.
111
tins lab, you will learn how to:
M o du le 15
■ Crack WEP using various tools
H a c k in g W ireles s
■ Capture network traffic
N e tw o rk s
■ Analyze and detect wireless traffic
C E H Lab Manual Page 832
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.

16. M odule 15 - H ackin g W ire le s s N etw o rk s
L a b E n v ir o n m e n t
To execute the kb, you need:
■
A irc ra ck-n g
located at D:CEH -ToolsC EHv 8
M o du le 1 5 H a c k in g W ireles s
Networks'!W EP-W PA C rac kin g T oo lsA ircrack-n gb in
m
V is it B a c k tr a c k
■ Tins tool requires Administrative pnvileges to ran
h o m e s i te
h t t p : / / w w w .b a c k t r a c k -
■ A client connected to a wireless access point
lix u 1x . o r g f o r a c o m p l e t e
lis t o f c o m p a tib le W i-F i
■ This lab requires AirPcap adapter installed on your machine. If you
don’t have this adapter please do not proceed with the lab
a d a p te rs .
L a b D u r a t io n
Time: 20 Minutes
O v e r v ie w
m
Airplay filter options:
-b bssid: M AC address,
access point.
TASK
o f A ir c r a c k - n g
A wireless network refers to any type of computer network that is w ir e le s s ,
and is commonly associated with a te le c o m m u n ic a tio n s network whose
in te rc o n n e c tio n s between n o d e s are implemented without the use of wires.
Wireless telecommunications networks are generally implemented with some
type of r e m o te information transmission system that uses e le c tr o m a g n e tic
w a v e s , such as radio waves, for the c a rr ie r, and this implementation usually
takes place at the physical level or layer of the network.
1
C rac kin g a W EP
N e tw o rk
L a b T a s k
1. Launch
A irc ra ck-n g G U I
from
D :CEH -ToolsC EHv 8 M o du le 1 5 H a ck in g
W ireles s N e tw o rk s A irP c a p -Enabled O pen S o u rce to o ls a irc ra c k -n g -0 .9 a irp c a p b in
by double-clicking A irc ra c k -n g
G U I.e xe .
2. Click the A ird u m p -n g tab.
‫ט‬
To start wlanO in
monitor mode type:
airmon-ng start wlanO.
m
To stop wlanO type:
airmon-ng stop wlanO.
F IG U R E 2.1: Airodump-ng window
C E H Lab Manual Page 833
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

17. M odule 15 - H ackin g W ire le s s N etw o rk s
3. Click L au n c h . This will show the
a iro d u m p
window.
—
airodump-ng 0.9
‫ם‬
x
airodump-ng 0.9 —< > 2006 T as d'Otreppe
C
hom
Original work: Christophe Devine
m
To confirm diat die
card is in monitor mode,
run the command
“ iwconfig” . You can then
confirm the mode is
“ monitor” and the interface
name.
usage: airodump-ng <nic index> <nic type> <channel<s>> <output prefix> Civs only flag]
K n network adapters:
now
1 AirPcap U B wireless capture adapter nr. 00
S
Network interface index num
ber ->
F IG U R E 2.2: Airodump-ng selecting adapter window
4. Type the Airpcap adapter index number as 0 and select all channels by
typing 1 1 . Press E n ter.
airodump-ng 0.9
tewJ Aircrack-ng option: b bssid Long version —
bssid. Select the target
network based on the
access point's M AC
address.
airodump-ng 0.9 - < > 2006 T as d'Otreppe
C
hom
Original work: Christophe Devine
usage: airodump-ng <nic index> <nic type> <channel<s>> <output prefix> Cius only flag]
K n network adapters:
now
1 AirPcap U B wireless capture adapter nr. 00
S
Network interface index num
ber -> 0
Channel<s>: 1 to 14. 0 = a ll -> 11
(note: if you specify the sane output prefix, airodump w ill resum
e
the capture session by appending data to the existing capture file )
Output f ilename pref ix
->
m
For cracking
W P A /W P A 2 pre-shared
keys, only a dictionary
method is used. SSE2
support is included to
dramatically speed up
W PA /W PA 2 key
processing.
C E H Lab Manual Page 834
F IG U R E 2.3: Airodump-ng selecting adapter window
5. It will prompt you for a file name. Enter
C a p tu re
and press
E n ter.
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

18. M odule 15 - H ackin g W ire le s s N etw o rk s
‫כ‬
airodump-ng 0.9
I~ I
airodump-ng 0.9 - < > 2006 T as d'Otreppe
C
hom
Original work: Christophe Devine
m
Aircrack-ng
completes determining the
key; it is presented to you
in hexadecimal format such
as K E Y FO U N D !
[BF:53:9E:DB:37],
usage: airodump-ng <nic index> <nic type> <channel<s>> <output prefix> Civs only flag]
K n network adapters:
now
1 AirPcap U B wireless capture adapter nr. 00
S
Network interface index num
ber -> 0
ChanneKs): 1 to 14, 0 - a ll 1 <
1 ‫־‬
<note: if you specify the sam output prefix, airodump w ill resum
e
e
the capture session by appending data to the existing capture file>
Output filename prefix
->| capture |
<note: to save space and only store the captured WP IUs, press y.
E
The resulting capture file w ill only be useful for WP cracking)
E
Only write WP IUs <y/n)
E
—
>
F IG U R E 2.4: Airodump-ng selecting adapter window
6.
Type y
111 O n ly w r it e W E P IV s
Press
E n te r
airodump-ng 0.9
m
Airodump option: -f
<msecs> : Tim e in ms
between hopping channels.
airodump-ng 0.9 - < > 2006 T as d'Otreppe
C
hom
Original work: Christophe Devine
usage: airodump-ng <nic index> <nic type> <channel<s>> <output prefix> Civs only flag]
K n network adapters:
now
1 AirPcap U B wireless capture adapter nr. 00
S
Network interface index num
ber 0 <
‫־‬
ChanneKs): 1 to 14, 0 = a ll -> 11
(note: if you specify the sam output prefix, airodump w ill resum
e
e
the capture session by appending data to the existing capture file )
Output filename prefix
-> capture
<note: to save space and only store the captured WP IUs, press y.
E
The resulting capture file w ill only be useful for WP cracking)
E
Only write WP IUs <y/n)
E
‫ע <־‬
m
Airplay filter option:
d dmac : M A C address,
Destination.
F IG U R E 2.5: Airodump-ng dumping the captured packets window
7. After pressing y it will display Wi-Fi traffic; leave it running for few
minutes.
8.
C E H Lab Manual Page 835
Allow airodump-ng to capturea large number ot packets (above 2,000,000).
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

19. M odule 15 - H ackin g W ire le s s N etw o rk s
1
1
Channel :11 - airodump-ng 0.9.3
BS
S ID
B8:A3:86:3E:2F:37
1C:7E:E5:53 :04:48
4C:60:DE:32 :3B:4E
4C:60:DE:32 :7C:06
80:A1:D7:25 :63:13
80:A1:D7:25 :63:10
80:fll:D7:25 :63:12
80:A1:D7:25 :63:11
<J4:44^9:F9 :4q:nn
|0 9r z‫ &״‬m 9c
e
z
BS
S ID
B :A3:86:3E 2F:37
8
1C:7E:E5:53 A4:48
1C:7E:E5:53 A4: 48
1C:7E:E5:53 04:48
1C:7E:E5:53 04:48
94:44:52:F2 45:0C
94:44:52: F 45:0C
2
94:44:52:F2 45:0C
94:44:52:F2 45:0C
94:44:52:F 45:0C
2
00:09:5B:AE 24:CC
00:09:5B:AE 24:C
C
L - l°l
-
P R Beacons It Data C M E C E S
U
H B N
S ID
-78
5
0 1 48 WP S A H
E? A C I
-80
5496
2146 1 48 U A D
1
P
‫־‬Link_DIR-524
-80
181
1 6 48 U A Ithey Ithey
P
0 11 48 WP K
-81
5
E ? usum WR
L
-77
13
0 1 54 O N
P
‫87 ־‬
21
0 1 54 WP G E
E? 0
-80
12
0 1 54 O N
P
‫87 ־‬
18
0 1 54 O N
P
1
99rh4 1
HANTFn
1 4R IJPA
-10
53036 224385 11 54 WP N T E R
E
EGA
S T N
TA IO
P R Packets E S
U
S ID
00:24:2C:38:39:96 -75
1 SAH
ACI
AC:72:89:6B:BD:B3 -81
38 D
‫־‬Link_DIR-524
29 D-Link_DIR-524
30:69:4B:C7:F9:F7 -84
D0:B3:3F:12:O1:FF -79
7 D-Link_DIR-524
E0:F8:47:95:05: D -82
6
421 D-Link_DIR-524
4C:ED:DE:02:5B:BF -80
2 GNE
ATC
4C: E : D : 94: C : El -80
D E
E
5 GNE
ATC
00:26:82:CF:09:C2 -80
16256 G N E
ATC
50:01:BB:58:05:27 -76
1 GNE
ATC
00:23:15:73:E7:E4 -73
293 G N E
ATC
1C:66:AA:7C:F0:79 -81
213 N T E R
EGA
04:54:53:0E:2C:OB -33 125920 N T E R
EGA
<|
rH
III
>
F IG U R E 2.6: Airodump-ng Channel listing window
m
airmon-ng is a bash
script designed to turn
wireless cards into monitor
mode. It auto-detects
which card you have and
run the right commands.
m
Airodump-ng is used
for packet capturing o f raw
802.11 frames and is
particularly suitable for
collecting W E P IV s
(Initialization Vector) for
the intent o f using them
with aircrack-ng.
9. Now close the window.
10. Go to
A irc ra c k -n g
andclick A d v a n c e d
O p tio n s
-
Aircrack-ng GUI
Aircrack-ng
x
Arodump-ng ] Airdecap-ng | WZCook | About
Filename (s)
Encryption
‫ם‬
Choose.
(§) W E P
Key size 1
128
v | bits
□
Use wordlist
□
Use PTW attack
O W PA
□
Specify ESSID
I I Specify BSSID
Fudge factor
Disable KoreK
attacks
I
□ 1
□ 2
□ 3
□ 4
□ 5
□ 6
□ ‫ל‬
U8
Key search filter
‫ח‬
Baiteforce
Alphanumeric characters
1 1 BCD characters
=
Last keybytes
bnjteforce
@
1 1 Numeric (Fntz'BOX)
‫ן‬
I aJ
— LZj
Multithreading bnjteforce
1 1 Single Bnjteforce attack
V
Launch
F IG U R E 2.7: Aircrack-ng options window
11. Click C h o o s e and select the filename
c a p tu re , ivs
N o te : Tins is a different file from the one you recorded; this file
contains precaptured IVS keys. The path is D :C E H -T o o ls C E H v 8
M o d u le 1 5 H a c k in g W ire le s s N e tw o rk s A irP c a p -E n a b le d O pen
S o u rc e to o ls a irc ra c k -n g -0 .9 -a ir p c a p
C E H Lab Manual Page 836
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

20. M odule 15 - H ackin g W ire le s s N etw o rk s
To save time capturing the packets, for your reference, the
tile (tins c a p tu re .iv s tile contain more than 200000
packets) is at D :C E H -T o o ls C E H v 8 M o d u le 1 5 H a c k in g W ire le s s
N o te :
c a p tu re .iv s
N e tw o rk s V A irP c a p -E n a b le d O p en S o u rc e to o ls a irc ra c k -n g -0 .9 a irp c a p .
12. After selecting tile, click Launch.
Aircrack-ng GUI
Qi-J
Aircrack-og
Filename(s)
Iff ll To put your wireless
card into monitor mode:
airmon-ng start rausbO.
Enctyption
Airodump-ng
j Airdecap-ng [ WZCook
About
"D:CEH-T0 0 lsCEHv8 Module 15 Hacking Wireless NetworksAirPcap ■Enabled Open
(§) W E P
Key size
128
v
bits
Q
Usewordlist
Q
Choose
1
Use PTW attack
O W PA
@ Advanced options
□
Specify ESSID
□
Specify BSSID
Fudge factor
Disable KoneK
attacks
2
m
n2
□3
□4
□5
□6
□7
□8
Key search filter
A
=
Biuteforce
Q
Alphanumeric characters
□
BCD characters
Last keybytes
biuteforce
M
1 1 Numeric (FritzlBOX)
1
1*1
— tZ J
Multithreading biuteforce
1 1 Single Biuteforce attack
V
Launch
F IG U R E 2.8: Aircrack-ng launch window
You may use this key
without the
in your
wireless client connection
prompt and specify that the
key is in hexadecimal
format to connect to the
wireless network.
m
13. If you get the enough captured packets, you wiil be able to crack the
packets.
14. Select your target network from
B S S ID
and press
E n ter.
C:W1ndowsSystem32cmd.exe- "C:UsersAdm1n1stratorDesktopa1rcrack-ng‫- !! ”"־‬
‫ם‬
*
I
Opening D:CEH-T001sCEHv8 M
odule 15 Hacking Wireless NetworksSHirPcap -Enabled
O e Source toolsaircrack-ng-0.9-airpcapcapture. ius
pn
R 231344 packets.
ead
00:09:5B:AE:24:CC
94:44:52:F2:45:0C
Index num of target network ? 1
ber
WP <231233 IUs>
E
WP <111 IUs>
E
F IG U R E 2.9: Select target network
C E H Lab Manual Page 837
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited

21. M odule 15 - H ackin g W ire le s s N etw o rk s
Aircrack-ng 0.9.3
m
Aircrack-ng can
recover the W E P key once
enough encrypted packets
have been captured with
airodump-ng.
K
B
0
1
2
3
[00:00:06] Tested 1 keys <got 164492 IUs>
byte<uote>
B < 42> B
F
9< 15> 4B 13> 41< 12> F < 9>
<
F
53< 40> C < 32> 34< 20> flF< 19> B
9
4< 19>
9E 40) D < 28> 64< 23> 88< 23> E
<
8
4< 18>
D < 143> 9?< 46> 33< 33> 43< 29> 38< 27>
B
K V F U D [ BF:S3:9E:DB:3? J
E ON!
Decrypted correctly: 100X
depth
0/ 1
0/ 3
0/ 4
0/ 1
F6< 4>
40< 16>
82< 18>
36< 26>
S
C:UsersfldninistratorDesktopaircrack-ng-0.9.3-winairerack-ng-0.9.3-winbin>
F IG U R E 2.10: aircrack-ng with W E P crack key
L a b A n a ly s is
Document die BSSID of the target wireless network, connected clients, and
recovered WEP key. Analyze various Airecrack-ng attacks and their respective data
packet generation rate.
P LE A S E
TA LK
TO
Tool/U tility
Y O U R IN S T R U C T O R IF Y O U
R E L A T E D TO T H IS LAB.
H A V E
Q U E ST IO N S
Information Collected/Objectives Achieved
N um ber of packet captured: 224385
Aircrack-ng
Cracked wireless adaptor name: NETGEAR
Output: Decrypted key
BF:53:9E:DB:37
Q u e s t io n s
1. Analyze and evaluate how aircrack-ng operates.
2. Does die aircrack-ng suite support Airpcap Adapter?
C E H Lab Manual Page 838
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

22. M odule 15 - H ackin g W ire le s s N etw o rk s
Internet Connection Required
□ Yes
0 No
Platform Supported
0 !Labs
C E H Lab Manual Page 839
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.

23. M odule 15 - H ackin g W ire le s s N etw o rk s
3
Sniffing t h e N e t w o r k
O m n i P e e k
U s i n g t h e
N e t w o r k A n a l y z e r
O m n iP e e k is a s ta n d a lo n e n e tw o rk a n a ly s is to o l u s e d to s o lv e n e tw o rk p ro b le m s .
I CON
KEY
L a b S c e n a r io
/ V a lu a b le
Packet sniffing is a form of wire-tapping applied to computer networks. It came into
vogue with Ethernet; tins mean that traffic 011 a segment passes by all hosts attached
to that segment. Ethernet cards have a filter that prevents the host machine from
seeing traffic address to other stations. Sniffing programs turn off the filter, and thus
see everyone traffic. Most of the hubs/switches allow the inducer to sniff remotely
usmg SNMP, which has weak authentication. Usmg POP, IMAP, HTTP Basic, and
talent authentication, an intruder reads the password off the wire ni cleartext.
in fo rm a tio n
s
T est your
k n o w le d g e
w
W e b e x e rc is e
m
W o r k b o o k r e v ie w
To be an expert ethical hacker and penetration tester, you must have sound
knowledge of sniffing network packets, performing ARP poisoning, spoofing die
network, and DNS poisoning. OmniPeek network analysis performs deep packet
inspection, network forensics, troubleshooting, and packet and protocol analysis of
wired and wireless networks. 111 tliis lab we discuss wireless packet analysis of
capuired packets.
& Too ls
d e m o n s tra te d in
th is lab a re
a v a ila b le in
D:CEHT oo lsC E H v 8
M o du le 15
L a b O b je c tiv e s
The objective of this lab is to reinforce concepts of network security policy, policy
enforcement, and policy audits.
L a b E n v ir o n m e n t
111 tins lab, you need:
H a c k in g W ireles s
N e tw o rk s
‫י‬
A d va n c ed O m n iP e e k N e tw o rk A n a ly ze r
located at D:CEH-T 00 lsC EH v 8
M o du le 15 H a c k in g W ireles s N e tw o rk sW i-F i P a c k e t S n iffe rO m n iP e ek
N e tw o rk A n a ly ze r
■ You can also download the latest version ot O m n iP e e k
from the lnik http: / / www.w1ldpflckets.com
C E H Lab Manual Page 840
N e tw o rk A n a ly ze r
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.

24. M odule 15 - H ackin g W ire le s s N etw o rk s
■ If you decide to download die
die lab might differ
la te s t version,
dien screenshots shown
111
■ Run diis tool 111 Windows Server 2008
■ A web browser and Microsoft .NET Framework 2.0 or later
■ Double-click O m n iP e e k 6 8 2 d e m o .e x e and follow the wizard-driven
installation steps to install OmniPeek
■ Administrative privileges to mil tools
L a b D u r a t io n
Tune: 20 Minutes
O v e r v ie w
You can download
OmniPeek Network
Analyzer from
http://www.wi1dpackets.co
o f O m n iP e e k N e t w o r k A n a ly z e r
OmniPeek Network Analyzer gives network engineers real-time visibility and expert
analysis of each and even7 part of die network from a single interface, which
includes Edieniet, Gigabit, 10 Gigabit, VoIP, Video to remote offices, and 802.11
a/b/g/n.
L a b T a s k s
m.
TASK
1
1. Launch OmniPeek by selecting
S ta rt ‫ ־‬All P ro g ram s ‫)־‬
‫^־‬
W ild p a c k e ts
O m ni p a c k e ts Dem o.
A n alyzin g W EP
P a c k e ts
2. Click V ie w
«
: =
J<
;
sa m p le file s.
-‫י‬
E h V w Cp r S n
c ie a tue e d
&
Monitor
Tools
Window
■ it,;a a a ja f e 1&
.
Hlp
e
r±
W ild Pd cke t 6 ‫׳‬m n iP ee k
‫ט‬
‫ט‬
‫י‬
• B «
‫,, ג‬
Start Page x j
O
O a SI
N Capture
ew
Recent Files
WsP.att
Pacxet Exa-noba.pxt
W^Apd
O Capture File
pen
f$
View O niEngines
m
H
U
Start M
onitor
Location
CProg‫׳‬om= (x86)WidPac*ateOmPMk D«ncaanptoeAEP pkl
i09
CAProgrem Filoa (x8€)'V/JdPactaUVO■mP881D«nca#npla»VPecl>
«t
Exam
ple#, p t
k
C.XProgrwn
(x8€)'V/kJPacH»0‫רזי‬P»»t D«no*anplMAPA.pkt
SSD ‫ ־‬BlackSlat* PS< =wldpac»:*te
I oration
Summary
Recent Capmre Tem plates
he r#e*at t#nput»«
Summary
SSD ‫ ־‬BlackSlato K y- 123«5€785D
a
Documentation
Resources
►(flWWPWWT*
►A w tf‫ ־‬Cerwj Staled Godo
or «
►vtevr
iMtaiBdH nsiructoi*
►
me L**‫ ׳‬Sude
►
CnrCrgire O
efcirg Started Quide
►Lg1r a 1!e2Q -m
uQ a
►
jvow attapfe *toe I
►WUPBCcmcttwsa Events E H ]
►Vow Het.vo‫־‬k •rol^ais 6po *hit# papers, and m
oro L iiiJ
yutt
Technical Support
►vfevr :ech‫ד‬c3l euosort reaou•c6 f9r W Packet3produels
3
ild
«
WMFBCttts :ecfncaisuooort
mP63< Sjppcrted harcv/3rs L'iiil>
^‫ג1י‬
‫3כ‬
ED
Z
►
CD
2
Training & Services
►
L
IU
►caac:ut1‫״‬cP3:tetsoorsuitns Q
•
D
► ‫סט‬
wlcPa;«t8 Acadcny
fine
l'vP6e<
i
[F d‫ ־‬ic p, press FI
I 4
_
rj
J } None
F IG U R E 3.1: Omnipeek main window
Select W E P .p kt
C E H Lab Manual Page 841
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

25. M odule 15 - H ackin g W ire le s s N etw o rk s
P
F I.
Edit
v *w
C *x‫ ״‬e
Send
Monitor
Tool!
Window
Help
W lld P .. kt ! ‫׳‬S ^ n lP e e k
^ • t! •ma. fe a a j a t, * * B i! r a » tz1‫ . ב‬E ^ ©^,:oE
:
i
Start Fac« x ‫׳‬
5 o jd 3 4
‫י‬
W ackets O niP S p F s
ildP
m eek am le ile
Ps .e bam
aK !
pies.cM
Sancte fie wch a variety of wired traffic.
1 ‫ד • ס <£ ־‬
■
^ O m n iP e e k
‫ ־‬SackSiate Key ‫ ־‬i2J45675*i)
gives n e tw o rk
en g in ee rs realtim e vis ib ility and
2 •ncrypUd traffic. (SSID ‫ י‬BlackSlilt 9SK « wldpacUtt)
E x p e rt A n alysis
in to e v e ry p a rt of
th e n e tw o rk fro m
a sin g le in te rfa c e ,
AlPiOcS. nc
154C Tied: Boulevard. S
AotrU C e fc 2jlfoma
e.
‫0 נ 2כ*לנ9 (52 מ‬
including
E th e rn e t, G ig ab it,
1 0 G ig ab it,
8 0 2 .1 1a/b/g/n
w ire le s s , V o IP ,
and V id e o to
re m o te o ffic es.
:‫ - ב‬te p, press Pi
F IG U R E 3.2: Omiiipeek Sample Files W indow
4. It will open W E P .p kt 111 die window. Select P a c k e ts from die left pane.
11
F IG U R E 3.3: T E L N E T - U VVEP packets Window
5. Double-click any of die packets 111 die nglit pane.
C E H Lab Manual Page 842
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

26. M odule 15 - H ackin g W ire le s s N etw o rk s
1 Fit
Ed*
View.
Capture
Send
!2 1 ^ 1 .
Start Pi$4
Monitor
‫י‬
‫נ‬
Tools
Window
Help
9.
a
W ild '.»( ki t 6 ‫׳‬rnnlP »*ek
! n
_
!
- E ■n
« u i »l i A
l
WEP pkt x
Enier 3 fiter Gxpf-mior here (1.09 F1forhdp)
Dashboards
£z~ C o m p re h e n s ive
n e tw o rk
vott &voeo
Aodex
Zyirosss
Capture
►=
‫׳‬dde3
*°s
Expert
p e rfo rm a n c e
m a n a g e m e n t and
m o n ito rin g o f
8
9
10
::
1:
13
14
:‫צ‬
U
1‫־‬
1:
e n tire e n te rp ris e
including n e tw o rk
Vokc ft Video
C9I»
***‫יי‬
Vkuak
r ?w m j c
3’C^tt
SLdlbUcs
SDllK
Prctacos
Sumvtry
V/irdesi
| ALAN
s e g m e n ts a t
re m o te o ffic es
Signal
* B u f f a l o :A l: 32:31
* B u f f a l o ( A lt 82: 31
* B u f f a l o :A l: 32:31
* B u f f a l o : A l: 32:31
*B u r ra io :A 1 :8 2 :3 1
* B u f f a l o : A lt 82!31
* 3 u f f a l o ! A ll 32131
* B u f f a l o : A l : 92:31
* aurra1c:A1:52:31
* B u f f a l o :A l! 82 !31
* B u f f a l o 1A l l 32131
* B u f f a l o : A l: 82;31
20
21
22
21
2*
2S
2c
2‫־‬
2:
Web
Server*
Cteru
*A©*?
sSSID
* 3 a f f a l = : A l : 32 :31
* B a r m s : A 1:52:: 31
■ •!Ethernet Srcsdcast * 3 u f f a l o : A l : 3 2 :31
Ethernet B rcedcart * 3 u f f a l o : A l : B2
* L .te o n ie c h : 55: C2: CC * 3 .1 r r a l2 : A 1 :22
i ^ I •te o n 7 e ^:.c. :c;-:
e
* * a ffa L ? :A L :3 2
11 teoniech:EE:C3:CC * 3 a f f a l o : A l : 32
Ij{|11teonTech:SS:03:CC * 3 u f f a l o : A l : 32
lj|)l.teon7ech:S5:C 3:C C * 3 a f f a l : : A l : 22
■ p 1 :te o a l« cn :5 5 :c2 :
* 5 a r ra 1 5 :A i:5 2
■ S > 1 1 te o n T « ch :5 5 :C 3 :C 3 * : ‫ ־‬f fa lD :A l:32:
a
■ i|L 1 tc o a T c c h :E E :C 3 s C 3 * : ‫ ־‬f al o«Al «92
af
■J|l-teoa7ech:55:C3:OC * 3 u f f a l o : A l : 52
Ip E i& e rn e t srcaocast *9 u rra 1 9 :A 1 :s 2 :
■*jE th#rn#t 816‫ ■ * ז«*זג>נ‬i i f f a l ' r i l : 12
■JpEthcract Sreadcaat * 3 a f f a l s : A l : 22
■S E th eia et &:cedcaat * 3 a f f a l ; : A l : !2
I^ E lh e r& e t S:CeOCa£t * 5 a f r 3 1 3 : A l: 52
■•)Ethernet B re isra a t tp ■: r r » l ? r i l : ■
<
2
■]^Ethernet Srcadceet * 3 a f f a l o : A l : 22
■ ^ E th ern et Ezceocaat ■ 4 3 i f f 1 1 ; : A l: 12
■SJElheraei BlCcOCaSt * 3 j f f a l 2 : A l : 52
■ ^ Ethernet Brceocast * 5 j r r a i o : A l : : 2
*1 1te on 7e ch:5S :03 :0C * 3 a f f a l o : A l : 32
■1011teon7ech:5S:C2:C‫ 3 * ־‬u f f a l o : A l : 32
C
* 1 .te o n ie ch :5 5:0 2:C * 3 j f f a l = : A l : 52
«C
3
■j> B u ffa lo :A l: 32:31
S * B u f f a l o : A l : 82:31
“b:
n e tw o rk s ,
I i
<‫. ׳‬
*> i n i a d @ 1 h i
1 ‫5 ו - !ר‬
3ack»: Source
Destination
1 * B u f f a l o :A l: 32:31
■},}Ethernet B ice dce rt
2 * B u f f a l o :A l: 82:31
■9 Ethernet Broadcast
*.-*u S S a lo :A l:3 2 :3 l
* B u f f a l o :A ll 82131
* B u f f a l o :A l: 32:31
* B u f f a l o :A l: 82:31
*3 u rra 1 0 :A 1 :s 2 :3 1
* 3 u f f a l o : A l: 32: 31
* B u f f a l o : A l: 82:31
* B u f f a l o : A l: 32:31
*B u rra 1 0 :A 1 :8 2 :3 1
................. ■
<1
=lags
*?
‫?״‬
*?
*?
Wf
■■
i*
'lit
Wf
Wf
W
f
Wf
•p
*p
*?
*p
•9
*?
*P
•P
Wf
Wf
Channel
1
1
Signal Data Rate
1 ‫%פפ‬
170
1 ‫%פפ‬
1.3
100(
1‫ו כ כ‬
103t
1.0
: 1‫־‬
113
1001
100*
100»
lo o t
100%
lo o t
lo o t
lo o t
lo o t
1001
lo o t
lo o t
lo o t
lo o t
lo o t
lo o t
lo o t
lo o t
lo o t
1001
lo o t
lo o t
74
71
74
74
74
71
74
74
113
US
115
115
115
113
115
115
115
115
71
74
74
74
13.9
12.0
9.0
6.0
8.0
6.0
6.0
6.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
1.0
21.0
13.0
12.0
9.0
See
113
113
1
_L
pacms: 2003
Fj flap, press Fl
^
-I
Duration 000:4c
a;M.cr.e
F IG U R E 3.4: T E L N E T - U n W E P packets analyzer
6.
Click die right arrow to view the next packet.
le
[£Z"Om niPeek
C o n n e ct m a n a g e s
an o rg an iza tio n ’s
v
___Suit
re co rd ers, and
provides all th e
co n so le
c a p a b ilitie s o f
O m n iP e e k
E n terp ris e w ith
th e e x c e p tio n of
lo c al c a p tu re and
V o IP ca ll
p la y b a c k
View
Capture
Send
WP k
E .p t
. 4■J2EB3HQDQ
Monitor
Tools
Window
W ild
icketi O m n iP r fk
' li] & 1iiB: J 1
‫&" ׳‬
0x00000000
00000
x0000
9 Packet Larvgrh:
115
14:29:38.441934700 G
5
2
1.9 Mbps
1 2412M31 602.11b
9T e s
is rta f:
9 Eata Pare:
j‫ #־־‬Channel:
9 S ic r a l L a val:
f ic ‫ ״‬c ! ast:
j- 9 Noise L e ve l:
j *-• Seise d2c:
B T~ 802 .11 m e Eeader
10
01
‫54 ־‬
| I - • version:
<§ T ipe :
I- 9 SuLtyte:
! B ‫ “ץ״‬J r a c C on trol Plag3:
!
Help
iT ►E S
WEP put - Packet »3 x
: • # Facket tJurfcer:
9 F lag •:
O m n ip lia n c e and
T im e L in e n e tw o rk
Edit
! • • - . : a J il al. * * ai
‫׳‬
u > !l
:•
0 :0 Mask oxc-3]
*00 Management [0 Mask OxOC]
%0 0 Seacon [0 M OF ]
10
ask x O
10000[1
0000 ]
0.............. A cfl-s c ric c c rc e r
.0 ............ Ken-Protected Fras9
.........W
o
. . . 0 . . . . Fcvcx Management - a c tiv e r s ia
--- 0 ... 7/1 15 net
15
.......... 0 .. le s t o r Vnfragjcntsd Franz
...........0. Kcc
1-9
. .0
j i-•
•
Ncre D
ata
a R~-Transvissioa
an Exit T u tne Distrioizloa syszen
ro t
06
:‫ כ י י‬C C CC CC
C
0:33:
C 31 C4 CC
C
iC CS C4 CC
p:5S:
0099:
322 r CO DC
FF
CA
Cl
07
FF
42
00
00
FF FF FF
6C €1 63
00 2A 01
OC 43 00
FF 00
63 53
00 DD
00 00
16
6C
18
00
01
61
00
00
AL
?4
S
O
00
82
65
72
00
31 00 16 Cl A l £2 31 10 23 14 33 34 00 00 00 00 04 ‫ל‬
)
01 08 e2 64 EE S6 12 24 48 K 33 31 01 32 04 8C 98 B0 . 1 . . .31acicSlatc............ * H I . . . 2 -----02 01 01 C C C3 A4 00 00 27 A4 30 00 42 43 SC 00 62
C O
.......... * ......... ?................... ’ . . .SC* .b
00
F IG U R E 3.5: T ELN ET-U n W E P packets frame window
7. Close the tab from the top and select different options from the nglit pane;
click G raphs.
C E H Lab Manual Page 843
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited.

27. M odule 15 - H ackin g W ire le s s N etw o rk s
F‫־‬
Edit
View
Capture
• fcl • H
£ ~ O m n iP e e k
t ‘te ro
n rt
WlEP.pkt x
Monitor
Tools
f:4
Window
fe S1; j!
Help
s
«
j
'AEP pkt -Packet = 3
32
j5k| 5*3
1‫־‬
0
E n terp ris e also
Send
: !3 J _!j g)
ft
Start
Dashboards
vwoe & vceo
Aadex
provides
C p re
a tu
ad v a n c e d V o ic e
=
‫׳‬acte3
and V id e o o v e r IP
*:
b
fu n c tio n a lity
Web
including
Cterts
»A0es
sig nalin g and
M ed ia an a ly s e s of
V aVe
okc id o
Cls
a
v o ic e and vid eo ,
V o IP p la y b a c k ,
StdlfeliLS
vo ic e and video
M
iflM
E x p e rt A n alysis,
SurMnory
V/irdes*
V isu al E xp e rt, and
*‫0י‬
91
m o re
^ n < / j» X 0 U
>r
a
< > !‫ ב‬ii
3 liL
Acdcs Cbun; Conpersons
Appicetion _ayer Protocols by 3ytc5
Zppicstion Layer P‫־‬oto:ols by 3ackets
‫־‬
ARP An^ss
0‫־‬oacast$ CO
fTpgredto Total
P ack e t Size Distribution
Er dPtDQ
re o C ls
E»ert Events
Boert VoP -H.323 Cal Erors
E>oert V0P - RTP B‫׳‬rcrs
Boert: Y - SIP Errors
0P
Ex>ert '‫•׳‬jireess Clent -^■ ‫׳‬slcal Errors
Ejoert N re bs ReossociaticnDeried
G^cbfc =our Pert Ublirabor (bts/3]
G^abfc =our Pert Uttli2attor (perc•‫);!׳‬
Gigabt! TtvoPytLttuaton (bits/s)
C-KXbt: Twopytutiiraron Cpercent)
. Networklltlixeto! (bits/s)
'f :
::• ‫■ ־‬
:■:.‫: :י‬c't:‫׳‬
«rc R eacts arrl Reoies
TCPAravs*
TCP V3LCP
-0lP ^Votocos
v/«b Protocoe
woto Jftlc
v/rdess: Access Potns bv Trust
WfrdaK Access Points vs. Clents
V/rdes* Assccobons arc Reeojoaoto-i:
V/rrittQ‫ ׳ 3 ־‬tes to/frorr Dutroubor Syote
V7r«te«s: Cierts ay Trust
v/rdess: Data 'vpes
v/rdess: »acke: Trees
V/rdess; 3adcts to'fron Dstnbubon Sv:
V/rdess: ^cbe Req vs. ^rcbe Rso
V/rdess: ^eres
PacKrts: zcXX)
Duration 000:40
‫י‬
rteip, press F1
F IG U R E 3.6: W E P Graphs window
8.
Now traverse through all the options 111 die left pane of the window.
L a b A n a ly s is
Document die BSSID of the target wireless network, connected clients, and
recovered WEP key. Analyze various Airecrack-ng attacks and their respective data
packet generation rate.
PLE A SE
TA LK
Tool/Utility
TO
Y O U R IN S T R U C T O R IF YO U
R E L A T E D TO T H IS LAB.
H A V E
Q U E ST IO N S
Information Collected/Objectives Achieved
Packet Information:
OmniPeek
Network
Analyzer
C E H Lab Manual Page 844
•
•
•
•
•
•
•
•
Packet Number
Flags
Status
Packet Length
Timestamp
Data Rate
Channel
Signal level
Ethical Hacking and Countermeasures Copyright © by EC-Council
A ll Rights Reserved. Reproduction is Stricdy Prohibited

28. M odule 15 - H ackin g W ire le s s N etw o rk s
•
•
•
•
Signal dBm
Noise Level
Noise dBm
802.11 MAC Header Details
Q u e s t io n s
1. Analyze and evaluate the list of captured packets.
Internet Connection Required
0 Yes
□ No
Platform Supported
0 Classroom
C E H Lab Manual Page 845
□ !Labs
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Stricdy Prohibited.